Freedom of information requests concerning IT Infrastructure, IT security issues, attacks, ransomware, malware, and related topics

IT infrastructure and IT security issues

Southampton City Council is frequently asked to supply detailed information about our IT infrastructure and IT security. We are often asked about what technology we deploy, what IT security systems we have in place, the suppliers and versions of our IT security, how often we update and amend our security, whether we have identified particular issues or vulnerabilities and what we have done to strengthen our systems.
The Council has considered these issues carefully and we have decided not to disclose this information. This is because we consider the information to be exempt under section 31 of the Freedom of Information Act 2000. Please see the Council’s justification for applying Section 31 below:

Refusal Notice Section 31(1)(a) – Law Enforcement

Section 31(1)(a) states that a local authority need not provide information that would be likely to prejudice the functions of law enforcement, in this case, the prevention and detection of crime.

Southampton City Council believes that disclosing information about our security systems and infrastructure could allow criminals to identify vulnerabilities within our estate and use this information for targeted attacks. If these attacks were successful, cyber criminals may unlawfully gain access to Council systems containing sensitive personal and commercially confidential data. The Council therefore considers that disclosing these types of information would increase the risk of further criminal offences.

Public Interest Test

Section 31 is a qualified exemption which means we must consider the public interest in disclosure.

Factors in favour of disclosure

• Evidencing the Council’s transparency and accountability.
• Reassuring the public and our partners that the Council’s systems are secure.
• Providing information about how effective our security systems are.

Factors in favour of withholding

• The public interest in crime prevention.
• Avoiding disruption to public services.
• Avoiding costs associated with any attacks (for example, recovery, revenue, regulatory fines).
• Preventing any threat to the integrity of Council data.
• Ensuring the Council can comply with its duties to take all necessary steps to safeguard data.

The Council is satisfied that the balance of public interest lies in upholding the exemption and not releasing the information.

To provide assurance that Council systems are secure, we are happy to release details of the compliance standards the Council currently meets at the time of any request being submitted.

Malware, ransom attacks etc.

Southampton City Council is frequently asked to supply information about malware, ransom ware and any other previous cyber-attacks. Examples of common questions include whether we have been subjected to any cyber-attacks within a given period, the volume, whether they succeeded and what actions we have undertaken to protect the Council. We may be asked if we have been the victim of ransom ware, whether attacks were successful, if we paid ransoms, how often, when, to whom and for how much.

The Council has considered these issues carefully and we have decided that we should “neither confirm, nor deny” whether the requested information is held by the Council. This is because we consider the information to be exempt under section 31 of the Freedom of Information Act 2000.

Please see the Council’s justification for applying Section 31 below:

Refusal Notice Section 31(3) – Law Enforcement

The Council believes that disclosing whether we hold information about cyber-attacks, malware or ransomware may give cyber criminals insight into vulnerabilities within our systems which would pose a threat to our cyber security infrastructure. The Council therefore considers that confirming whether we hold the requested information would, or would be likely to, prejudice the prevention or detection of crime - section 31(1)(a). Therefore, in line with section 31(3), the Council considers that the duty to “confirm or deny” does not arise.

Public Interest Test

Section 31 is a qualified exemption which means we must consider the public interest in disclosure.

Factors in favour of confirming or denying if we hold relevant information.

• Evidencing the Council’s transparency and accountability.
• Reassuring the public and our partners that the Council’s systems are secure.
• Providing information about how effective our security systems are.

Factors against confirming or denying if we hold relevant information.

• The public interest in crime prevention.
• Avoiding disruption to public services.
• Avoiding costs associated with any attacks (for example, recovery, revenue, regulatory fines).
• Preventing any threat to the integrity of Council data.
• Ensuring the Council can comply with its duties to take all necessary steps to safeguard data.

The Council is satisfied that the balance of public interest lies in upholding the exemption and not releasing the information.

To provide assurance that Council systems are secure, we are happy to release details of the compliance standards the Council currently meets at the time of any request being submitted.

Internal Review

If you are dissatisfied with the handling of your request, you have the right to ask for an internal review. Internal review requests should be submitted within two months of the date of receipt of the response to your original request and should be submitted to dataprotection@southampton.gov.uk.

Please remember to quote the reference number above in any future communications.

Complaint to the Information Commissioners Office

If you are not content with the outcome of the internal review, you have the right to apply directly to the Information Commissioner for a decision.

The Information commissioner can be contacted by using the details available at https://ico.org.uk/make-a-complaint/ or by post at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF