Cyber resilience

07 March 2022

Your request & our response

I am writing to request information surrounding the council's engagement with potential ransomware attacks.

1) Have you experienced digital data loss in the past two years?

a. Yes 

b. No

c. Don't know

2) Specifically, have you experienced a ransomware attack in the past two years?

a. Yes

b. No

c. Don't know

3) If you answered yes to question 2, were the attackers successful in locking a proportion of your data?

a. Yes

b. No

c. Don't know

N/A

4) If you answered yes to question 3, what percentage of your data was impacted?

● 1-10%

● 11-20%

● 21-30%

● 31-40%

● 41-50%

● 51-60%

● 61-70%

● 71-80%

● 81-90%

● 91-100%

 N/A

5) If you answered yes to question 2, did you pay a ransom to regain access to your data?

a. Yes

b. No

c. Don't know

 N/A

6) If you answered yes to question 4, how much did you pay?

- Up to £10,000

- £10,001 - £50,000

- £50,001 - £100,000

- £100,001 - £500,000

- £500,001 - £1,000,000

- £1,000,000+

N/A

7) Has your cybersecurity budget increased, decreased or remained the same over the past two years?

a. Increased

b. Decreased

c. Remained the same

N/A

Lambeth Council does not have a separate ‘cybersecurity budget’. This work falls within a wider budget, and the level of both staffing allocation and spending is calibrated against available risk analysis.

8) What best describes your IT infrastructure storage solutions? 

a. 100% On-premises

b. On-premises & public cloud

c. 100% public cloud

9) What protection do you currently have in place to protect against ransomware attacks? (mark all that are applicable)

a. Training (e.g., anti-phishing education for employees)

b. Air-gap storage (e.g. Data stored offline or offsite)

c. Perimeter defences (e.g., anti-malware software)

d. Data encryption for data in flight

e. Data encryption for data at rest

f. Internal access controls

g. Immutable data storage (e.g. data cannot be changed, encrypted or deleted)

h. Other (please state)

I can confirm that the remainder of the information you have requested is held by Lambeth Council, by law. However, I'm unable to give this to you.

The information requested is exempt from disclosure under Section 31(1) of the Freedom of Information Act (FoIA). Disclosure of this information would be likely to prejudice:

a. the prevention or detection of crime,
b. the apprehension or prosecution of offenders,
c. the administration of justice,
d. the assessment or collection of any tax or duty or of any imposition of a similar nature,
e. the operation of the immigration controls,
f. the maintenance of security and good order in prisons or in other institutions where persons are lawfully detained,
g. the exercise by any public authority of its functions for any of the purposes specified in subsection 2 (listed below)
h. any civil proceedings which are brought by or on behalf of a public authority and arise out of an investigation conducted, for any of the purposes specified in subsection 2 (listed below) by or on behalf of the authority by virtue of Her Majesty’s prerogative or by virtue of powers conferred by or under an enactment, or 

The purposes in g - h are:

(2) (a) the purpose of ascertaining whether any person has failed to comply with the law,
(b) the purpose of ascertaining whether any person is responsible for any conduct which is improper,
(c) the purpose of ascertaining whether circumstances which would justify regulatory action in pursuance of any enactment exist or may arise,
(d) the purpose of ascertaining a person’s fitness or competence in relation to the management of bodies corporate or in relation to any profession or other activity which he is, or seeks to become, authorised to carry on,
(e) the purpose of ascertaining the cause of an accident,
(f) the purpose of protecting charities against misconduct or mismanagement (whether by trustees or other persons) in their administration,
(g) the purpose of protecting the property of charities from loss or misapplication,
(h) the purpose of recovering the property of charities,
(i) the purpose of securing the health, safety and welfare of persons at work, and
(j) the purpose of protecting persons other than persons at work against risk to health or safety arising out of or in connection with the actions of persons at work.

To use this exemption, we are required to undertake a public interest test. The matters which were considered in applying the public interest test are as follows:

Factors in favour of disclosure

We consider that disclosure would increase the public's understanding of this issue and we note the general benefit in transparency where possible.

Factors in favour of withholding

Disclosure of this data could allow individuals intent on fraudulent activity to attempt to defraud the council and has the potential to compromise security controls. It is therefore not in the public interest to provide information if to do so would increase the risk of fraud and/or compromise security controls.

It is considered that the greater public interest therefore lies in not providing the information at this time. In coming to that conclusion, the public interest in providing the information has been carefully weighed against any prejudice to the public interest that might arise from withholding the information; in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

This response therefore acts as a refusal notice under section 17 of the FoIA.