Malicious attacks

Date released
23 February 2023
Request number
202301049
Release of information under
Freedom of Information Act 2000 (FOIA)

Information requested

Please find below my FOI request regarding malicious emails sent to the department.

The date range for the request is for 2022. The data shall include a breakdown by individual departments (e.g. separate departments, agencies, or public bodies within the main government agency), if applicable. Where data isn't available for the entire year, please provide the data and timescale it relates to (e.g. X emails over the last 90 days).

  1. How many malicious emails have been successfully blocked/detected?
  2. If possible, please provide a breakdown of figures by malicious email type, e.g. spam, malware, phishing, and ransomware.
  3. What percentage of malicious emails were opened by staff?
  4. What percentage of malicious links in the emails were clicked on by staff?
  5. How many email accounts/employees are there within your department?

Information released

I confirm that under s.1 of the FOIA, we hold the information in relation to question 5 of your request, however as part of it is already reasonably accessible via our website we have partially applied s.21(1). I have provided further information under the relevant heading below.

For questions 1 – 4, I am relying on s.31(3) of the FOIA (read together with s.31(1)(a) – namely prevention and detection of crime) which means that I can neither confirm nor deny that the information is held by ONR. I have set out our reasoning under the relevant heading below.

Questions 1 – 4

I have applied s.31(3) to questions 1 – 4 which removes our duty under s.1(1)(a) of the FOIA to confirm or deny whether we hold the requested information. I can therefore neither confirm nor deny that we hold the information falling within these questions. Please note, this statement should not be taken as an indication that the information you have requested is or is not held by us.

S.31(3) prescribes that the duty to confirm or deny whether information is held does not arise if, or to the extent that, compliance with s.1(1)(a), would, or would be likely to, prejudice any of the matters set out in s.31(1). One of those matters is the prevention or detection of crime.

As s.31(3) is a qualified exemption, we are required to balance the public interest between confirming/denying and not confirming/denying. The public interest test exists to ensure that we have considered the interests of the public fairly and equally. I have therefore applied the public interest test and have detailed this below.

Factors for confirming/denying:

  • ONR is committed to being an open and transparent regulator. We will use openness and transparency to achieve our objective of developing and maintaining stakeholder trust in ONR as an effective independent regulator.
  • Issues related to the nuclear industry are subject to close scrutiny and debate, and there is a public interest in information related to nuclear activities and the release of information relating to our functions. The information requested may provide reassurance to the public about the safety of our security systems and that we take our job seriously to protect those systems from harm.

Factors against confirming/denying:

Confirming or denying whether this information is held would leave our computer and security systems in a vulnerable position, making them a target of crime. Our reasoning for this is:

  • When releasing any information under the FOIA there is an assumption that the information will be released to the world at large and therefore this would greatly increase the reach of this information, thus creating a larger inherent risk.
  • If we were to confirm or deny whether this information is held, it could arm a person or organisation with very valuable information to assist with a malicious attack on our computer systems as it would expose whether strengths and weaknesses exist within our systems. A malicious attack of this nature could lead to sensitive nuclear information being accessed as a consequence and would have very real and widespread consequences which would prejudice our ability to function safely and securely as a regulator.

We strongly believe that to confirm or deny the existence or otherwise of the information in questions 1 – 4 could provide a larger picture of our systems. Therefore, we are neither confirming nor denying whether we hold the requested information in order to prevent the crime that this exemption sets out to avoid.

Conclusion

In conclusion, it is clear that there is an overwhelming public interest in keeping our systems secure to avoid the harm specified, and we are satisfied that these reasons significantly outweigh the benefits of confirming or denying whether the information is held under s.31(3) of the FOIA.

There are 819 current active email accounts across the organisation.

The information requested relating to the number of staff is published in our publication scheme within the Annual Reports and Accounts documents. For your ease of reference, you may find the latest report on the following link:

As such, this information is exempt from disclosure under s.21(1) of the FOIA, which applies to information that is reasonably accessible to the applicant by other means.

Exemptions applied

s.21 and s.31

PIT (Public Interest Test) if applicable

Yes