FOI_26-065 Cyber security
Date of response: 21 April 2026
We have now considered your request of 04 April 2026 for the following information:
Under the Freedom of Information Act, I would like to request the following information for each calendar year from 2020 to 2026 inclusive:
1. The number of cyber security breaches that have being identified that were found to be a result of a malicious threat actor (i.e. not accidental data breach)
2. The breakdown in high-level causes of these breaches as identified by cyber security incident response teams (CSIRTs), for example (but not limited to) unpatched software/hardware, lack of multi-factor authentication (MFA), leaked user credentials, lack of in-transit encryption, etc
3. The number of breaches that occurred that were attributed to a previously known vulnerability to the organisations hardware, software, policies, or processes, for example where system was known to be at risk due to being unpatched or out of support, or security controls were recommended but not enforced, and was defined within the resulting incident response report.
4. The estimated combined costs incurred as a result of cyber security breaches defined in request number one in each year.
No specific details are requested in relation to software/hardware utilisation, but rather high-level causes of breaches. I believe the high-level nature of this request does not allow for the use of s.31(1)(a) of the FOIA as this would not be likely to prejudice the security of your systems or data, as these are historical incidents which have since been dealt with. The public interest in understanding breach causes across public sector organisations outweighs the public interest in the exemption.
Our response:
We regret that on this occasion it is not possible to provide the requested information.
Under Section 1 of the Freedom of Information Act, we can confirm that the University does hold the information requested, however on this occasion it is not possible for us to provide any of the information for question 1 of your request relating to the number of cyber security breaches that have being identified that were found to be a result of a malicious threat actor (i.e. not accidental data breach).
We have determined that the cost of finding and assembling the requested information will exceed the ‘appropriate limit’ as defined by section 12 of the Act and the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004/3244.
The ‘appropriate limit’ of £450, which equates to 18 hours’ work, can relate to one request in its entirety or to a series of linked requests. If the University cannot locate, retrieve and extract some or all of the requested information within the 18 hours we are not obliged to retrieve any of the requested information.
Information relating to cyber security breaches is not held centrally at the University, but in several different systems. Looking at just one of those repositories we have identified 1038 reports that might be relevant to your request. The only way of identifying, extracting and recording the exact information you seek would be to manually investigate each of these reports to ascertain whether the report relates to a cyber security incident as per question 1 of your request. We have calculated it would take 2 minutes per report to identify such incidents, or 34.6 hours, to identify and extract information you requested which exceeds the appropriate time limit as outlined above.
If you were to resubmit a revised limited request for information, we would be able to collate information required for all questions in your request, within the required time limit, for data limited to a single year. Please note we have not considered whether any exemptions may apply to such a request.
We should point out that any revised request you submit will be treated as a new FOI request, and the 20-working-day time-limit will begin again.
We are sorry we cannot provide the data you requested, but trust this response explains our position.