Skip to additional navigation Skip to content

Response

Response to request for information

Reference

3984007

Response date

27 April 2026

Request

I would like to request the following information for each calendar year from 2020 to 2026 inclusive:

  1. The number of cyber security breaches that have being identified that were found to be a result of a malicious threat actor (i.e. not accidental data breach)
  2. The breakdown in high-level causes of these breaches as identified by cyber security incident response teams (CSIRTs), for example (but not limited to) unpatched software/hardware, lack of multi-factor authentication (MFA), leaked user credentials, lack of in-transit encryption, etc
  3. The number of breaches that occurred that were attributed to a previously known vulnerability to the organisations hardware, software, policies, or processes, for example where system was known to be at risk due to being unpatched or out of support, or security controls were recommended but not enforced, and was defined within the resulting incident response report.
  4. The estimated combined costs incurred as a result of cyber security breaches defined in request number one in each year.

Response

  1. The number of cyber security breaches that have being identified that were found to be a result of a malicious threat actor (i.e. not accidental data breach)
    • No known cyber breaches
  2. The breakdown in high-level causes of these breaches as identified by cyber security incident response teams (CSIRTs), for example (but not limited to) unpatched software/hardware, lack of multi-factor authentication (MFA), leaked user credentials, lack of in-transit encryption, etc
    • Not applicable
  3. The number of breaches that occurred that were attributed to a previously known vulnerability to the organisations hardware, software, policies, or processes, for example where system was known to be at risk due to being unpatched or out of support, or security controls were recommended but not enforced, and was defined within the resulting incident response report.
    • Not applicable
  4. The estimated combined costs incurred as a result of cyber security breaches defined in request number one in each year.
    • Not applicable

FOI Responses ICT 2026