Incident report (2023)

Response

This information is held by the House of Commons.

We hold the incident ticket for the incident specified along with follow-up actions taken by the Parliamentary Digital Service (PDS) and details of both are provided.

It may also help you to know that that all devices provided by PDS to passholders are encrypted, including those provided to Members.
Please note that some information within this document has been withheld in accordance with sections 40, 24 & 31 of the Freedom of Information Act 2000 (FOIA). Details of these exemptions are provided below.

Section 40 – Personal information
The document attached contains information that identifies individuals, which is their personal data. This information is withheld in accordance with section 40(2) FOIA, as the disclosure of this information would not be consistent with the data protection principle found in Article 5.1(a) of the UK General Data Protection Regulation (UK GDPR). This is an absolute exemption and the public interest test does not apply.

Section 24 – National security

Some parts of this document contain specific details about IT systems and processes used by the House, including details of the systems, tools and templates used, and specific details of individual assets and items. We have concluded that withholding this information is necessary for the purpose of safeguarding national security. This information is therefore exempt by virtue of section 24 FOIA. This is a qualified exemption and the public interest test applies.

We recognise there is a public interest in ensuring that any system which allows MPs to report relay stolen or lost equipment is appropriate and secure. Equipment such as this is likely to contain sensitive information and could therefore pose a security risk if falls into the wrong hands, and it is therefore imperative to reassure the public that the Parliament has systems in place in order to appropriate deal with situations of this nature quickly, appropriately and effectively. Furthermore, as these systems have been financed from the public purse, we accept that it is also in the public interest to be able to scrutinise any IT systems used by the House of Commons in order to ensure that these design choices were sensible, cost-effective and fit for purpose.

However, we have also considered the public interest in withholding this information. Our network forms part of the Critical National Infrastructure and has been identified as an asset which faces a high level of threat from cyber-attacks and which, if breached, would cause damage to the national interest. The network is used by MPs and their staff, as well as MPs in their capacity as Ministers, for the purposes of communication, scrutinising the work of the government and also in their parliamentary functions. Detailed technical knowledge of IT systems, including our reporting systems and our processes would make it easier for cyber attackers to target both our systems and the parliamentary network as a whole. In particular, disclosing specific details of these systems and processes would be extremely useful to an attacker looking to craft a targeted phishing attack against the parliamentary network. Details of systems used would aid these groups in targeting the network by being able to research publicly available information on the programs used and be better able to plot an attack in turn. Furthermore, if any information arises regarding flaws or exploits within the systems we used, this could be used in the combination with this information to more easily target our systems (also known as a mosaic effect). Likewise, providing specific details on processes, including incident numbers, would allow these same groups to launch phishing attacks against the network in turn, in particular via spear phishing, whereby they could imitate our processes in order to target passholders on the network.

Any breach of the network could enable access to personal constituency data, and perhaps classified material, and could affect the ability of the House to carry out its business properly. It could also expose individuals to criminal activities, who are linked through their work to government departments or other branches of the state, compromising national security as a result. Furthermore, this is likely to be further compounded by releasing details of security measures and non-public areas on the estate, as these details would aid malicious groups or individuals to understanding in targeting the estate itself. In particular, any attack affecting the parliamentary network would also be likely to aid any physical attacks against the estate, as it would be likely to compromise the ability to report and communicate on-going issues to passholders. As this information has the potential to compromise the fundamental systems of the House and by extension the functioning of government departments, and also to render them potentially vulnerable to cyber security and terroristic threats, the wider public interest is therefore to favour non-disclosure in this instance.

For these reasons, we have concluded that the public interest in withholding the information outweighs the public interest in disclosure.

Section 31 – Law enforcement

We also consider that disclosing the same information would be likely to prejudice the prevention or detection of crime and the apprehension of offenders. This information is therefore also exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public interest test applies.

As stated before, there is a general public interest in transparency and accountability regarding this information. Providing further details about the IT systems and processes we use for handling lost and stolen items would further help to reassure the public that cyber security is a priority for Parliament and is handled in a sensible and appropriate manner. Likewise, as these systems have been financed from the public purse there is a public interest in being able to determine whether the systems and processes we use are sensible, cost-effective and fit for purpose.

We have also considered the public interest in withholding the information. As stated before, the release of this information could potentially be used, along with other public information, in order to launch attacks against parliamentary network by way of the tools, systems and processes we utilise. It would be of a significant benefit to malicious groups and individuals as by being aware of the systems we use it would allow them to target these directly (particularly if any flaws/issues regarding these systems were public knowledge), and also by mimicking our processes in order to launch phishing attacks against passholders. In either instance, this would likely significantly increase the risk of a cyber-attack against the parliamentary network. If hackers were able to access our systems, either in part or in full, they would then be able to hold these to ransom in order to extort them for financial gain, or to steal confidential information for the same purpose. Groups such as these are known to indiscriminately target public authorities, including the NHS, for disruption and profit, and disclosing this information therefore carries this risk. Furthermore, disclosing details on security measures would only aid attempts by these malicious groups to harm or disrupt the work of Parliament also, and this would be compounded further by releasing details on non-public areas of the estate, which would in turn likely make them targets for these groups also.

The House has a duty to maintain cyber security practices, and it faces the same threats to cyber security as any other public authority. The release of this information would therefore hinder the prevention and detection of crime as it would give an advantage to cyber attackers looking to target the IT systems of the House, along with those looking to target the estate physically, and in turn providing them an advantage which they would not gain were the information exempt from release instead.
In these circumstances therefore, it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.