Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what risks to (a) employees and (b) the wider population were identified following cyber crimes against Government departments in the last 12 months.

This Government is committed to protecting citizens and public services from the ever-evolving cyber threat.

As set out in the 2023 National Risk Register, cyber attacks on the UK’s transport, health and social care, and telecommunications systems were identified amongst the most serious risks currently facing the UK. In addition, in this year’s National Cyber Security Centre (NCSC) Annual Review, data theft - either through ransomware or the exploitation of vulnerabilities in public-facing apps - and cyber-enabled fraud remain some of the most acute cyber threats facing UK businesses and citizens. For example, between September 2022 and August 2023, the NCSC received 297 reports of ransomware activity and 327 incidents involving the exfiltration of data.

The Government takes data protection very seriously and we understand that data breaches are a matter of great concern to those whose data may have been exposed in a cyber attack. It is the responsibility of organisations affected to meet their statutory obligations under the UK General Data Protection Regulation (GDPR) regarding notifying the Information Commissioner’s Office (ICO) and the individuals affected of certain personal data breaches.

It would not be appropriate to comment on specific cyber incidents for national security reasons. However, the Government has already taken significant steps to reduce the risks identified and to strengthen our cyber defences.

The Government Cyber Security Strategy 2022 sets out our plans to significantly harden the Government’s critical functions against cyber attack by 2025, with all organisations across the public sector being resilient to known vulnerabilities by 2030. Alongside this, the National Cyber Strategy 2022 sets out our approach to tackling cyber threats against the wider population, including by better detecting, disrupting and deterring malicious cyber actors and embedding good cyber security practices and protections at national, organisation and citizen level.