Ransomware incidents and software used at the Northern Ireland Assembly

Information Standards Freedom of Information Response

Our Ref: FoI 36-21

17 September 2021

Freedom of Information Act 2000

I can confirm that the Northern Ireland Assembly Commission (Assembly Commission) holds information relevant to your request of 1 September 2021.  In your request, you asked for the following information:

“1. In the past three years has your organisation:

a. Had any ransomware incidents? (An incident where an attacker attempted to, or successfully, encrypted a computing device within your organisation with the aim of extorting a payment or action in order to decrypt the device?)

i. If yes, how many?

The Assembly Commission has not experienced any ransomware incidents within the past three years.

b. Had any data rendered permanently inaccessible by a ransomware incident (i.e. some data was not able to be restored from back up.)

c. Had any data rendered permanently inaccessible by a systems or equipment failure (i.e. some data was not able to be restored from back up.)

The Assembly Commission has not had any data rendered permanently inaccessible by a ransomware incident.

d. Paid a ransom due to a ransomware incident / to obtain a decryption key or tool?

i. If yes, was the decryption successful, with all files recovered?

e. Used a free decryption key or tool (e.g. from https://www.nomoreransom.org) ?

i. If yes was the decryption successful, with all files recovered?

The Assembly Commission has not paid any ransom due to a ransomware incident. The Assembly Commission has not experienced any ransomware incidents within the past three years so no decryption tools have been required.

f. Had a formal policy on ransomware payment?

i. If yes, please provide, or link, to all versions relevant to the 3-year period.

The Assembly Commission does not have a formal ransomware payment policy.

g. Held meetings where policy on paying ransomware was discussed?

The Assembly Commission have not held any meeting where ransomware has been discussed.

h. Paid consultancy fees for malware, ransomware, or system intrusion investigation

i. If yes, at what cost in each year?

i. Used existing support contracts for malware, ransomware, or system intrusion investigation.

j. Requested central government support for malware, ransomware, or system intrusion investigation?

The Assembly Commission has not paid consultancy fees or used existing support contracts for malware nor requested central government support for ransomware or system intrusion in the last three years.

k. Paid for data recovery services?

i. If yes, at what cost in each year?

l. Used existing contracts for data recovery services?

The Assembly Commission has not paid for data recovery services or used existing support contracts for data recovery services in the last three years.

m. Replaced IT infrastructure such as servers that have been compromised by malware?

i. If yes, at what cost in each year?

n. Replaced IT endpoints such as PCs, Laptops, Mobile devices that have been compromised by malware?

i. If yes, at what cost in each year?

The Assembly Commission has not replaced IT infrastructure or IT endpoints that have been compromised by malware, as there have been no such incidents within the last three years.

o. Lost data due to portable electronic devices being mislaid, lost or destroyed?

i. If yes, how many incidents in each year?

The Assembly Commission has not lost data due to electronic devices being mislaid, lost or destroyed.

2. Does your organisation use a cloud based office suite system such as Google Workspace (Formerly G Suite) or Microsoft’s Office 365?

a. If yes, is this system’s data independently backed up, separately from that platform’s own tools?

The Assembly Commission does use a cloud based office suite system but the systems are not independently backed up, separate from the platform’s own tools.

3. Is an offsite data back-up a system in place for the following? (Offsite backup is the replication of the data to a server, which is separated geographically from the system’s normal operating location site.)

a. Mobile devices such as phones and tablet computers

b. Desktop and laptop computers

There are no offsite data backup system in place for phones, tablets, desktops or laptops.

c. Virtual desktops

d. Servers on premise

There is offsite data backup system in place for virtual desktops and servers on the premises.

e. Co-located or hosted servers

The Assembly Commission does not currently have any co-located or non-cloud hosted servers.

f. loud hosted servers

There are no offsite data backup system in place for cloud-hosted servers.

g. Virtual machines

There is offsite data backup system in place for virtual machines.

h. Data in SaaS applications

There is no offsite data backup system in place for data in SaaS applications.

i. ERP / finance system

There is offsite data backup system in place for ERP/Finance System

j. We do not use any offsite back-up systems

Please see answers above

4. Are the services in question 3 backed up by a single system or are multiple systems used?

With the exception of externally hosted services, the Assembly Commission uses a single and highly available system for backup and recovery.

5. Do you have a cloud migration strategy? If so is there specific budget allocated to this?

The Assembly Commission does not have a formal strategy as it operates a hybrid environment with both in-house and externally hosted systems. Each requirement for on-premises or cloud hosting is determined on an individual basis.

6. How many Software as a Services (SaaS) applications are in place within your organisation?

a. How many have been adopted since January 2020?”

There are five Software as a Services applications in place at the Assembly Commission and one of these has been adopted since January 2020.

 

If you feel that the information we have provided does not meet your request fully, please contact this office as soon as possible.  You have the right to request a formal review by the Northern Ireland Assembly Commission and if you wish to do so, please write to me at the above address.

If after such an internal review you are still unhappy with the response, you have the right to appeal to the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,  Cheshire SK9 5AF who will undertake an independent review.

The Assembly Commission may publish details of your FOI request and our official response within the organisational disclosure log. The request will be completely anonymised and you will not be identified in any way. This is to meet the requirements as laid out by in the agreed publication scheme with the Information Commissioners’ Office.

If you have any queries about this letter, please contact me.  Please remember to quote the reference number above.

Yours sincerely

INFORMATION STANDARDS

Find MLAs

Find your MLAs

Locate MLAs

Search

News and Media Centre

Visit the News and Media Centre

Read press releases, watch live and archived video

Find out more

Follow the Assembly

Follow the Assembly on our social media channels

Keep up-to-date with the Assembly

Find out more

Useful Contacts

Contact us

Contacts for different parts of the Assembly

Contact Us