Current timestamp: 21/06/2025 11:46:58
AgeAlertAnonymousAppealsApplicationsApply Or RegisterArea OutlineArrow DownArrow LeftArrow RightArrow UpAutomatic DoorsBack ArrowBusinessCalendarCashArrow DownArrow LeftArrow RightArrow Down[Missing text '/SvgIcons/Symbols/Titles/icon-chrome' for 'English (United Kingdom)']ClockCloseContactDirectionsDocumentDownloadDrawDrugExpandExternal LinkFacebookFb CommentFb LikeFiletype DefaultFiletype DocFiletype PdfFiletype PptFiletype XlsFinance[Missing text '/SvgIcons/Symbols/Titles/icon-firefox' for 'English (United Kingdom)']First AidFlickrFraudGive FeedbackGlobeGuide DogHealthHearing ImpairedInduction LoopInfoInstagramIntercom[Missing text '/SvgIcons/Symbols/Titles/icon-internet-explorer' for 'English (United Kingdom)']LaptopLiftLinkedinLocal Activity[Missing text '/SvgIcons/Symbols/Titles/icon-location' for 'English (United Kingdom)']LoudspeakerLow CounterMailMapMap PinMembershipMenuMenu 2[Missing text '/SvgIcons/Symbols/Titles/icon-microsoft-edge' for 'English (United Kingdom)']Missing PeopleMobility ImpairmentNationalityNorth PointerOne Mile RadiusOverviewPagesPaper PlaneParkingPdfPhonePinterestPlayPushchairRefreshReportRequestRestart[Missing text '/SvgIcons/Symbols/Titles/icon-rotate-clockwise' for 'English (United Kingdom)']Rss[Missing text '/SvgIcons/Symbols/Titles/icon-safari' for 'English (United Kingdom)']SearchShareSign LanguageSnapchatStart AgainStatsStats And Prevention AdviceStopSubscribeTargetTattosTell Us AboutTickTumblrTwenty Four HoursTwitter LikeTwitter ReplyTwitter RetweetUploadVisually ImpairedWhatsappWheelchairWheelchair AssistedWheelchair ParkingWheelchair RampWheelchair WcYoutubeZoom InZoom Out

Leave this site

Skip to main content

Skip to main navigation

Welcome

This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.

FOI 281-2025 / Mar 2025 / Data breaches

FREEDOM OF INFORMATION REQUEST REFERENCE NO: 281-2025

 

I write in connection with your request for information which was received on 3rd March 2025 as follows:

 

Data Breaches:

 

Q1. The number of data breaches recorded by your force in the past 10 years.

 

Q2. The agencies or external bodies involved, if any.

 

Q3. The type of data compromised.

 

Q4. The departments or units within your force affected.

 

Q5. The impact of these data breaches.

 

Q6. Whether any of these breaches were reported in the media (if so, please specify).

 

Q7. Whether the breaches were made public by the force.

 

Clarification

 

On 4th March 2025 we requested the following clarification:

 

With regard to Q2 of your request where you ask "The agencies or external bodies involved, if any" it is not clear what information is required here - please could you clarify and perhaps given an example if this would assist.

 

With regard to Q5 of your request where you ask " The impact of these data breaches", again it is not clear what information is required here - please could you advise.'

 

On 5th March 2025 you advised:

 

Regarding Q2 (agencies or external bodies involved), we are referring to any agencies or external organisations that were implicated in the data breaches (for example, if data was shared inappropriately with another agency). This could include other law enforcement bodies, governmental departments, or partner agencies with whom data was exchanged. We are particularly interested in any existing breaches that involved sharing intelligence with other law enforcement bodies.

 

Regarding Q5 (impact of the data breaches), by 'impact', we are seeking information on any recorded consequences or outcomes following any data breaches. This could include, for instance, disciplinary actions taken against staff members, investigations launched (internal/external), operational disruptions, financial costs incurred (e.g. Fines from regulatory bodies), reputational damage (e.g. Public or media backlash), or any remedial actions implemented to prevent future breaches (e.g. Refreshed training on data protection).

 

Please accept my sincere apologies for the delay in providing the response to your request and for any inconvenience this may have caused.  Please find the Warwickshire Police response set out below.

 

Q1 response: Please be advised that information is not held prior to 2020:  

 

2020 – 50

2021 – 63

2022 – 40

2023 – 68

2024 – 81

Total – 302

 

In addition, Warwickshire Police can neither confirm nor deny that it holds any further information, as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply, by virtue of the following exemptions:

 

Section 24(2) - National Security

Section 31(3) - Law Enforcement

 

Section 24 and 31 are qualified, prejudice-based exemptions and as such there is a requirement to articulate the harm and conduct a test of the public interest in confirmation or denial.

 

Please find the required evidence of harm, and the Public Interest Test set out below:

 

Harm in Confirming or Denying that Information is held

 

To confirm or deny whether any further information is held in respect of successful cyber-attacks resulting in Data Breaches would provide actual knowledge that where an attempt has been made, it has or has not been successful. Confirming that such information is not held may assist potential attackers by indicating that an attack had gone undetected. Equally, confirming information is held would enable understanding of where attacks have been successful, and possible weaknesses exist. Attackers may then be able to tailor their methods to increase their chances of success.

 

To confirm or deny whether information is held in respect of any leaked data as a result of an attack would, in effect, confirm that there had been successful cyber-attacks made against the force, which would present harm as detailed above.

 

Furthermore, in order to counter criminal and terrorist behaviour it is vital that the police and other agencies have the ability to work together, where necessary covertly, in order to obtain intelligence within current legislative frameworks to ensure the arrest and prosecution of offenders who commit or plan to commit acts of terrorism, whereby their modus operandi may involve cyber-attacks on secure databases. In order to achieve this goal, it is vitally important that information sharing takes place with other police forces and security bodies within the United Kingdom in order to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime. To confirm or deny specific details of any breaches of information technology and security would be extremely useful to those involved in terrorist activity as it would enable them to map vulnerable information security databases.

 

Public Interest Considerations

 

Section 24(2) National Security

 

Factors in favour of confirming or denying that information is held

 

The public are entitled to know how public funds are spent and how resources are distributed within an area of policing.  To confirm information is held regarding successful cyber-attacks causing Data Breaches would enable the general public to hold Warwickshire Police to account ensuring all such breaches are recorded and investigated appropriately.  With the call for transparency of public spending this would enable improved public debate.

 

Factors against confirming or denying that information is held

 

Security measures are put in place to protect the community we serve.  As evidenced within the harm, to confirm whether any cyber-attacks have been successful would highlight to terrorists and individuals’ intent on carrying out criminal activity, vulnerabilities within Warwickshire Police which could be further exploited.

 

Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist, should be disclosed.  To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.

 

Irrespective of what information is or isn’t held, the public entrust the Police Service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.

 

The cumulative effect of terrorists gathering information from various sources would be even more impactive when linked to other information gathered from various sources about terrorism.  The more information disclosed over time will give a more detailed account of the tactical infrastructure of not only a force area but also the country as a whole.

 

Any incident that results from such a disclosure would, by default, affect National Security.

 

Section 31 – Law Enforcement

 

Factors favouring confirming or denying that information is held

 

Confirmation that information exists relevant to this request would lead to a better informed public, which may encourage individuals to provide intelligence in order to reduce such security breaches.

 

Factors against confirming or denying that information is held.

 

Confirmation or denial that information is held in this case would suggest Warwickshire Police take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately. 

 

Balancing Test    

 

The points above highlight the merits of confirming or denying the requested information exists. The Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve.  As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity. Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country at an increased level of danger. 

 

In addition, anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the Police Service.  Therefore, at this moment in time, it is our opinion that for these issues the balance test favours neither confirming nor denying that any other information is held.

 

However, this should not be taken as indicating that any further information does or does not exist.

 

Response for all remaining questions: Please be advised that the requested information is not centrally recorded and is therefore not held in a readily retrievable format. The business area has advised that in order to provide a response to the remaining parts of the request it would be necessary to individually review the wider documentation of each data breach and manually extract and collate the information.  A scoping exercise was conducted and this determined that it would take on average 12 minutes to review each breach and locate the requested information. An estimate of the time and cost involved for this work is set out below:

 

Time:

Total of 302 Data Breaches @ an average of 12 minutes per record to review = 60.4 hours

 

Cost:

60.4 hours @ £25 per hour = £1,510.00

 

Therefore, the work involved in determining the information requested at Q2, Q3, Q4, Q5, Q6 and Q7 exceeds the cost threshold (£450), which equates to 18 hours work at a standard rate of £25 per hour, as stated in the Freedom of Information (Fees and Appropriate Limit) Regulations 2004.

 

In accordance with Section 12(1) of the Freedom of Information Act 2000, this letter acts as a Refusal Notice for these parts of the request.

 

In accordance with Section 16 of the Act, I have a duty to provide advice and assistance in relation to refining your request. I can advise that it may be possible to locate and retrieve some information if the scope of the request were reduced to one year or less; however, it is important to note that once the information has been located and retrieved, it will then be subject to the usual disclosure considerations, which may result in exemptions being applied.

 

Every effort has been made to ensure that the information provided is as accurate as possible.

 

Your attention is drawn to the below which details your right of complaint.

 

Should you have any further enquiries concerning this matter, please write or email the Freedom of Information Unit quoting the reference number above.

 

Yours sincerely

Freedom of Information Officer

Freedom of Information Unit
Warwickshire Police

PO Box 4

Leek Wootton

Warwickshire

CV35 7QB

[email protected]