FOI release

FOI2026/00285: Cyber Security Breaches

Some or all of the information requested was not provided because we determined that the cost to do so would exceed the appropriate limit.

Case reference FOI2026/00285

Received 4 April 2026

Published 16 June 2026

Request

Request Received: 4 April 2026

I would like to request the following information for each calendar year from 2020 to 2026 inclusive:

1. The number of cyber security breaches that have being identified that were found to be a result of a malicious threat actor (i.e. not accidental data breach)

2. The breakdown in high-level causes of these breaches as identified by cyber security incident response teams (CSIRTs), for example (but not limited to) unpatched software/hardware, lack of multi-factor authentication (MFA), leaked user credentials, lack of in-transit encryption, etc

3. The number of breaches that occurred that were attributed to a previously known vulnerability to the organisations hardware, software, policies, or processes, for example where system was known to be at risk due to being unpatched or out of support, or security controls were recommended but not enforced, and was defined within the resulting incident response report.

4. The estimated combined costs incurred as a result of cyber security breaches defined in request number one in each year.

Response

Response Sent: 5 May 2026

Full details of this response is provided in the attached document.

Documents

• FOI_Response_Letter - FOI2026_00285_Redacted.pdf (344.2 KB)

This is UK Research and Innovation's response to a freedom of information (FOI) or environmental information regulations (EIR) request.

You can browse our other responses or make a new FOI request.