January 15, 2026 | Organisational Information and Performance , Security and Data Protection
Request Number: FOI/16351
Category: Organisational Information & Performance - Security and Data Protection
Subject: Ransom Payments
Request and Answer:
Your request for information has now been considered. In respect of Section 1(1)(a) of the Act we can confirm that the Police Service of Northern Ireland (PSNI) does hold information to which your request relates. The decision has been taken not to supply the information you have requested and the reasons for this are set out in more detail below. We have also provided you with links to guidance issued by the Information Commissioner’s Office (ICO) which we have followed in responding to your request.
Question 1
Has your organisation been subject to a ransomware attack between 1 January 2020 and 24 November 2025 (inclusive)?
Question 2
If yes, how many of those attacks resulted in a ransom payment being made?
Question 3
What was the total amount paid in ransom between 1 January 2020 and 24 November 2025?
Answer
In accordance with the Act, this letter represents a Refusal Notice for this particular request. The Police Service of Northern Ireland can neither confirm nor deny that it holds the information you have requested.
Section 1 of the Freedom of Information Act 2000 (FOIA) places two duties on public authorities. Unless exemptions apply, the first duty at Section 1(1)(a) is to confirm or deny whether the information specified in the request is held. The second duty at Section 1(1)(b) is to disclose information that has been confirmed as being held.
Section 17(1) of the Freedom of Information Act 2000 requires the Police Service of Northern Ireland, when refusing to provide such information (because the information is exempt) to provide you the applicant with a notice which:
a. states that fact,
b. specifies the exemption in question and
c. states (if not otherwise apparent) why the exemption applies.
The Police Service of Northern Ireland (PSNI) can Neither Confirm Nor Deny that it holds the information relevant to your request as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions:
Section 24(2) - National Security – The duty to confirm or deny does not arise if exemption from section 1(1)(b) is required to protect national security.
Section 31(3) – Law Enforcement – The duty to confirm or deny does not arise if, or to the extent that, compliance with section 1(1)(a) would, or be likely to, prejudice any of the matters mentioned in subsection (1).
The full text of exemptions can be found at www.legislation.gov.uk and further guidance on how they operate can be located on the Information Commissioners Office website www.ico.org.uk.
The exemption/s, as well as the factors the Department considered when deciding where the public interest lies, are listed below:
‘Neither Confirm nor Deny’ (NCND)
There may be occasions when complying with the duty to confirm or deny under section 1(1) (a) would in itself disclose sensitive or potentially damaging information that falls under an exemption. In these circumstances, the Act allows a public authority to respond by refusing to confirm or deny whether it holds the requested information.
The decision to issue a ‘neither confirm nor deny’ response is not affected by whether we do or do not hold the information but relates to the consequences of confirming or denying the information is held. The starting point and main focus in most cases will be theoretical considerations about the consequences of confirming or denying that a particular type of information is held. The decision to neither confirm nor deny is separate from a decision not to disclose information and needs to be taken entirely on its own merits.
PSNI follow the Information Commissioner’s Guidance in relation to ‘NCND’ and you may find it helpful to refer to this at the following link:
https://ico.org.uk/for-organisations/foi/freedom-of-information-and-environmental-information-regulations/when-to-refuse-to-confirm-or-deny-holding-information/
Section 24 and 31 are a qualified and prejudice based exemptions and there is a requirement to evidence the Harm in confirming or denying information is held and to conduct a Public Interest Test.
Harm
Policing is an information-led activity, and information assurance (which includes information security) is fundamental to how the PSNI manages the challenges faced. To comply with statutory requirements the College of Policing Authorised Professional Practice for Information Assurance has been put in place to ensure the delivery of core operational policing by providing appropriate and consistent protection for the information assets of member organisations, see below link:
https://www.app.college.police.uk/app-content/information-management/
To achieve this goal, it is important that information sharing takes place with other police forces and law enforcement bodies within the UK to support investigations, including counter terrorism measures, in the fight to deprive criminals including terrorist networks of their ability to commit crime. Any breach of information security systems places the information held at significant risk which in turn destabilises this process, rendering police forces unable to prevent and detect crime (including serious and organised crime and terrorism) and apprehend offenders effectively.
To confirm or deny whether a specific type of cyberattack, in this case ransomware attacks, have occurred, irrespective of whether they had been successful or not, would identify potentially vulnerable security infrastructure against an identified type of attack. Placing information such as this in the public domain risks making the force more susceptible to future cyber-attacks of a similar nature as a weakness could be perceived by those individuals or organisations intent on launching new attacks.
There is also a harmful cumulative effect to consider where the same request is made to all police forces, insomuch as to confirm or deny information is held regarding ransomware attacks against a force would be extremely useful to the criminal fraternity, including terrorist organisations, as it would provide actual knowledge of where ransomware attacks have and have not been detected. This would enable them to map vulnerable information security systems at a national level increasing the likelihood of further attacks on those perceived to be more susceptible that others.
In essence, confirmation or denial information is held risks identifying variations in the robustness of cyber-security identification and protection measures which in turn places forces perceived as having a less robust strategy at a greater risk of cyber threat.
Public Interest Test
Section 24(2) - National Security
Factors favouring complying with Section 1(1)(a) neither confirming or denying that information is held
The public are entitled to know how public funds are spent and how resources are distributed within an area of policing. To confirm where ransomware attacks have occurred or not would enable the public to hold the police to account ensuring all such breaches are recorded and investigated appropriately. In the current climate, and with the call for transparency of public spending, this would enable improved public debate.
Factors against complying with Section 1(1)(a) neither confirming or denying that information is held
Security measures are put in place to protect the community we serve. As evidenced within the harm, confirming where ransomware attacks have occurred would highlight to terrorists and individuals intent on carrying out criminal activity, vulnerabilities within PSNI.
Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed. To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.
The cumulative effect of terrorists gathering information from various sources would be even more impactive when linked to other information gathered from various sources about terrorism. The more information disclosed over time will give a more detailed account of the security infrastructure of not only a force area but also the country as a whole.
Any incident that results from such a disclosure would, by default, affect National Security.
Decision/Balancing - Section 24
It is not in the public interest to release any information, including in some cases confirming or denying anything is held, if to do so would result in an increased risk to the national security of the UK or the endangerment of the general public. Weakening the mechanisms used to monitor any type of criminal and terrorist activity through deliberate disruption of IT infrastructure AKA cyber threats, would place the security of the country and the safety of its citizens at an increased risk of danger.
Section 31(3) Law Enforcement
Factors favouring complying with Section 1(1)(a) neither confirming or denying that information is held
Confirming that information exists relevant to this request would lead to a better-informed public which may encourage individuals to provide intelligence in order to reduce these attacks.
Factors against complying with Section 1(1)(a) neither confirming nor denying that information is held
The public entrust the PSNI to make appropriate decisions regarding their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain. Confirmation or denial that information is held in this case would suggest the PSNI take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively, and inappropriately.
Decision/Balancing - Section 31
While there is a need for transparency, the PSNI is charged with enforcing the law, preventing and detecting crime and protecting the communities it serves. As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity.
Therefore, it is currently our opinion that for these reasons, the balance tests favour neither confirming nor denying that information is held.