Cyber security breaches

Request date: 4 April 2026

This version was printed or saved on: 25 April 2026

Online version: https://www.gamblingcommission.gov.uk/about-us/freedomofinformation/cyber-security-breaches

Request

Under the Freedom of Information Act, I would like to request the following information for each calendar year from 2020 to 2026 inclusive:

  1. The number of cyber security breaches that have been identified that were found to be a result of a malicious threat actor (i.e. not accidental data breach)
  2. The breakdown in high-level causes of these breaches as identified by cyber security incident response teams (CSIRTs), for example (but not limited to) unpatched software/hardware, lack of multi-factor authentication (MFA), leaked user credentials, lack of in-transit encryption, etc
  3. The number of breaches that occurred that were attributed to a previously known vulnerability to the organisation's hardware, software, policies, or processes, for example where system was known to be at risk due to being unpatched or out of support, or security controls were recommended but not enforced, and was defined within the resulting incident response report.
  4. The estimated combined costs incurred as a result of cyber security breaches defined in request number one in each year.

Response

Thank you for your request which has been processed under the Freedom of Information Act 2000 (FOIA).

In your email you have requested:

  1. The number of cyber security breaches that have been identified that were found to be a result of a malicious threat actor (i.e. not accidental data breach)
  2. The breakdown in high-level causes of these breaches as identified by cyber security incident response teams (CSIRTs), for example (but not limited to) unpatched software/hardware, lack of multi-factor authentication (MFA), leaked user credentials, lack of in-transit encryption, etc
  3. The number of breaches that occurred that were attributed to a previously known vulnerability to the organisation's hardware, software, policies, or processes, for example where system was known to be at risk due to being unpatched or out of support, or security controls were recommended but not enforced, and was defined within the resulting incident response report.
  4. The estimated combined costs incurred as a result of cybersecurity breaches defined in request number one in each year.

I can confirm that there are no recorded incidents that can be categorised as a Cyber Incident. As such there is no information held by the Commission falling within the scope of your request.

Review of the decision

If you are unhappy with the service you have received in relation to your Freedom of Information request you are entitled to an internal review of our decision. You should write to FOI Team, Gambling Commission, 4th floor, Victoria Square House, Victoria Square, Birmingham, B2 4BP or by reply to this email. 

Please note, internal review requests should be made within 40 working days of the initial response. Requests made outside this timeframe will not be processed.

If you are not content with the outcome of our review, you may then apply directly to the Information Commissioner (ICO) for a decision. Generally, the ICO cannot make a decision unless you have already exhausted the review procedure provided by the Gambling Commission. 

It should be noted that if you wish to raise a complaint with the ICO about the Commission’s handling of your request for information, then you are required to do so within six weeks of receiving your final response or last substantive contact with us.

The ICO can be contacted at: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

Information Management Team
Gambling Commission