Source · Select Committees · Public Accounts Committee
Recommendation 9
Accepted
Organised criminal groups' ransomware attacks severely disrupt public services and incur significant costs.
Conclusion
Organised criminal groups use ransomware and data extortion to make money.[10] They do this by stealing and encrypting victims’ data and then demanding a ransom or threatening to leak the data. In October 2023, the British Library suffered a ransomware attack, which it was still recovering from a year after the attack.[11] The cyber attackers encrypted most of the British Library’s servers, leaked around 500,000 records and stole several terabytes of data. The Cabinet Office told us that responding to the attack cost the British Library between £6 million and £7 million.[12] We asked the Cabinet Office for an example of a cyber attack that had affected the public. The Cabinet Office pointed to the June 2024 ransomware attack on Synnovis, a supplier of NHS pathology services, which led to two NHS foundation trusts postponing more than 10,000 appointments and put a significant amount of data at risk. Ransomware attacks on Hackney, and Redcar and Cleveland councils, have also disrupted public services.[13]
[10] Q 5
Government Response Summary
The government agrees with the concern about ransomware attacks, noting it has committed to a more interventionist approach and moved responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan in Winter 2025 to drive resilience.
Government Response
Accepted
HM Government
1.1 The government agrees with the Committee’s recommendation.
Target implementation date: Autumn 2026
1.2 The government has committed in the Blueprint for Modern Digital Government to resetting the relationship with cyber and technology risk, and taking a stronger and more interventionist approach to drive transformation across government. This approach is needed to achieve a step change in resilience across government, arm’s-length bodies and the wider public sector.
1.3 The government has taken immediate action to address this and moved responsibility for government and public sector cyber security from the Cabinet Office to the Department for Science, Innovation and Technology (DSIT). This change will strengthen technology resilience and policymaking across the public sector, by better integrating cyber security responsibilities and expertise into the Government Digital Service.
1.4 In winter 2025, DSIT will publish a Government Cyber Security Strategy Implementation Plan (GCSS IP) which will set out the approach to driving cyber and technology resilience. DSIT will write to the Committee to update them on implementation in one year’s time.