About our data

Reporting quarters are based on the calendar year, 1 January to 31 December.

We receive reports of incidents from both individuals and organisations. They choose how much or how little they feel comfortable providing, often about very sensitive incidents. We will not share specific details about an incident without the reporting party's consent.

We aren't always able to verify the information we receive, though we try to, particularly when dealing with significant cyber security incidents.

From 1 July 2020, we’ve made some changes to the way data is collected and structured. These changes have been made to improve the level of detail and reporting produced. They also allow for other data sources to be introduced. The way we collect and use the information provided to us is set out in our privacy and information statement.