
Brian Sims
Editor
APRICORN – the manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB data storage devices – has now revealed the findings from its Freedom of Information (FoI) requests targeting local authorities across the UK. The responses show that public sector organisations continue to struggle with data security as thousands of breaches and incidents were reported during 2024.
The figures, collected from 27 UK councils, indicate that over 2,400 suspected data breaches occurred across the sector last year. Surrey County Council was the highest reporting authority, disclosing 634 breaches, followed closely by Oxfordshire County Council (451), North Yorkshire Council (406) and Suffolk County Council (328). Many of these incidents were the result of basic human errors, such as misdirected e-mails, lost paperwork or the unauthorised sharing of sensitive personal information.
Notably, Suffolk County Council disclosed six breaches reported to the Information Commissioner’s Office (ICO), highlighting multiple failures including unauthorised access, internal data publication and inappropriate information sharing.
North Yorkshire Council provided similar reasoning. Of the 406 total breaches, eight were reported to the ICO, including three cyber incidents, two unauthorised disclosures, one through incorrect e-mail recipients, one unauthorised access and one through lost or misplaced data (ie paper records).
Despite these volumes, several councils sought to reassure by clarifying that not all incidents resulted in harm or formal reporting to the ICO. Cheshire East Council, which recorded 212 suspected breaches, noted that all potential data security incidents and data breaches are reported out of an abundance of caution, but many involved internal-only disclosures or were otherwise classified as ‘near misses’. In accordance with internal policies and procedures, staff are encouraged to report incidents as soon as they’re discovered, even if they’re unsure of the risk at the time.
Similarly, Cambridgeshire County Council reported just three ICO-notified breaches in 2024, all of which were the result of staff mistakes, although the regulator deemed that they were handled appropriately.
Device management issues
The FoI responses also highlight ongoing problems with device management. East Riding of Yorkshire Council reported the loss or misplacement of 157 devices in 2024, including 106 mobile phones and 34 tablets.
Hertfordshire County Council lost 75 devices, while Essex County Council reported the loss of 33 mobile phones, none of which were encrypted. Essex County Council stated that the devices in question were low-cost, non-smart phone models such as the Nokia 105, which don’t support encryption. The use of such unsecured devices raises concerns about the council’s ability to protect data on the move.
“Even with training, guidance and policies in place, basic human error continues to be a significant cause of data breaches across local Government,” said Jon Fielding (managing director for EMEA at Apricorn). “Add to this the large number of unencrypted or poorly secured devices still in circulation and the risk to data becomes even more pressing. Councils must ensure that endpoint security is not left to chance. Encryption should be standard, regardless of device type, and data handling processes must be reinforced through ongoing staff training and technical safeguards.”
The report echoes Apricorn’s earlier findings on device loss across central Government departments and reinforces concerns that public sector organisations continue to underinvest in proactive data protection measures.
“Transparency is vital for improving data protection standards,” added Fielding. “Councils that encourage incident reporting and acknowledge risk, even when incidents are minor, are taking the right approach. True protection also requires investment in encrypted hardware, secure data transfer practices and clear accountability across departments.”
*The research was conducted through FoI requests submitted via Whatdotheyknow.com in February this year. Responses cover the period from 1 January to 31 December 2024.