
UK councils report 2,400 suspected data breaches

Surrey, Oxford, and North Yorkshire are among the most affected councils.

Posted 26 June 2025 by Christine Horton


There were more than 2,400 suspected data breaches reported across 27 UK councils in 2024, according to Freedom of Information (FoI) requests.

The findings come from research by USB storage firm Apricorn.

Surrey County Council was the highest reporting authority, disclosing 634 breaches, followed closely by Oxfordshire County Council (451), North Yorkshire Council (406) and Suffolk County Council (328). Many of these incidents were the result of basic human errors, such as misdirected emails, lost paperwork, or the unauthorised sharing of sensitive personal information.

Notably, Suffolk County Council disclosed six breaches reported to the Information Commissioner’s Office (ICO), highlighting multiple failures including unauthorised access, internal data publication, and inappropriate information sharing. North Yorkshire Council provided similar reasoning. Of the 406 total breaches, eight were reported to the ICO, including three cyber incidents, two unauthorised disclosures, one through incorrect email recipients, one unauthorised access, and one through lost or misplaced data (paper records).

Despite these volumes, several councils sought to reassure by clarifying that not all incidents resulted in harm or formal reporting to the ICO. Cheshire East Council, which recorded 212 suspected breaches, noted that all potential data security incidents and data breaches are reported out of an abundance of caution, but many involved internal-only disclosures or were classified as ‘near misses’. In accordance with internal policies and procedures, staff are encouraged to report incidents as soon as they are discovered, even if they are unsure of the risk at the time.

Similarly, Cambridgeshire County Council reported just three ICO-notified breaches in 2024, all of which were caused by staff mistakes, but the regulator deemed they were handled appropriately.

The FoI responses also highlight ongoing problems with device management. East Riding of Yorkshire Council reported the loss or misplacement of 157 devices in 2024, including 106 mobile phones and 34 tablets. Hertfordshire County Council lost 75 devices, while Essex County Council reported the loss of 33 mobile phones, none of which were encrypted. Essex County Council stated that the devices in question were low-cost, non-smartphone models such as the Nokia 105, which do not support encryption. The use of such unsecured devices raises serious concerns about the council’s ability to protect data on the move, said Apricorn.

“Even with training, guidance, and policies in place, basic human error continues to be a significant cause of data breaches across local government,” said Jon Fielding, managing director, EMEA, Apricorn. “Add to this the large number of unencrypted or poorly secured devices still in circulation, and the risk to data becomes even more pressing. Councils must ensure that endpoint security is not left to chance, encryption should be standard, regardless of device type, and data handling processes must be reinforced through ongoing staff training and technical safeguards.

“Transparency is vital to improving data protection standards. Councils that encourage incident reporting and acknowledge risk, even when incidents are minor, are taking the right approach. But true protection also requires investment in encrypted hardware, secure data transfer practices, and clear accountability across departments.”

Cyberattacks on local authorities

Separately, Oxford City Council has revealed it was subject to a cybersecurity incident earlier this month.

Sylvain Cortes, VP strategy at Hackuity, pointed out that local authorities remain high-value targets for cybercriminals.

“It’s a sector that’s undergoing rapid digitisation to move services online and faces growing risks from attackers aiming to access sensitive data on citizens and employees,” said Cortes.

“Security teams are dealing with big challenges, so ensuring they’re equipped with all they need, from constant network monitoring to rapid detection, can help to identify and isolate threats before attackers slip through. Prevention, not just response, must be the priority.”

The challenge most councils face is that they are not technology organisations; they are there to deliver services to the country, said Mike Upton, head of public sector at e2e-assure.

“Often, it’s a case of balancing the needs of end users with key considerations of cyber security practices,” he said. “Take an employee who works across social services and is responsible for vulnerable children. Their core responsibility is ensuring the safety of those young people and getting their job done to their best ability, and while they no doubt receive training on cyber security it will not always be front of mind. As technology advances and AI-backed attacks become more sophisticated, the challenge of helping staff understand how to go about their business in a safe and secure fashion will only get tougher.”
