More than 2,400 public sector data breaches reported in UK 2024
Data from Freedom of Information requests indicates that UK local authorities reported more than 2,400 suspected data breaches in 2024, with issues including device loss and human error raising concerns about public sector information security.
Responses received from 27 councils highlight that Surrey County Council reported the highest number of breaches at 634 incidents. Oxfordshire County Council followed with 451, North Yorkshire Council with 406 and Suffolk County Council with 328 suspected breaches. Many of these incidents were attributed to fundamental mistakes such as emails sent to incorrect recipients, mislaid paperwork, and inappropriate sharing of confidential personal information.
Suffolk County Council reported six incidents to the Information Commissioner's Office (ICO), involving unauthorised access, internal publication of data, and inappropriate sharing. North Yorkshire Council similarly reported that of its 406 breaches, eight were escalated to the ICO, including three cyber incidents, two unauthorised disclosures, one case of incorrect email recipient, one form of unauthorised access and one lost or misplaced paper record. Both authorities provided details on the nature of breaches and their reporting processes.
Despite the high numbers of incidents, some councils clarified that not all cases resulted in harm or formal ICO reports. Cheshire East Council, which recorded 212 suspected breaches, explained that it reports all potential incidents as a precaution, although many were either internal disclosures or considered 'near misses'. The council adheres to organisational protocols that encourage staff to report any potential security incident as soon as identified, regardless of the perceived risk at that time.
Cambridgeshire County Council, in its response, noted that only three breaches were reported to the ICO in 2024 and all were due to staff mistakes. The ICO found these incidents had been managed appropriately.
Concerns around device management remain, according to the FoI findings. East Riding of Yorkshire Council reported the loss or misplacement of 157 devices in 2024, which included 106 mobile phones and 34 tablets. Hertfordshire County Council lost 75 devices during the same period. Essex County Council reported the loss of 33 mobile phones, none of which featured encryption. Essex explained the lost devices were low-value, non-smartphone models, including the Nokia 105, which do not support encryption. The continued use of such unsecured devices presents ongoing challenges in safeguarding mobile data.
Jon Fielding, Managing Director, EMEA, Apricorn, commented on the results:
Even with training, guidance, and policies in place, basic human error continues to be a significant cause of data breaches across local government. Add to this the large number of unencrypted or poorly secured devices still in circulation, and the risk to data becomes even more pressing. Councils must ensure that endpoint security is not left to chance, encryption should be standard, regardless of device type, and data handling processes must be reinforced through ongoing staff training and technical safeguards.
The findings from local authorities echo previous Apricorn reports concerning device loss within central government and support wider concerns about underinvestment in preventative security measures across the public sector.
Fielding added:
Transparency is vital to improving data protection standards. Councils that encourage incident reporting and acknowledge risk, even when incidents are minor, are taking the right approach. But true protection also requires investment in encrypted hardware, secure data transfer practices, and clear accountability across departments.
The data was collected via Freedom of Information requests submitted in early 2025 and cover incidents in 2024. Over 20 councils responded, providing a broad picture of the data security landscape and priorities across the UK public sector during the period.
