Info Gov

Recorded data breach incidents at England’s largest local authorities have risen by more than 50% over the past five years, according to analysis of Freedom of Information data by password management company Passpack.

An examination of FOI responses from 78 councils shows that internally logged data incidents increased by 53% between 2021 and 2025, while the number of breaches reported to the Information Commissioner’s Office (ICO) rose by 41% over the same period.

In the most recent reporting year, the councils collectively recorded 16,902 incidents, alongside 305 referrals to the ICO. ICO referrals represent breaches assessed by councils as likely to pose a risk to individuals’ rights and freedoms, such as identity theft or significant financial or privacy harm.

The vast majority of incidents, the report stressed, were minor and caused no lasting harm. The ICO has a threshold on personal data breach reporting and not all breaches need to be reported. Organisations must self-assess whether a data breach needs to be reported, for which the ICO provides a self-assessment tool which can be found at https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment. Reportable breaches must be reported to the ICO within 72 hours from when they become aware of the breach. Organisations should ensure they keep a record of all breaches, even if they are not reportable.

ICO guidance on personal data breaches can be found here. The ICO has also produced a cyber-incident 'grab bag', in conjunction with the Local Governmenr Association, which can be found here: https://www.local.gov.uk/our-support/cyber-digital-and-technology/cyber-incident-grab-bag-local-authorities/delivering-services 

The data shows significant variation between councils in both overall volumes and rates of increase.

Wiltshire Council recorded the largest rise in internally logged incidents over the period examined, with a 601% increase from 341 incidents in 2021 to 2,391 in 2025. Other authorities with large percentage increases included Gateshead Council, the London Borough of Greenwich, Salford City Council and Bedford Borough Council.

In terms of absolute numbers in the latest reporting year, Wiltshire again recorded the highest total, followed by Bristol City Council, Wakefield Council, Sheffield City Council and Manchester City Council.

Bristol City Council recorded the highest number of ICO referrals in the most recent year (21), followed by Cumberland Council and Cornwall Council (16 each), Shropshire Council (15) and the London Borough of Enfield (14).

Internally recorded data breach registers capture a wide range of incidents, including near misses and low level administrative errors such as emails sent to incorrect recipients. A logged incident does not necessarily indicate a breach of data protection law. 

On average, the ratio between internally recorded incidents and ICO referrals was around 50:1, indicating that only a small proportion of incidents are assessed as serious enough to require regulatory notification.

Several councils cited in the analysis said that increasing figures were indicative of improved staff awareness and a stronger reporting culture, rather than a deterioration in data security. Authorities including Manchester, Bristol, Wakefield, Wiltshire and the London Borough of Bexley told the report authors that mandatory training, clearer reporting routes and improved detection systems had led to more consistent logging of incidents.

Wiltshire Council said its figures reflected a “mature reporting culture,” noting that it encourages the reporting of near misses and introduced new data loss prevention controls and internal reporting tools during the period covered by the data.

Local authorities have been victims to several high profile attacks on councils in recent years. These include ransomware attacks affecting Leicester City Council in 2024, disruption following an attack on housing software provider Locata, and a cyber incident in late 2025 that affected Westminster City Council, the Royal Borough of Kensington and Chelsea and Hammersmith and Fulham, which share IT infrastructure.

Recovery costs and disruption following serious cyber incidents can be substantial, such as the £12m spent by Hackney Council in the year following a 2020 ransomware attack and the severe operational difficulties faced by Kensington & Chelsea Council following an attack last year which left it unable collect council tax for a substantial period of time and disrupted many core services for months.

The analysis is based on FOI requests submitted to 100 of England’s largest councils, of which 78 provided data. Some authorities declined to supply information, while others provided partial data for certain years.

An ICO spokesperson said: "Local authorities handle some of our most sensitive personal data and people have the right to expect that they should do so in a safe and secure manner. Whether a breach needs to be reported to us depends on the risk posed. The ICO has a variety of tools available to improve compliance, ranging from providing advice and guidance to taking enforcement action where necessary. We engage with local authorities in England on a regular basis.”

Also in this section

Jul 16, 2026

Scattered Spider pair jailed over TfL hack

Two members of the Scattered Spider hacking collective have each been jailed for five and a half years at Woolwich Crown Court on 16 July over a 2024 cyber attack on Transport for London that compromised the personal data of millions of customers and cost the transport authority £39 million.
Jul 15, 2026

Government introduces mandatory data breach reporting protocol

The Cabinet Office has published a Model Action Plan setting out a single cross-government framework that all departments and arms-length bodies must follow when responding to significant personal data breaches, introducing mandatory central reporting of such incidents for the first time.
Jun 29, 2026

"Five eyes" warn on accelerating cyber security threat from AI

The National Cyber Security has called on organisational leaders to treat cyber resilience as a core business and governance responsibility rather than a technical matter in the light of a report by the Five Eyes intelligence alliance on the "fundamental" impact of AI on the speed and scale of cyber threats.
Jun 15, 2026

Government AI hackathons uncover 407 vulnerabilities across nine departments, including critical remote code execution flaw

A pilot programme using frontier AI models to scan public-sector code repositories has identified 407 security findings across nine government organisations, including a critical vulnerability that could have allowed an external attacker to execute arbitrary code on a key digital service, the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC)…

InfoGov Masthead Newsletter 800