UK councils report 12,700 data breaches with GBP £268,000 paid

An investigation has found that UK Metropolitan Councils have reported over 12,700 data breaches in the past three years and paid in excess of GBP £260,000 in compensation for data breach claims.

The figures, released from an examination by Data Breach Claims UK, detail a significant rise in both cyber and non-cyber attacks affecting local authorities across the United Kingdom.

Data trends

The data, obtained through Freedom of Information requests made to 36 Metropolitan Councils, highlights a year-on-year increase in local authority security breaches over the last three years. Of the 24 councils that provided information within the required timeframe, a total of 12,745 data breach incidents were reported.

In terms of financial implications, these councils have collectively paid GBP £268,310 in compensation due to legal claims made following data breaches. The process for establishing the figures involved submitting FOI requests, consolidating the responses, and calculating both incident counts and compensation totals.

Highest reporting councils

Sheffield City Council recorded the highest number of security incidents, with 1,512 breaches in three years. Manchester City Council followed closely, reporting 1,493 cases, while Wakefield Council reported 1,268 breaches over the same period.

Additionally, Sheffield City Council disclosed the most cybersecurity incidents, reporting 26 cybersecurity breaches since the financial year 2022/23. Meanwhile, Wakefield City Council encountered the greatest compensation expense, paying out GBP £52,500 for data breach claims, with North Tyneside at GBP £49,128 and Tameside Borough Council at GBP £32,500.

Regulatory environment

Councils collect and handle personal data according to requirements set by the General Data Protection Regulation and the Data Protection Act. In instances where a breach occurs that could impact individuals' rights and freedoms, authorities must report the breach to the Information Commissioner's Office within 72 hours of discovery.

Recent figures from the Information Commissioner's Office show that cyberattacks on local authority systems have risen by 387% between 2022 and 2024. Non-cyber data breaches increased by 25 per cent in the same period.

Expert commentary

"The rise in UK local government data breaches is worrying and we hope that organisations are ensuring that they have sufficient security in place to protect people's personal information," Reece Vassallo, Data Breach Claims UK expert, said.

The investigation notes that while over 12,700 breaches were reported since 2022, most incidents are likely attributable to administrative errors, such as emails sent to the wrong recipient or poor paperwork disposal practices. The definition of personal data breaches encompasses any accidental or unlawful destruction, loss, alteration, disclosure of, or unauthorised access to personal data.

"We have noticed an increase in data breaches generally over the last year, both in terms of human error and cyber-attacks. We understand that this is worrying and hope that organisations are ensuring that they have sufficient security in place to protect people's personal information. In terms of compensation, this is dependent upon what has happened, the information which has been subject to the data breach and the distress it has caused. A lot of cases can be settled without the need to issue Court proceedings, but if this is necessary, then we would advise clients accordingly," Reece Vassallo further commented.

Support and response

Data Breach Claims UK offers guidance and advice to individuals concerned about data breaches, and, according to the group, have observed a continuing upward trend in both cyber and human error-related incidents over the last year within UK councils.