Many incidents stemmed from human error, such as misdirected emails, lost paperwork, and unauthorised sharing of personal information.
Local authorities across the UK continue to struggle with data security, with more than 2,400 suspected breaches recorded by 27 councils during 2024.
According to new Freedom of Information data from Apricorn. Surrey County Council reported the highest number of breaches at 634, followed by Oxfordshire (451), North Yorkshire (406) and Suffolk (328). Many incidents stemmed from human error, such as misdirected emails, lost paperwork, and unauthorised sharing of personal information.
Some breaches were serious enough to be reported to the Information Commissioner’s Office: Suffolk disclosed six ICO-reported incidents, involving unauthorised access, internal publication of data, and inappropriate information sharing. North Yorkshire reported eight breaches to the regulator, including three cyber incidents and several cases of data mishandling.
However, councils such as Cheshire East and Cambridgeshire sought to reassure that many incidents involved internal-only disclosures, with staff encouraged to report even minor or ‘near-miss’ events as a precaution.
Device Management
Device management also emerged as a concern, with several councils reporting significant losses of mobile devices during the year. East Riding of Yorkshire Council misplaced 157 devices, including 106 mobile phones and 34 tablets, while Hertfordshire lost 75 devices and Essex County Council reported 33 missing handsets.
Essex said the lost devices were low-cost, non-encrypted models like the Nokia 105, but the use of unprotected hardware still raises questions about the sector’s ability to safeguard sensitive data on the move.
“Even with training, guidance, and policies in place, basic human error continues to be a significant cause of data breaches across local government,” said Jon Fielding, Managing Director, EMEA, Apricorn.
“Add to this the large number of unencrypted or poorly secured devices still in circulation, and the risk to data becomes even more pressing. Councils must ensure that endpoint security is not left to chance, encryption should be standard, regardless of device type, and data handling processes must be reinforced through ongoing staff training and technical safeguards.
"Transparency is vital to improving data protection standards. Councils that encourage incident reporting and acknowledge risk, even when incidents are minor, are taking the right approach.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
