ChannelLife UK - Industry insider news for technology resellers
Council data breaches rise 53% in five years, study finds

Wed, 22nd Apr 2026

Recorded data breaches across 78 of England's largest local councils rose 53% over five years, according to research by password management company Passpack. Referrals to the Information Commissioner's Office (ICO) for the most serious incidents increased 41% over the same period.

The study drew on Freedom of Information responses from 78 of 100 councils contacted, covering 2021 to 2025. In the most recent reporting year supplied by each authority, the councils logged 16,902 incidents on internal breach registers and made 305 referrals to the ICO.

The figures cover a wide range of incidents, from emails sent to the wrong recipient to breaches serious enough to require notification to the regulator. Under UK GDPR, organisations must report a breach to the ICO within 72 hours if it is likely to pose a risk to individuals' rights and freedoms.

Across the dataset, the ratio of internal incidents to ICO referrals was about 50 to one. This suggests most logged events were minor, but the rise in referrals points to an increase in incidents councils judged serious enough to have potential consequences for residents.

Largest rises

Among authorities with data for the full period, Wiltshire Council recorded the sharpest increase in internally logged incidents, up 601% from 341 in 2021 to 2,391 in 2025. Gateshead Council followed with a 302% increase, while the London Borough of Greenwich rose 215% and Salford City Council 191%.

Wiltshire also recorded the highest total number of incidents in the latest year covered, ahead of Bristol City Council with 721, Wakefield Council with 607, Sheffield City Council with 574 and Manchester City Council with 533.

Bristol recorded the highest number of ICO referrals in its latest reporting year, with 21. Cumberland Council and Cornwall Council each recorded 16, followed by Shropshire Council with 15 and the London Borough of Enfield with 14.

Council responses

Several councils said the figures reflected stronger internal reporting rather than a direct rise in damaging breaches or cyber attacks. Some also stressed the distinction between data-handling incidents and cyber security events.

A Manchester City Council spokesperson said the FOI data covered all types of potential data incidents, including near misses, cases where no data was lost and incidents flagged by other organisations that may have affected the council.

They said such incidents would not necessarily qualify as data breaches, and many did not involve personal data breaches. Many were low-level data-handling issues and did not involve unauthorised system access, malware or external threat actors, but were still reported internally as good practice.

The spokesperson added that annual mandatory GDPR training had improved staff understanding of good data practice and reporting responsibilities. Greater awareness, clearer reporting routes and better detection mechanisms meant issues that might previously have gone unreported were now being logged and managed appropriately.

Manchester also said cyber security and data protection were treated as separate risk areas, and that combining the two would give a misleading impression of its cyber security position. It said there had been no material cyber security incidents affecting core systems or resulting in the loss of personal data, and that a higher number of reported data protection incidents reflected stronger organisational maturity and a more open reporting culture, rather than weaker cyber security controls.

Bristol, which recorded the most ICO referrals, said it encouraged staff to report all suspected incidents, however minor, so they could be investigated and used to improve controls.

Wakefield Council, one of the authorities with the highest internal incident totals, said the figures included minor, non-reportable events and that no cyber attacks had resulted in a personal data breach during the period covered.

Wiltshire Council said its high totals reflected a broad reporting culture that included near misses and incidents identified through data loss prevention tools introduced through Microsoft 365. It added that none of the breaches it had reported to the ICO over the past five years had resulted in enforcement action.

Broader pressure

The findings come as local government faces sustained scrutiny over cyber resilience and data protection practices. Councils hold large volumes of residents' personal information, including housing, social care, education and benefits data, while many operate under financial pressure.

Several major incidents have affected councils in recent years. Leicester City Council suffered a ransomware attack that disrupted IT systems and phone lines for weeks, while an attack on housing software supplier Locata affected housing websites used by Manchester, Salford and Bolton councils. Following a 2020 ransomware attack, Hackney Council spent more than GBP £12 million in a single financial year on recovery.

The research also noted the lack of a consistent national approach to how local authorities detect, classify and record data incidents. That makes direct comparisons difficult, particularly when one authority logs near misses and another records only confirmed breaches.

The London Borough of Bexley said the increase in reported data breaches should be seen in the context of a more open and mature reporting culture. It said staff had been encouraged to report all actual and potential data breaches, however minor, so they could be investigated, lessons learned and controls improved.

Bexley added that while the overall number of internally reported breaches had increased, the number requiring notification to the ICO had remained broadly consistent. In its view, that suggests the rise was driven mainly by better internal reporting of lower-level incidents rather than an increase in serious breaches, and reflected greater awareness of the importance of data protection across the organisation.