Breaches involving employee information reported to the UK’s data regulator climbed again in 2025, reaching their highest level since the Information Commissioner’s Office began publishing comparable incident data in 2019, according to an analysis by law firm Nockolds that draws on ICO reporting. The rise adds to mounting concern among employers that staff records, payroll details and internal HR files are becoming harder to protect as hybrid working, third-party systems and everyday handling errors widen the points of exposure.
The trend is notable because it is not being driven only by headline-grabbing cyber attacks. Trade reporting on the Nockolds review said cyber-related employee-data breaches fell by 6% in 2025, to about 1,568 from 1,675 a year earlier, while non-cyber incidents rose 15%, pushing the total number of employee-data breaches to around 3,880 from roughly 3,680 in 2024. That suggests routine mistakes such as sending information to the wrong recipient, mishandling spreadsheets, poor disposal of paperwork and weak controls around remote access may now be contributing as much as malicious intrusion.
That shift builds on a pattern already visible in 2024. Coverage of Nockolds’ earlier analysis, based on ICO data, showed employee-data breach reports rose to 3,679 in 2024 from 3,208 in 2023, after having stood at 3,010 in 2019, the first year of the ICO’s current data series. Phishing incidents involving employee data also increased sharply in that earlier period, underlining how staff records remain attractive targets because employers hold national insurance details, salary information, addresses, bank data and, in some cases, sensitive health or disciplinary records.
The ICO’s own data notes add an important caveat: the figures cover only breaches discovered and reported to the regulator, begin at Q2 2019 because recording methods changed before then, and may not capture every serious case because some are moved to separate systems for further review. Even with those caveats, the trend has been consistently upward, enough to alarm employment lawyers, privacy advisers and HR specialists who see staff information as one of the most exposed pools of personal data inside large organisations.
Pressure on employers has intensified as regulators sharpen their tone on accountability. The ICO says organisations must report qualifying personal-data breaches within 72 hours of discovery under Article 33 of UK GDPR. In October 2025, the watchdog fined Capita £14 million over a 2023 cyber attack that exposed personal data from pension and staff records and affected more than 6 million people. The regulator said the company had failed to ensure appropriate technical and organisational measures and had not responded effectively enough once the attack was under way.
That enforcement action has become a reference point for boards and compliance teams because it showed the ICO is prepared to pursue large penalties when employment-related records are caught up in major breaches. In Capita’s case, the ICO said the stolen information included pension records, staff records and, for some people, especially sensitive material such as financial data, criminal-record details or special-category data. The commissioner, John Edwards, said the case was a reminder that organisations of every size must take proactive steps to secure the information entrusted to them.
The legal backdrop is also evolving. The Data Act 2025 amends, rather than replaces, the UK GDPR, the Data Protection Act 2018 and PECR, with changes being phased in between June 2025 and June 2026. The ICO says many of the adjustments are designed to make compliance easier or more flexible, but the core obligation to protect personal data remains intact. For employers, that means the basic discipline still matters: tighter access controls, clearer rules for remote work, stronger complaint handling, staff training, careful vendor oversight and faster internal escalation when something goes wrong.
Hybrid and dispersed working arrangements are likely to remain central to the debate. Employment specialists have argued that breaches increasingly stem from ordinary work habits rather than only sophisticated attacks: documents viewed in shared spaces, personal devices used for office tasks, HR files emailed outside secure systems, and line managers given access to data they do not need. Those risks are harder to eliminate than a single technical flaw because they are woven into daily operations, particularly in organisations juggling multiple cloud tools and outsourced payroll or benefits platforms.
Also published on Medium.