Employee Data Breaches Surge to Seven-Year High in UK

In short, more employee data is being breached because of mistakes in how we work across home and the office.
UK employee data breaches hit a seven-year high, with non-cyber incidents driving the surge. This affects organizations and employees alike, highlighting the need for better data protection measures. Companies must adapt to the hybrid work model to safeguard sensitive information.
What Happened
Employee data breaches reported to the UK Information Commissioner’s Office (ICO) have surged to a seven-year high. According to a recent analysis by law firm Nockolds, there were 3,872 reported breaches in 2025, marking a 5% increase from the previous year. This figure is nearly 29% higher than the total number of breaches recorded in 2019, when tracking began. Interestingly, cyber-related breaches actually fell by 6%, while non-cyber incidents skyrocketed by 15%.
The rise in non-cyber incidents is largely attributed to the shift towards hybrid working. Many organizations have bolstered their digital defenses, but have not updated their physical and procedural safeguards. This creates vulnerabilities that cyber tools alone cannot address. As employees navigate between home and office, sensitive information is often mishandled.
Who's Affected
The increase in breaches affects a wide range of employees across various sectors. Sensitive data such as HR records, payroll documents, and medical information is now frequently handled outside secure office environments. Hybrid work has made confidential information more susceptible to accidental exposure or loss.
Nockolds principal associate, Joanna Sutton, emphasizes that even accidental breaches can lead to claims from employees if they experience stress or anxiety as a result. This places significant responsibility on employers to safeguard the sensitive personally identifiable information (PII) of their staff.
What Data Was Exposed
The types of data exposed in these breaches can be quite sensitive. Non-cyber incidents include:
- Lost or stolen devices like laptops and phones
- Documents left in public spaces, such as trains or cars
- Misaddressed emails or postal mail
- Improper disposal of printed documents
- Files transported without proper controls between home and office
These breaches highlight the need for organizations to implement stricter controls and training to prevent such incidents. Sutton warns that outdated policies and inadequate training can make organizations liable for breaches, even if they are accidental.
What You Should Do
To mitigate the risk of data breaches, organizations must take proactive steps. First, they should invest in regular training for employees, focusing on the realities of hybrid work. It's crucial that staff understand the importance of safeguarding sensitive information, whether they are working from home or the office.
Additionally, organizations should review and update their data protection policies to reflect current working conditions. This includes ensuring that both technical and human elements of data protection are aligned. By fostering a culture of awareness and responsibility, organizations can better protect the sensitive data they handle and reduce the risk of breaches in the future.