Data breaches recorded by English councils up 53% over five years, FOI analysis finds

An examination of FOI responses from 78 councils shows that internally logged data incidents increased by 53% between 2021 and 2025, while the number of breaches reported to the Information Commissioner’s Office (ICO) rose by 41% over the same period.

In the most recent reporting year, the councils collectively recorded 16,902 incidents, alongside 305 referrals to the ICO. ICO referrals represent breaches assessed by councils as likely to pose a risk to individuals’ rights and freedoms, such as identity theft or significant financial or privacy harm.

The vast majority of incidents, the report  stressed, were minor and caused no lasting harm.

The data shows significant variation between councils in both overall volumes and rates of increase.

Wiltshire Council recorded the largest rise in internally logged incidents over the period examined, with a 601% increase from 341 incidents in 2021 to 2,391 in 2025. Other authorities with large percentage increases included Gateshead Council, the London Borough of Greenwich, Salford City Council and Bedford Borough Council.

In terms of absolute numbers in the latest reporting year, Wiltshire again recorded the highest total, followed by Bristol City Council, Wakefield Council, Sheffield City Council and Manchester City Council.

Bristol City Council recorded the highest number of ICO referrals in the most recent year (21), followed by Cumberland Council and Cornwall Council (16 each), Shropshire Council (15) and the London Borough of Enfield (14).

Internally recorded data breach registers capture a wide range of incidents, including near misses and low level administrative errors such as emails sent to incorrect recipients. A logged incident does not necessarily indicate a breach of data protection law.

On average, the ratio between internally recorded incidents and ICO referrals was around 50:1, indicating that only a small proportion of incidents are assessed as serious enough to require regulatory notification.

Several councils cited in the analysis said that increasing figures were indicative of improved staff awareness and a stronger reporting culture, rather than a deterioration in data security. Authorities including Manchester, Bristol, Wakefield, Wiltshire and the London Borough of Bexley told the report authors that mandatory training, clearer reporting routes and improved detection systems had led to more consistent logging of incidents.

Wiltshire Council said its figures reflected a “mature reporting culture,” noting that it encourages the reporting of near misses and introduced new data loss prevention controls and internal reporting tools during the period covered by the data.

Local authorities have been victims to several high profile attacks on councils in recent years. These include ransomware attacks affecting Leicester City Council in 2024, disruption following an attack on housing software provider Locata, and a cyber incident in late 2025 that affected Westminster City Council, the Royal Borough of Kensington and Chelsea and Hammersmith and Fulham, which share IT infrastructure.

Recovery costs and disruption following serious cyber incidents can be substantial, such as the £12m spent by Hackney Council in the year following a 2020 ransomware attack and the severe operational difficulties faced by Kensington & Chelsea Council following an attack last year which left it unable collect council tax for a substantial period of time and disrupted many core services for months.

The analysis is based on FOI requests submitted to 100 of England’s largest councils, of which 78 provided data. Some authorities declined to supply information, while others provided partial data for certain years.