Skip to main content
UK Data Breach Trends · Q4 2025

UK data breach trends

A data breach trend is the pattern of personal-data breaches reported to a regulator over time — which sectors report the most incidents and how those incidents happen. This page breaks down the 3,677 personal-data breaches reported to the UK Information Commissioner's Office (ICO) in Q4 2025, by sector and by incident type, taken directly from the ICO's published statistics.

Quick answer

In Q4 2025, UK organisations reported 3,677 personal-data breaches to the ICO across 22 sectors. The highest-volume sector was Health with 647 breaches (17.6% of the total), and the largest single named cause was data emailed to incorrect recipient. Most high-volume incident types are human error rather than sophisticated attacks.

By the numbers

Totals computed directly from the ICO's published statistics for Q4 2025. The unit is distinct personal-data breaches reported to the ICO.

3,677
Total breaches
22
Sectors covered
21
Incident types
Q4 2025
Reporting period

Explore breaches by sector

Pick a sector to see the breaches it reported in Q4 2025, its share of the total, and its rank. Every figure is a published ICO statistic — a factual lookup, not a predictive score.

See the personal-data breaches actually reported to the ICO by this sector in Q4 2025. All figures are published ICO statistics — not a prediction.

647
Reported breaches
17.6%
Share of all incidents
#1
Rank by volume

Across 3,677 breaches reported in Q4 2025, this sector accounts for 17.6%. Figures are historical published statistics and do not indicate the likelihood of any future breach.

Breaches by sector

Distinct personal-data breaches reported to the ICO in Q4 2025, by sector. Select a sector for its dedicated breakdown.

Source: ICO (Information Commissioner's Office) — Data security incident trends (data-security-incidents-trends-q1-2019-to-q4-2025.xlsx). Contains public sector information licensed under the Open Government Licence v3.0. Figures are distinct-incident counts for Q4 2025, retrieved 2026-06-25. Presented neutrally; this is statistics, not legal advice.

Breaches by incident type

How the 3,677 reported breaches in Q4 2025 happened. Each incident is attributed to one type.

Incident typeBreachesShare
Not Provided64917.7%
Data emailed to incorrect recipient60716.5%
Phishing42911.7%
Unauthorised access37310.1%
Other non-cyber incident3208.7%
Other cyber incident2216%
Failure to redact2015.5%
Data posted or faxed to incorrect recipient1885.1%
Ransomware1484%
Loss/theft of paperwork or data left in insecure location1283.5%
Failure to use bcc962.6%
Hardware/software misconfiguration932.5%
Data of wrong data subject shown in client portal722%
Verbal disclosure of personal data711.9%
Loss/theft of device containing personal data310.8%
Malware200.5%
Brute Force190.5%
Incorrect disposal of hardware40.1%
Incorrect disposal of paperwork30.1%
Alteration of personal data20.1%
Denial of service20.1%

Source: ICO (Information Commissioner's Office) — Data security incident trends (data-security-incidents-trends-q1-2019-to-q4-2025.xlsx). Contains public sector information licensed under the Open Government Licence v3.0. Figures are distinct-incident counts for Q4 2025, retrieved 2026-06-25. Presented neutrally; this is statistics, not legal advice.

What to do: prevention by incident type

Each step below targets the highest-volume incident types in this dataset. The breach count next to each is the Q4 2025 total for the incident types it addresses.

Stop misdirected disclosures

891 breaches

Turn on delayed-send and external-recipient warnings, require bcc for any bulk mail, and add a second-person check before sending bulk correspondence. Misdirected email and post are consistently among the largest categories.

Harden access and authentication

821 breaches

Enforce multi-factor authentication, least-privilege access and unusual-login alerting, and run regular phishing-awareness training. Phishing and unauthorised access together account for a large share of cyber incidents.

Build redaction and disclosure checks

273 breaches

Add a mandatory redaction and recipient-verification step before releasing documents or exposing records in a portal. Failure to redact and showing the wrong data subject are avoidable process failures.

Prepare for ransomware and malware

389 breaches

Keep tested, offline backups, patch promptly, segment networks, and rehearse a breach-response plan so the 72-hour ICO reporting clock is manageable when an incident hits.

Data breach trends FAQ

What counts as a personal-data breach under UK GDPR?
A personal-data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It covers far more than hacking: a misdirected email, a lost laptop, paperwork left in an insecure location, or a failure to redact a document are all personal-data breaches. Under UK GDPR Article 33, a controller must report a notifiable breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it.
How many data breaches were reported to the UK ICO in Q4 2025?
The ICO recorded 3,677 distinct personal-data breaches reported by organisations in Q4 2025. Each incident is one distinct ICO reference and is attributed to exactly one sector and one incident type. The figures on this page are taken directly from the ICO's published 'Data security incident trends' statistics.
Which sectors report the most data breaches?
In Q4 2025 the highest-volume sectors were Health (647 breaches, 17.6%), Education and childcare (518 breaches, 14.1%), Retail and manufacture (395 breaches, 10.7%). The by-sector pages show the exact reported count and share for every sector — see the breakdown below.
What are the most common types of data breach?
Setting aside unspecified and 'other' categories, the most common named incident types in Q4 2025 were data emailed to incorrect recipient (607), phishing (429), unauthorised access (373). Most of the highest-volume types are human-error rather than sophisticated attacks, which is why process controls reduce breach volume so effectively.
Do I have to report every data breach to the ICO?
No. You must report a breach to the ICO only where it is likely to result in a risk to the rights and freedoms of individuals, within 72 hours of becoming aware of it. Where the risk is high, you must also tell the affected individuals without undue delay. Even unreported breaches must be documented internally. A tested breach-response process is what makes the 72-hour clock manageable.
How can an organisation reduce its data-breach risk?
Because the highest-volume incident types are misdirected email, phishing and unauthorised access, the controls with the biggest effect are practical: delayed-send and recipient confirmation on email, mandatory bcc for bulk mail, multi-factor authentication and least-privilege access, redaction checks before disclosure, and regular phishing-awareness training. A structured GDPR audit maps your data flows against these obligations and produces a prioritised remediation plan.

Data retrieved 2026-06-25 · reporting period Q4 2025.

Cut your breach risk before it becomes a report to the ICO

Most breaches in this data are preventable — misdirected email, weak access controls, phishing. GeraCompliance's fixed-scope GDPR sprint maps your data flows, hardens the controls behind these incident types, and gives you a tested breach-response plan — in days, not months.