UK data breach trends
A data breach trend is the pattern of personal-data breaches reported to a regulator over time — which sectors report the most incidents and how those incidents happen. This page breaks down the 3,677 personal-data breaches reported to the UK Information Commissioner's Office (ICO) in Q4 2025, by sector and by incident type, taken directly from the ICO's published statistics.
Quick answer
In Q4 2025, UK organisations reported 3,677 personal-data breaches to the ICO across 22 sectors. The highest-volume sector was Health with 647 breaches (17.6% of the total), and the largest single named cause was data emailed to incorrect recipient. Most high-volume incident types are human error rather than sophisticated attacks.
By the numbers
Totals computed directly from the ICO's published statistics for Q4 2025. The unit is distinct personal-data breaches reported to the ICO.
Explore breaches by sector
Pick a sector to see the breaches it reported in Q4 2025, its share of the total, and its rank. Every figure is a published ICO statistic — a factual lookup, not a predictive score.
See the personal-data breaches actually reported to the ICO by this sector in Q4 2025. All figures are published ICO statistics — not a prediction.
Across 3,677 breaches reported in Q4 2025, this sector accounts for 17.6%. Figures are historical published statistics and do not indicate the likelihood of any future breach.
Breaches by sector
Distinct personal-data breaches reported to the ICO in Q4 2025, by sector. Select a sector for its dedicated breakdown.
| # | Sector | Breaches | Share |
|---|---|---|---|
| 1 | Health | 647 | 17.6% |
| 2 | Education and childcare | 518 | 14.1% |
| 3 | Retail and manufacture | 395 | 10.7% |
| 4 | Local government | 299 | 8.1% |
| 5 | Finance, insurance and credit | 298 | 8.1% |
| 6 | Charitable and voluntary | 246 | 6.7% |
| 7 | Legal | 234 | 6.4% |
| 8 | Land or property services | 208 | 5.7% |
| 9 | Transport and leisure | 182 | 4.9% |
| 10 | Social care | 106 | 2.9% |
| 11 | Online Technology and Telecoms | 88 | 2.4% |
| 12 | General business | 86 | 2.3% |
| 13 | Unknown | 82 | 2.2% |
| 14 | Justice | 66 | 1.8% |
| 15 | Central Government | 54 | 1.5% |
| 16 | Membership association | 54 | 1.5% |
| 17 | Utilities | 42 | 1.1% |
| 18 | Marketing | 26 | 0.7% |
| 19 | Regulators | 13 | 0.4% |
| 20 | Media | 12 | 0.3% |
| 21 | Political | 11 | 0.3% |
| 22 | Religious | 10 | 0.3% |
Source: ICO (Information Commissioner's Office) — Data security incident trends (data-security-incidents-trends-q1-2019-to-q4-2025.xlsx). Contains public sector information licensed under the Open Government Licence v3.0. Figures are distinct-incident counts for Q4 2025, retrieved 2026-06-25. Presented neutrally; this is statistics, not legal advice.
Breaches by incident type
How the 3,677 reported breaches in Q4 2025 happened. Each incident is attributed to one type.
| Incident type | Breaches | Share |
|---|---|---|
| Not Provided | 649 | 17.7% |
| Data emailed to incorrect recipient | 607 | 16.5% |
| Phishing | 429 | 11.7% |
| Unauthorised access | 373 | 10.1% |
| Other non-cyber incident | 320 | 8.7% |
| Other cyber incident | 221 | 6% |
| Failure to redact | 201 | 5.5% |
| Data posted or faxed to incorrect recipient | 188 | 5.1% |
| Ransomware | 148 | 4% |
| Loss/theft of paperwork or data left in insecure location | 128 | 3.5% |
| Failure to use bcc | 96 | 2.6% |
| Hardware/software misconfiguration | 93 | 2.5% |
| Data of wrong data subject shown in client portal | 72 | 2% |
| Verbal disclosure of personal data | 71 | 1.9% |
| Loss/theft of device containing personal data | 31 | 0.8% |
| Malware | 20 | 0.5% |
| Brute Force | 19 | 0.5% |
| Incorrect disposal of hardware | 4 | 0.1% |
| Incorrect disposal of paperwork | 3 | 0.1% |
| Alteration of personal data | 2 | 0.1% |
| Denial of service | 2 | 0.1% |
Source: ICO (Information Commissioner's Office) — Data security incident trends (data-security-incidents-trends-q1-2019-to-q4-2025.xlsx). Contains public sector information licensed under the Open Government Licence v3.0. Figures are distinct-incident counts for Q4 2025, retrieved 2026-06-25. Presented neutrally; this is statistics, not legal advice.
What to do: prevention by incident type
Each step below targets the highest-volume incident types in this dataset. The breach count next to each is the Q4 2025 total for the incident types it addresses.
Stop misdirected disclosures
891 breachesTurn on delayed-send and external-recipient warnings, require bcc for any bulk mail, and add a second-person check before sending bulk correspondence. Misdirected email and post are consistently among the largest categories.
Harden access and authentication
821 breachesEnforce multi-factor authentication, least-privilege access and unusual-login alerting, and run regular phishing-awareness training. Phishing and unauthorised access together account for a large share of cyber incidents.
Build redaction and disclosure checks
273 breachesAdd a mandatory redaction and recipient-verification step before releasing documents or exposing records in a portal. Failure to redact and showing the wrong data subject are avoidable process failures.
Prepare for ransomware and malware
389 breachesKeep tested, offline backups, patch promptly, segment networks, and rehearse a breach-response plan so the 72-hour ICO reporting clock is manageable when an incident hits.
Data breach trends FAQ
- What counts as a personal-data breach under UK GDPR?
- A personal-data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It covers far more than hacking: a misdirected email, a lost laptop, paperwork left in an insecure location, or a failure to redact a document are all personal-data breaches. Under UK GDPR Article 33, a controller must report a notifiable breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it.
- How many data breaches were reported to the UK ICO in Q4 2025?
- The ICO recorded 3,677 distinct personal-data breaches reported by organisations in Q4 2025. Each incident is one distinct ICO reference and is attributed to exactly one sector and one incident type. The figures on this page are taken directly from the ICO's published 'Data security incident trends' statistics.
- Which sectors report the most data breaches?
- In Q4 2025 the highest-volume sectors were Health (647 breaches, 17.6%), Education and childcare (518 breaches, 14.1%), Retail and manufacture (395 breaches, 10.7%). The by-sector pages show the exact reported count and share for every sector — see the breakdown below.
- What are the most common types of data breach?
- Setting aside unspecified and 'other' categories, the most common named incident types in Q4 2025 were data emailed to incorrect recipient (607), phishing (429), unauthorised access (373). Most of the highest-volume types are human-error rather than sophisticated attacks, which is why process controls reduce breach volume so effectively.
- Do I have to report every data breach to the ICO?
- No. You must report a breach to the ICO only where it is likely to result in a risk to the rights and freedoms of individuals, within 72 hours of becoming aware of it. Where the risk is high, you must also tell the affected individuals without undue delay. Even unreported breaches must be documented internally. A tested breach-response process is what makes the 72-hour clock manageable.
- How can an organisation reduce its data-breach risk?
- Because the highest-volume incident types are misdirected email, phishing and unauthorised access, the controls with the biggest effect are practical: delayed-send and recipient confirmation on email, mandatory bcc for bulk mail, multi-factor authentication and least-privilege access, redaction checks before disclosure, and regular phishing-awareness training. A structured GDPR audit maps your data flows against these obligations and produces a prioritised remediation plan.
Data retrieved 2026-06-25 · reporting period Q4 2025.
Cut your breach risk before it becomes a report to the ICO
Most breaches in this data are preventable — misdirected email, weak access controls, phishing. GeraCompliance's fixed-scope GDPR sprint maps your data flows, hardens the controls behind these incident types, and gives you a tested breach-response plan — in days, not months.