Apricorn has revealed findings from its Freedom of Information (FoI) requests, targeting local authorities across the UK, with basic human error being a key factor in data breaches.
The figures, collected from 27 UK councils, are said to indicate that over 2,400 suspected data breaches occurred across the sector in 2024.
Surrey County Council was the highest reporting authority, disclosing 634 breaches, followed closely by Oxfordshire County Council (451), North Yorkshire Council (406) and Suffolk County Council (328).
Many of these incidents, according to Apricorn, were the result of basic human error, such as misdirected emails, lost paperwork or the unauthorised sharing of sensitive personal information.
Notably, Suffolk County Council disclosed six breaches reported to the Information Commissioner’s Office (ICO), highlighting multiple failures including unauthorised access, internal data publication and inappropriate information sharing as a result of human error.
North Yorkshire Council provided similar reasoning.
According to Apricorn, of the 406 total breaches, eight were reported to the ICO, including three cyber-incidents, two unauthorised disclosures, one through incorrect email recipients, one unauthorised access and one through lost or misplaced data.
Despite these volumes, several councils reportedly sought to clarify that not all incidents resulted in harm or formal reporting to the ICO.
Cheshire East Council recorded 212 suspected breaches, noting that all potential data incidences and data breaches are recorded out of an abundance of caution, but many breaches were internal-only or were classified as ‘near misses’ due to human error.
In accordance with internal policies and procedures at Cheshire East Council, staff are reportedly encouraged to record incidences as soon as they are discovered, even if they are unsure of the risk at the time.
Similarly, Cambridgeshire County Council recorded just three ICO-notified breaches in 2024, all of which were caused by human error, but the regulator reportedly deemed that the data incidences were handled appropriately.
The FoI responses also highlight ongoing problems with device management.
Jon Fielding, Managing Director, EMEA, Apricorn said: “Even with training, guidance and policies in place, basic human error continues to be a significant cause of data breaches across local government.
“Add to this the large number of unencrypted or poorly secured devices still in circulation and the risk to data becomes even more pressing.
“Councils must ensure that endpoint security is not left to chance, encryption should be standard, regardless of device type and data handling processes must be reinforced through ongoing staff training and technical safeguards.
“Transparency is vital to improving data protection standards.
“Councils that encourage incident reporting and acknowledge risk, even when incidents are minor, are taking the right approach.
“But true protection also requires investment in encrypted hardware, secure data transfer practices and clear accountability across departments.”
