List of UK government data losses

Last updated

The following is a list of UK government data losses. It lists reported instances of the loss of personal data by UK central and local government, agencies, non-departmental public bodies, etc., whether directly or indirectly because of the actions of private-sector contractors. Such losses tend to receive widespread media coverage in the UK.

DateDepartmentNumber of
records lost
NarrativeReferences
2025 Legal Aid Agency Breach of personal data concerning applicants for legal aid (both civil and criminal) and their legal representatives.
2025 Ministry of Defence 3,700Details of Afghans being resettled in the UK were lost following a data breach by a subcontracter.
2024 Ministry of Defence Names and bank details of serving military personnel lost following hack to payroll system.
2024 Leicester City Council 1.3 TBRansomware attack led to the publication of large quantities of personally identifiable information including rent statements, applications to purchase council housing under Right to Buy, and accompanying identity documents.
2023 Police Service of Northern Ireland Details of all police employees accidentally published on WhatDoTheyKnow in response to a request under the Freedom of Information Act 2000. (See: PSNI data breaches)
2023 Metropolitan Police 47,000Contractor who supplies ID cards to the Metropolitan Police was subject of a ransomware attack. Ransomware attackers had access to information about 47,000 police staff (including police officers) and contractors, including name, photo, rank and vetting status.
2023August Norfolk Constabulary and Suffolk Constabulary 1,230Police in Norfolk and Suffolk accidentally published personal details of sexual abuse victims, witnesses and suspects on their website in response to a request under the Freedom of Information Act 2000.
2023July Ministry of Defence A number of emails were sent to .ml domains (rather than ".mil") due to human error.
2022 Ministry of Defence 19,000Spreadsheet containing details of Afghans fleeing the Taliban accidentally leaked by UK Special Forces headquarters official. A High Court injunction was sought to forbid publication of the data until 2025.
2022 Electoral Commission Names and addresses of all registered voters in the United Kingdom (except anonymous registrations).
2021 Department for Work and Pensions Court bundles for Child Maintenance appeals were sent out with personal information unredacted, including the address of a person whose ex-partner had a history of domestic violence.
2020 Public Health Wales 18,105Initials, date of birth, geographical area and sex of those who tested positive for COVID-19 were published online due to human error.
2020 Department for Work and Pensions 6,000National Insurance numbers of 6,000 disabled benefits claimants were publicly accessible for two years.
2020 NHS Scotland, Lanarkshire500Clinical information concerning 500 patients was shared through unauthorised WhatsApp groups. A third party was added to said groups and discovered the material.
2019 Cabinet Office 1,000+CSV file of New Year Honours recipients was published online, with personal address details for some recipients.
2017 Independent Inquiry into Child Sexual Abuse 90Emails were sent via CC rather than BCC, revealing 90 names of victims of child sexual abuse.
2017 Heathrow Airport 2.5GB / 76 foldersLost unencrypted USB storage device containing complete security information for Heathrow airport including badges, maps, CCTV camera locations, etc.
2015 Ministry of Defence British Army footage and photographs of Operation Motorman were found to be missing.
2014 Foreign Office Records of Diego Garcia flights and the UK's role in the CIA rendition programme were destroyed by water damage.
2014 Home Office 114Files linked to 1980s Westminster paedophile ring allegations were found to be missing. (See also: Westminster paedophile dossier.)
2013 Serious Fraud Office Documents related to the investigation of BAE Systems were lost accidentally. The data amounted to 32,000 physical pages of text, 81 tapes of audio, and other electronic media.
2013November Suffolk County Council An unencrypted USB memory stick was found containing information from the county’s adult and community services department. It had internal memos and copies of e-mails about forthcoming projects – and it also had tables containing the names of clients.
2013JulyNHS Greater Glasgow and Clyde60A folder containing patient records was found in a car park and handed in by a member of the public.
2012 Greater Manchester Police over 1,000An unencrypted USB stick containing details of witnesses with links to serious criminal investigations that was being kept in a police officer's house was stolen in a burglary. The force was fined £120,000.
2012South London NHS Trust600Records on 600 maternity patients and their newborn children were lost by misplacing unencrypted USB sticks.
2012MayNHS Surrey3,000Computer used by the NHS was sold on auction website eBay without being properly cleansed of patient records.
2012FebruaryOffice for Nuclear Regulation (ONR)A memory stick containing a safety assessment of a nuclear power plant in north-east England has been lost by an official. The unencrypted USB pen drive, containing a 'stress test' safety assessment of the Hartlepool plant.
2011FebruaryPowys County CouncilA file containing details of a child protection case was leaked accidentally. The council was fined £130,000.
2010SeptemberBrighton General HospitalHard drives containing patient data were stolen.
2008November Department for Work and Pensions n/aUSB memory stick, apparently encrypted and containing passwords for an old version of the Government Gateway, a website giving access to millions of records of personal data.
2008October Ministry of Defence 1,700,000Hard drive being held by contractor EDS is found to be missing.
2008September Service Personnel and Veterans Agency 50,500Three USB portable hard drives with details of staff are allegedly stolen from a high security facility at RAF Innsworth. The Agency holds records on 900,000 current and former personnel. Stolen records included sensitive information about the private lives of senior staff.
2008September National Offender Management Service 5,000A hard drive containing details of 5,000 employees of the National Offender Management Service was lost by EDS.
2008September Insolvency Service 400Names, addresses and bank details of up to 400 directors of 122 firms were lost when four laptops were stolen from a Manchester premises.
2008September Tees, Esk and Wear Valleys NHS Trust 200Memory stick with details of patients found in a public park.
2008August Home Office 84,000 PA Consulting lost an unencrypted memory stick containing details of high risk, prolific and other offenders.
2008August Colchester Hospital University NHS Foundation Trust 21,000A manager's unencrypted laptop holding patient addresses and treatment details is stolen from his car whilst on holiday in Edinburgh
2008January Royal Navy 600,000A Royal Navy officer's laptop was stolen that contained the details of 600,000 applicants and others who had expressed interest in joining the Armed Forces including both the Navy, Marines and Air Force.
2007December Department for Work and Pensions 45,000West Yorkshire benefit claimants' in data lost.
2007December Department for Work and Pensions 000sCDs with personal data found at the home of a former contractor.
2007November City and Hackney Teaching Primary Care Trust 160,000"Heavily encrypted" disks containing details of children are lost by couriers. The loss prompted the agency to implement hard drive and USB memory stick encryption systems across all PCs.
2007November Foreign and Commonwealth Office 50,000Details of visa applicants were made available on an FCO website.
2007November HM Revenue and Customs 25,000,000 Two CDs containing details of the families of child benefits claimants went missing in the post. HMRC's handling of data was described as "woefully inadequate" and staff were described as "muddling through" in a June 2008 Independent Police Complaints Commission report.
2007July Ministry of Justice 5,000Hard disk with details of HM Prison Service staff is lost on the premises of EDS.
2007May Driving Standards Agency 3,000,000Hard disk with details of candidates for the driving theory test was lost in a premises in Iowa by subcontractors.
2007May Foreign and Commonwealth Office 50Details of individuals made public after "unauthorised disclosure by a contractor"
1961 Foreign Office Many of the most sensitive documents from the UK's colonial era were destroyed under the direction of Secretary of State for the Colonies Iain Macleod.