UK: DATA BREACHES WITH PAPER BASED PERSONAL DATA

NEWS – “without comment”

Paper data breaches in UK hit 11,141 over five years

28th Apr 2026 

Author: Sean Mitchell

Source: https://securitybrief.co.uk/author/sean-mitchell

More than 11,000 paper-based data breaches were reported to the UK Information Commissioner’s Office between 2020 and 2025, according to Officeology. 

Its analysis found employee data featured in almost one in five incidents.

The document management specialist reviewed ICO records on paperwork that was lost, stolen or incorrectly disposed of. 

It identified 11,141 incidents over the period, including 2,103 involving employee information such as personal identifiers, health details and financial data.

The figures point to a persistent form of data loss outside the usual focus on online attacks and system intrusions. 

Under the ICO’s classification, paperwork-related incidents are treated as non-cyber breaches because they do not involve a clear online or technological element linked to a malicious third party.

In 2025 alone, 1,820 paperwork breaches were reported to the regulator, the analysis found. Of those, 330 incidents, or 18%, involved employee data and could have affected as many as 28,000 workers, based on the size of the organisations involved.

Reporting delays

The analysis also highlighted repeated delays in notifying the regulator. UK GDPR requires organisations to report personal data breaches within 72 hours of becoming aware of them, but that deadline was missed in 41% of paperwork cases recorded in 2025.

That included 399 incidents reported a week or more after discovery and 351 reported between 72 hours and one week later. For breaches involving employee data, 39% of incidents, or 130 cases, were reported after the 72-hour deadline.

The information exposed most often was basic personal data, including names, addresses and dates of birth. In 2025, 708 incidents involved those identifiers, accounting for 39% of the year’s paperwork breaches, while health data featured in 23% of cases.

Among breaches linked to employee records, a third, or 112 incidents, involved the loss, theft or incorrect disposal of basic identifying information. This suggests routine administrative records remain a notable source of risk when physical files are mishandled.

Few investigations

Most reported incidents did not lead to a formal ICO investigation. Fewer than 5% of paperwork breaches recorded between 2020 and 2025 were escalated for formal investigation, according to Officeology.

In 2025, only 12 paperwork-related incidents were passed to investigation teams to assess what action, if any, was appropriate, down from 55 in 2024.

Last year, the ICO chose not to use its formal powers in 1,429 paperwork mishandling cases, instead providing guidance and advice. Only one incident involving employee data was formally investigated in 2025.

The full article can be read at: https://securitybrief.co.uk/author/sean-mitchell

Posted by: Ian (D. Withers)

www.WAPI.org

Disclaimer: News items in W.A.P.I.’s “News Without Comment” section are republished articles from external sources. W.A.P.I. is not the originator of this content and does not endorse or verify the accuracy of the material. Complaints or requests for correction should be directed to the original publisher. W.A.P.I. will review any substantiated notice of defamation and, if appropriate, remove or update the content.
