What happened, who was affected, and what we can learn…
April 2026 was another reminder that some of the most serious data protection failures are not caused by sophisticated cyberattacks, but by organisations failing to manage access, oversight and basic governance properly.
This month brought major concerns around sensitive health and genomic data, large-scale exposure risks involving government systems, and further customer data compromise affecting UK households. While the sectors were very different, the underlying issue was the same: personal information was accessible in ways it should never have been.
What stands out most is that none of these cases was particularly surprising. They reflect familiar weaknesses: third-party access, platform vulnerabilities and poor internal controls that continue to create avoidable risk across both the public and private sectors.
With the Data (Use and Access) Act 2025 continuing to strengthen expectations around accountability, and the ICO placing greater emphasis on demonstrable governance, organisations are increasingly being judged on whether the breach was preventable in the first place.
As always, this report brings together ICO enforcement activity, public disclosures and credible reporting involving breaches affecting people in the UK.
Only incidents involving UK individuals and confirmed ICO oversight are included.
UK Biobank
Date Reported: 1st April, 2026
No. of UK Individuals Affected: 500,000
Data Exposed or at Risk: De-identified health records, genomic data, scans and sensitive medical research datasets.
ICO Response: Self-referred to the ICO; formal investigation ongoing with no published enforcement action at month-end.
Summary: UK Biobank identified that highly sensitive volunteer health data had been listed for sale through Alibaba-linked listings connected to external research institutions with approved access. Although the organisation stated the data was de-identified, the exposure raised immediate concerns around re-identification and how securely external research partners were managing access. Permissions were revoked and affected institutional access was suspended.
Commentary: This case exposes a mistake many organisations still make: treating pseudonymised data as if it is no longer sensitive. When genetic information and health records are involved, re-identification is a very real risk. Once data leaves your own environment, accountability does not leave with it.
Companies House
Date Reported: 16th April, 2026
No. of UK Individuals Affected: Up to 5 million registered entities and associated personal details.
Data Exposed or at Risk: Names, addresses, company filing records and personal details exposed through a WebFiling platform vulnerability.
ICO Response: Reported to the ICO and NCSC; investigation ongoing with no enforcement outcome published.
Summary: A vulnerability within the Companies House WebFiling platform exposed personal information connected to millions of registered businesses and users. GOV.UK confirmed the issue had been contained, the affected service restored and formal notifications made to the relevant authorities.
Commentary: Incidents like this damage trust quickly because people assume government systems are built to a higher standard. This was not a sophisticated external attack; it was a weakness in platform design and access control. Secure design should be part of the system from day one, not something introduced after the problem becomes public.
ADT
Date Reported: 27th April, 2026
No. of UK Individuals Affected: Not publicly disclosed.
Data Exposed or at Risk: Names, phone numbers, addresses and limited customer account information.
ICO Response: Investigation underway, customer notifications issued and no public ICO enforcement action announced by month-end.
Summary: ADT confirmed unauthorised access to customer information following a cyber intrusion linked to the ShinyHunters group. While the full scale of UK customer exposure was not disclosed publicly, affected individuals were notified and internal investigations were launched.
Commentary: Security providers being breached always attract greater concern because customers trust them specifically to protect privacy and safety. When those organisations suffer repeated access failures, confidence drops quickly. It is another reminder that access management and supplier oversight are still weak points, even in businesses built around security.
Insights for UK Organisations
- Sensitive data remains sensitive even when it is “de-identified”; UK Biobank shows that pseudonymisation does not remove accountability, particularly where health and genomic records are involved.
- System design failures can be just as serious as cyberattacks; Companies House demonstrates that platform weaknesses often create exposure without a traditional breach event.
- Third-party access remains one of the biggest hidden risks; external researchers, suppliers and service providers continue to create major exposure points.
- Reputation is often harder to repair than compliance; organisations handling health, government, or home security data face long-term trust damage when protections fail.
Legislative Context
April 2026 sits within the stronger enforcement environment created by the Data (Use and Access) Act 2025, which continues to shape how organisations are expected to manage data risk.
This includes:
- Improved breach logging and accountability requirements.
- Greater scrutiny of governance and decision-making.
- Clearer expectations around third-party assurance.
- Stronger focus on evidence of prevention rather than explanations after the fact.
The ICO is continuing to prioritise cases involving:
- Special category data such as health records.
- Large-scale public record systems.
- Supplier and partner access failures.
- Avoidable governance weaknesses.
The regulatory position is becoming clearer each month: organisations must be able to demonstrate not only how they responded to a breach, but why the conditions for that breach were allowed to exist in the first place.
Conclusion
April 2026 showed that many of the biggest data protection failures are still failures of control, not innovation from attackers.
Sensitive research data was exposed through external access, a government filing platform revealed personal information because of poor system design, and a security provider suffered another customer data intrusion.
Different industries, same lesson.
For organisations operating in the UK, the regulator is becoming less interested in apologies after the event and far more focused on whether reasonable safeguards were already in place.
Good breach response still matters, but increasingly the real question is whether the breach should have happened at all.
Disclaimer
This report is based on public disclosures, media reports, and ICO updates available at the time of writing. Figures for affected individuals may be estimated where not officially disclosed. This post is intended for informational purposes only and does not constitute legal advice.