UK Data Breach Report – December 2025

What happened, who was affected, and what we can learn…

December brought a mix of major enforcement, public reprimands, and newly‑disclosed cyber incidents where organisations confirmed they had notified the ICO. This report pulls together:

  • ICO news and enforcement publications.
  • Public statements by affected organisations.
  • Reputable media coverage explicitly confirming notification to the ICO.

Only incidents with UK individuals and ICO involvement are included in this month’s UK Data Breach Report.

LastPass UK Ltd.
Date Reported: 11th December 2025
No. of UK Individuals Affected: Up to 1.6 million UK users.
Data Exposed or at Risk: Names, email addresses, phone numbers and stored website URLs from a backup database. Password vault contents remained encrypted, but associated metadata and contact details were compromised.
ICO Response: Monetary penalty of £1.2 million for failing to implement sufficiently robust technical and security measures. The ICO highlighted weaknesses around access controls and device security and urged all UK businesses to review their own controls in light of the incident.
Summary: The fine relates to a 2022 cyber attack where a hacker first compromised a corporate laptop in Europe, then a US employee’s personal laptop, installing malware and capturing a master password. Using information from both incidents, the attacker accessed LastPass’ backup database and exfiltrated personal information on up to 1.6m UK customers.
Commentary: This case reinforces that employee endpoint security and privileged access management are as critical as core infrastructure security; “Zero‑knowledge” encryption protected vault contents, but unencrypted metadata (names, emails, URLs) still carries serious risk, from targeted phishing to profiling. The ICO’s language and the relatively modest fine, compared with the scale, underline a focus on proportionate penalties plus sector‑wide deterrence, rather than maximal punishment, especially where passwords themselves were not exposed.

Post Office Ltd.
Date Reported: 3rd December 2025
No. of UK Individuals Affected: 502 postmasters.
Data Exposed or at Risk: Names, home addresses and postmaster status of individuals involved in Horizon group litigation, published in an unredacted legal settlement document on the Post Office’s website and left accessible for almost two months.
ICO Response: A public reprimand rather than a fine. The ICO considered, then discounted, a monetary penalty of up to £1.094m, concluding that the failures did not meet the “egregious” threshold required for fines under its public‑sector approach.
Summary: During web publication of legal documents, the Post Office’s communications team uploaded an unredacted settlement agreement. The file remained publicly available from April to June 2024 before being removed after an external notification. The ICO found inadequate publishing controls, a lack of documented procedures and insufficient staff training around information sensitivity.
Commentary: This is a classic FOI/disclosure‑log failure, not a sophisticated cyber attack. Because the affected group had already experienced major injustice, the ICO framed this as a serious failure of care and dignity, despite the relatively small numbers involved. Organisations should treat website and disclosure‑log processes as high‑risk publishing workflows, with dual sign‑off, templated redaction procedures, and clear accountability.

Prospect Custodian Trustees Ltd.
Date Reported: 18th December 2025
No. of UK Individuals Affected: Prospect has more than 160,000 members across the UK and Crown Dependencies; the precise number of affected UK individuals is not yet known.
Data Exposed or at Risk: Member personal information including financial data and multiple categories of special category data: trade union membership, ethnic origin, sexual orientation, disability and religious belief.
ICO Response: The ICO launched a joint investigation alongside regulators in Jersey, Guernsey and the Isle of Man into a June 2025 cyber incident, after Prospect reported a personal data breach. The investigation will examine the scope of exposed data, security measures in place, breach notification, and mitigation steps. The ICO stresses that opening an investigation does not imply that Prospect has been found in breach of the law.
Summary: A June 2025 cyber attack on Prospect’s systems compromised data spanning multiple jurisdictions. Given the union’s role and the sensitivity of the data categories involved, regulators across the British Isles are collaborating to investigate security adequacy and response.
Commentary: This incident illustrates the intersection of cyber risk and labour rights: trade union membership is both highly sensitive and politically significant. Multi‑jurisdiction breaches increasingly trigger coordinated regulatory action, particularly when member data flows between UK and Crown Dependencies. Organisations holding rich profiles combining financial and special category data should expect intense scrutiny of encryption, access controls and logging.

Royal Cornwall Hospitals NHS Trust
Date Reported: 15th December 2025
No. of UK Individuals Affected: Current and former employees; an exact figure is not disclosed.
Data Exposed or at Risk: An editable spreadsheet with staff sickness absence records (April 2020 to May 2023) was inadvertently disclosed as part of a Freedom of Information response and placed on the Trust’s disclosure log. The Trust emphasised that no patient data or financial information was involved.
ICO Response: The Trust states that the incident has been reported to the ICO and that a full review of disclosure‑log processes is underway. As of 1st January 2026, no separate public enforcement notice or monetary penalty has been published for this incident.
Summary: Once the error was identified, the spreadsheet was removed and the disclosure log temporarily suspended while new safeguards were designed. Affected staff are being contacted directly, with a dedicated email address for queries.
Commentary: Another disclosure‑process breach, mirroring the Post Office case but in the NHS workforce context. Staff data, especially around health and sickness, is sensitive and can be embarrassing or harmful if exposed, even without financial or patient records. Controls for FOI responses should include: locked/non‑editable exports, automatic cell‑protection for hidden columns, and specialist review of anything containing HR or health‑related fields.

DXS International
Date Reported: 18th December 2025
No. of UK Individuals Affected: Unknown. A ransomware group claims to have exfiltrated around 300GB of data, but at the time of reporting there was no confirmation that patient records were accessed.
Data Exposed or at Risk: DXS provides software that interacts with NHS clinical systems and may be hosted on the Health and Social Care Network. The precise nature of the compromised data is under investigation; it could range from internal corporate documents to information linked to patient‑facing systems.
ICO Response: DXS has notified law enforcement and regulators including the ICO. An ICO spokesperson confirmed that the regulator is assessing the information provided by DXS; no formal enforcement outcome has yet been announced.
Summary: DXS disclosed the incident via a London Stock Exchange filing after discovering a security incident affecting office servers on 14th December 2025. A ransomware group later claimed responsibility and alleged theft of large volumes of data. Services continued with minimal disruption, but the data‑protection impact remains under active investigation.
Commentary: This is a textbook third‑party/vendor risk event: a specialist supplier to NHS England suffering a breach that could indirectly touch patient data. It highlights the importance of contractual and technical assurance over suppliers’ security and incident‑response capabilities, particularly where they connect to critical healthcare networks. Early notification to the ICO and stock‑market transparency suggest DXS is prioritising regulatory and investor confidence, but the eventual impact will depend on what the forensic work reveals.

Insights for UK Organisations

Disclosure processes are still a major weak point

  • Both the Post Office and Royal Cornwall Hospitals NHS Trust incidents came from publishing the wrong thing, not from sophisticated hacking.
  • Organisations need to treat disclosure logs, FOI responses and web uploads as high‑risk publishing, with structured redaction workflows, role‑based approvals and automated checks.

Special category and high‑impact data are in focus

  • Prospect holds trade union membership and other special category data alongside financial information, a combination that heightens harm if mishandled.
  • The ICO’s Better Records Together campaign and enforcement work around care records (Birthlink, Bristol City Council) show sustained regulatory attention on identity‑defining records and the real‑world harm when they are lost or mismanaged.

Third‑party and SaaS security remains critical

  • The LastPass fine demonstrates that even security products can fall short in their own controls, especially around employee devices and shared credentials.
  • The DXS incident underlines NHS dependencies on external tech providers and the need for robust supply‑chain assurance across both data‑protection and cyber‑resilience regimes.

Public‑sector enforcement is still calibrated, not punitive by default

  • In the Post Office case, the ICO chose a reprimand instead of a fine, aligning with its public sector approach that reserves monetary penalties for particularly egregious failures while emphasising improvement and learning.
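The "automated checks" and "locked/non‑editable exports" called for in the disclosure‑process points above, and in the Royal Cornwall Hospitals commentary earlier, can be made concrete as a pre‑publication gate. The script below is an added example, not code from this report or from any of the organisations it names. It treats an .xlsx export as what it is, a zip of XML parts, and with only the Python standard library flags hidden sheets, hidden rows and columns, and header text that should route the file to HR or health‑specialist review before it reaches a disclosure log. The keyword list and the sample workbook are constructed for the example; the sample contains only the parts the checker reads, so it is not a complete workbook that would open in a spreadsheet application.

```python
"""Pre-publication gate for spreadsheet exports headed for a disclosure log.

Added example (not from the report). An .xlsx file is a zip of XML parts, so
hidden sheets, hidden rows/columns and header text can be inspected with the
standard library alone.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN}

# Header words that should route an export to HR/health specialist review.
# Constructed list for this example; tune it to your own data.
SENSITIVE_HEADERS = re.compile(
    r"sick|absence|health|diagnos|ni number|national insurance|date of birth|"
    r"salary|ethnic|disab|religio|union", re.I)


def _shared_strings(z):
    """Return the shared-string table (cells with t="s" index into it)."""
    if "xl/sharedStrings.xml" not in z.namelist():
        return []
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{{{MAIN}}}t"))
            for si in root.findall("m:si", NS)]


def _cell_text(cell, shared):
    """Resolve a cell's text whether it is shared, inline, or a plain value."""
    v = cell.find("m:v", NS)
    if cell.get("t") == "s" and v is not None:
        return shared[int(v.text)]
    if cell.get("t") == "inlineStr":
        return "".join(t.text or "" for t in cell.iter(f"{{{MAIN}}}t"))
    return v.text if v is not None else ""


def check_export(xlsx_bytes):
    """Return a list of findings; an empty list means nothing blocks publication."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.findall("m:sheets/m:sheet", NS):
            if sheet.get("state") in ("hidden", "veryHidden"):
                findings.append(f"hidden sheet: {sheet.get('name')}")
        shared = _shared_strings(z)
        parts = sorted(n for n in z.namelist()
                       if n.startswith("xl/worksheets/sheet") and n.endswith(".xml"))
        for part in parts:
            ws = ET.fromstring(z.read(part))
            for col in ws.findall("m:cols/m:col", NS):
                if col.get("hidden") == "1":
                    findings.append(f"{part}: hidden column(s) {col.get('min')}-{col.get('max')}")
            rows = ws.findall("m:sheetData/m:row", NS)
            for row in rows:
                if row.get("hidden") == "1":
                    findings.append(f"{part}: hidden row {row.get('r')}")
            # Only the first row is treated as the header row.
            for cell in (rows[0].findall("m:c", NS) if rows else []):
                text = _cell_text(cell, shared)
                if SENSITIVE_HEADERS.search(text):
                    findings.append(f"{part}: header '{text}' needs HR/health review")
    return findings


def build_sample_xlsx(clean=False):
    """Constructed workbook holding only the parts the checker reads (not a
    complete .xlsx). By default it has a hidden column, a hidden row, a hidden
    working sheet and sensitive headers; clean=True removes all of them."""
    col = "" if clean else '<cols><col min="3" max="3" width="0" hidden="1"/></cols>'
    hdr3 = "Headcount" if clean else "Sickness absence days"
    row3 = "" if clean else '<row r="3" hidden="1"><c r="A3"><v>1002</v></c></row>'
    sheet1 = (f'<worksheet xmlns="{MAIN}">{col}<sheetData>'
              '<row r="1"><c r="A1" t="inlineStr"><is><t>Staff ID</t></is></c>'
              '<c r="B1" t="inlineStr"><is><t>Department</t></is></c>'
              f'<c r="C1" t="inlineStr"><is><t>{hdr3}</t></is></c></row>'
              '<row r="2"><c r="A2"><v>1001</v></c><c r="C2"><v>4</v></c></row>'
              f'{row3}</sheetData></worksheet>')
    hidden_sheet = "" if clean else '<sheet name="working" sheetId="2" state="hidden"/>'
    parts = {"xl/worksheets/sheet1.xml": sheet1,
             "xl/workbook.xml": (f'<workbook xmlns="{MAIN}"><sheets>'
                                 '<sheet name="Absence export" sheetId="1"/>'
                                 f'{hidden_sheet}</sheets></workbook>')}
    if not clean:
        parts["xl/sharedStrings.xml"] = (f'<sst xmlns="{MAIN}"><si><t>Name</t></si>'
                                         '<si><t>NI number</t></si></sst>')
        parts["xl/worksheets/sheet2.xml"] = (
            f'<worksheet xmlns="{MAIN}"><sheetData><row r="1">'
            '<c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c></row>'
            '</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in check_export(build_sample_xlsx()):
        print("BLOCK:", finding)
    print("clean export findings:", check_export(build_sample_xlsx(clean=True)))
```

Used as a gate in the publishing workflow, a non‑empty findings list blocks the upload until a named reviewer signs it off. It complements rather than replaces the locked export: converting the reviewed file to a values‑only or PDF copy is what stops hidden cells and formulae travelling with it, and the checker catches the case where someone publishes the editable spreadsheet anyway.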

Legislative Context

EU–UK data‑protection adequacy renewed

  • On 19th December 2025, the European Commission renewed both GDPR and Law Enforcement Directive adequacy decisions for the UK, allowing continued data flows from the EU to the UK, including for law enforcement.
  • The renewed GDPR decision explicitly includes data processed for immigration control, widening the categories of data that can flow under adequacy.

Cyber Security and Resilience (NIS) Bill advances, with ICO support

  • The ICO published its response to the Cyber Security and Resilience (Network and Information Systems) Bill on 23rd December 2025, welcoming the Bill as a key step in strengthening UK cyber‑resilience and emphasising the role of managed and digital service providers in modern supply chains.
  • For incidents like DXS and LastPass, this evolving NIS framework will sit alongside UK GDPR, shaping expectations around incident reporting and resilience for essential digital services.

Better Records Together campaign ramps up

  • Through the Better Records Together initiative and an open letter to senior leaders, the ICO has signalled that care records and subject access will remain a priority, backed by enforcement where necessary (as seen with Birthlink and Bristol City Council).
  • This has clear relevance for breaches involving record‑keeping and FOI disclosures such as those at Royal Cornwall Hospitals NHS Trust (RCHT) and the Post Office.

Conclusion

December 2025 illustrates three overlapping trends:

  • Mass‑scale SaaS breaches (LastPass) continue to create systemic risk, even when core credentials remain encrypted.
  • Human and process errors in publishing (Post Office, RCHT) remain a persistent and preventable source of data exposure.
  • Third‑party and cross‑border incidents (Prospect, DXS) are drawing increasingly coordinated regulatory responses, underpinned by renewed EU–UK adequacy and evolving cyber‑resilience law.

For organisations operating in or with the UK, key takeaways are:

  • Harden endpoint and identity security, especially for staff with privileged access.
  • Treat disclosure logs, FOI responses and web uploads as high‑risk publishing, with rigorous redaction and review.
  • Map and actively govern your supplier ecosystem, ensuring contracts, technical controls and incident‑response playbooks are aligned with both UK GDPR and NIS‑style obligations.
  • Prioritise the protection of special category and identity‑defining records, in line with the ICO’s Better Records Together agenda.

Disclaimer

This report is based on public disclosures, media reports, and ICO updates available at the time of writing. Figures for affected individuals may be estimated where not officially disclosed. This post is intended for informational purposes only and does not constitute legal advice.

Stu Walsh

I am a Chief Information Security Officer (CISO) and Data Protection Officer (DPO) with extensive experience in overseeing organisational information security strategies, as well as establishing and maintaining the Information Security Management System (ISMS) required for ongoing General Data Protection Regulation (GDPR) compliance and ISO 27001 and PCI-DSS certifications; ensuring the protection of sensitive data and compliance with all UK regulations and standards.
