Employee Data Breaches and Hybrid Working
Reports of employee data breaches to the Information Commissioner's Office reached 3,872 in 2025, up from 3,680 the year before. That is a 5% annual rise and the highest level in at least seven years.
The headline figure hides a more important shift. Cyber-related breaches actually fell by 6% over the year, from 1,675 to 1,568. Non-cyber breaches rose by 15% to 2,304, and now make up the larger share of all reported incidents.
Analysis by the law firm Nockolds links the rise to hybrid working. As laptops, paper files and devices move between home and office more often, physical loss, misdelivery and theft of personal data become more likely.
Source: Personnel Today, Hybrid working blamed for rising number of data breaches, reporting analysis by Nockolds of ICO breach data.
Why This Matters
Most employers think of a data breach as a cyber attack: ransomware, phishing or a hacked system. The 2025 figures show that the bigger and faster-growing risk is now mundane: a lost laptop, a misdirected email, a file left on a train, or paperwork taken home and never returned.
Employee data is particularly sensitive. Payroll records, bank details, National Insurance numbers, health information, disciplinary records and home addresses all attract a high level of protection under the UK GDPR.
The move to home and hybrid working has pushed that data outside the controlled office environment, often without the policies, equipment and training catching up. The result is a record number of breaches involving the people an employer is most directly responsible for: its own staff.
What the Numbers Show
The 2025 ICO data, as analysed by Nockolds, breaks down as follows:
- 3,872 total employee data breaches reported in 2025, up 5% on 2024 and the highest in seven years.
- Cyber breaches fell 6%, from 1,675 to 1,568. Investment in technical security is having an effect.
- Non-cyber breaches rose 15% to 2,304. These now make up the majority of reported employee data breaches.
Non-cyber breaches include lost or stolen laptops, phones and USB drives, paperwork left in the wrong place, post sent to the wrong address, and emails sent to the wrong recipient. None of these require an attacker. They are everyday operational failures made more frequent by dispersed working.
Why Hybrid Working Increases the Risk
Hybrid and home working multiply the points at which personal data can go astray. The same record might exist on an office server, a home laptop, a personal phone and a printout on a kitchen table.
Common failure points include:
- Devices in transit. Laptops and phones carried between locations are more easily lost or stolen than equipment that never leaves a secured office.
- Personal devices. Staff using their own laptops or phones for work often lack encryption, managed updates and remote wipe.
- Paper records at home. Printed documents taken home for convenience sit outside any secure storage or disposal process.
- Home networks. Domestic Wi-Fi and shared family computers are harder to secure than a corporate network.
- Misdelivery. Working at speed across email and messaging makes sending data to the wrong person more likely.
None of these are exotic. They are the predictable consequence of asking staff to handle sensitive data in an environment the employer does not fully control.
What Counts as a Personal Data Breach
A personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is not limited to deliberate attacks.
A laptop left on a train is a breach. An email containing a staff list sent to the wrong client is a breach. A box of HR files lost in an office move is a breach. So is a manager accessing a colleague's records without a lawful reason.
This broad definition is why the non-cyber category is so large. Many employers under-report because they only recognise the cyber scenarios, which itself creates a compliance gap.
The 72-Hour Reporting Duty
Where a breach is likely to result in a risk to people's rights and freedoms, the employer must report it to the ICO without undue delay and within 72 hours of becoming aware of it. The clock starts when the organisation becomes aware, not when it finishes investigating.
The report must describe the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed in response. Where not all details are known at first, the ICO accepts reporting in phases.
If a breach is likely to result in a high risk to individuals, those affected must also be told without undue delay. Guidance and a self-assessment tool are available in the ICO's guide, 72 hours: how to respond to a personal data breach.
Failing to report a notifiable breach is itself an infringement, separate from the breach that caused it.
The Penalties
Under the UK GDPR and the Data Protection Act 2018, the most serious infringements can attract a fine of up to £17.5 million or 4% of total annual worldwide turnover, whichever is higher. Lesser infringements carry a maximum of £8.7 million or 2% of turnover.
These are UK figures. They differ from the EU GDPR maximum of 20 million euros, which is sometimes quoted in error for UK businesses.
The ICO does not impose maximum fines automatically. It weighs the seriousness of the breach, whether it was intentional, the steps taken to mitigate it, and the organisation's compliance history. The statutory basis is set out in the ICO's guidance on the maximum amount of a fine under the UK GDPR and the DPA 2018.
Fines are not the only exposure. A breach of employee data can also lead to claims from affected staff, Employment Tribunal proceedings where the breach overlaps with how an employee was treated, and reputational damage that is hard to quantify and harder to recover from.
What Employers Should Do
- Audit how personal data moves in a hybrid setting. Map where employee data is created, stored, accessed and transferred, including home laptops, personal devices and paper records.
- Encrypt devices. Full-disk encryption on every laptop and phone that holds personal data means a lost device is far less likely to be a reportable breach.
- Use secure file transfer. Replace ad hoc email attachments of sensitive data with managed, access-controlled sharing.
- Set a clear-desk and clear-screen standard at home. Paper records should be stored securely, returned for secure disposal, and never left where household members can see them.
- Control personal device use. Either provide managed equipment or set out clear rules for using personal devices, backed by an acceptable use policy.
- Train staff on misdelivery. The single most common non-cyber breach is sending data to the wrong recipient. Simple habits, such as confirming recipients before sending and using delayed send, reduce it.
- Maintain a breach response procedure. Every member of staff should know how to report a suspected breach internally and quickly, so the 72-hour clock can be met.
- Check your suppliers. You remain liable for employee data processed by payroll bureaux, HR platforms and other vendors. Confirm their security arrangements and breach-reporting commitments in writing.
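The misdelivery point above, "confirming recipients before sending", can be enforced technically as well as by habit. The following is an added example, not code from the original article or from Policy Pros: a pre-send check that a hypothetical mail-gateway hook would call with the recipient list and attachment names. It holds messages carrying personal data that are addressed outside the employer's own domains and its approved suppliers, and blocks outright where a recipient domain is a near-miss of a trusted one (the classic autocomplete slip). All domain names and attachment hints are constructed.

```python
"""Outbound recipient check for emails carrying employee data.

Added example, not code from the original article or from Policy Pros.
It assumes a hypothetical pre-send hook that passes the recipient list,
the attachment names and an optional 'contains personal data' tag.
"""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example-employer.co.uk"}           # constructed
APPROVED_SUPPLIER_DOMAINS = {"payroll-bureau.example"}  # constructed: confirmed in writing
SENSITIVE_NAME_HINTS = ("payroll", "salary", "sickness", "disciplinary", "hr_")


@dataclass
class Verdict:
    action: str                      # "send", "hold" (confirm recipients) or "block"
    reasons: list[str] = field(default_factory=list)


def recipient_domain(address: str) -> str:
    """Return the lower-cased domain of 'Name <user@host>' or 'user@host'."""
    addr = address.strip().lower()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domains flags a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def carries_personal_data(attachments, tagged: bool) -> bool:
    """True if the sender tagged the message or an attachment name looks like HR data."""
    names = [a.lower() for a in attachments]
    return tagged or any(h in n for n in names for h in SENSITIVE_NAME_HINTS)


def check_outbound(recipients, attachments, tagged=False) -> Verdict:
    """Decide whether a message may leave: send, hold for confirmation, or block."""
    if not carries_personal_data(attachments, tagged):
        return Verdict("send")
    trusted = INTERNAL_DOMAINS | APPROVED_SUPPLIER_DOMAINS
    verdict = Verdict("send")
    for r in recipients:
        d = recipient_domain(r)
        if d in trusted:
            continue
        if any(edit_distance(d, t) <= 2 for t in trusted):
            # Near-miss of a trusted domain: almost certainly a mistyped or
            # auto-completed address, so do not let the sender wave it through.
            verdict.action = "block"
            verdict.reasons.append(f"{r}: look-alike of a trusted domain")
        else:
            if verdict.action == "send":
                verdict.action = "hold"
            verdict.reasons.append(f"{r}: external recipient for personal data")
    return verdict


if __name__ == "__main__":
    for rcpts in (["a@example-employer.co.uk"],
                  ["client@other-firm.example"],
                  ["hr@example-employe.co.uk"]):
        v = check_outbound(rcpts, ["Payroll_Q1.xlsx"])
        print(rcpts, v.action, v.reasons)
```

"Hold" maps naturally onto the delayed-send habit the article recommends: the message is queued and the sender is asked to confirm the external recipient before it leaves.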
Worked Example: A Lost Company Laptop
A regional sales manager leaves a work laptop on a train. It holds a spreadsheet of the team's payroll details and several HR files. Whether this is a reportable breach, and how serious, depends almost entirely on what the employer did beforehand.
If the laptop is encrypted, password protected and capable of remote wipe, the personal data is very unlikely to be accessible. The risk to individuals is low, and in many cases the incident is recorded internally but does not meet the threshold for reporting to the ICO.
If the laptop is unencrypted, the data is exposed the moment someone opens it. That is a notifiable breach, the 72-hour clock applies, the affected staff may need to be told, and the employer faces ICO scrutiny of why the device was not protected.
The event is identical in both cases. The difference is preparation: encryption, a clear remote working policy, and staff who know to report the loss immediately.
Insider Access and Unauthorised Viewing
Not every breach involves data leaving the building. A manager who looks at a colleague's salary, sickness record or disciplinary file without a legitimate business reason has caused a breach, even though nothing has been lost or stolen.
Hybrid working can blur these boundaries. Shared drives, broad access permissions and informal cover arrangements make it easier for staff to reach records they have no need to see.
The control is least-privilege access: people can reach only the data their role requires, access is logged, and the rules are set out in writing. This is as much a governance question as a technical one.
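The least-privilege control described above, with access logged, in working form. This is an added example, not code from the original article or from Policy Pros; the records, users and roles are constructed, and the rules (HR sees everything, a line manager sees only the sickness record of direct reports, an employee sees only their own file) are one plausible encoding of "people can reach only the data their role requires". The `review_audit` function shows the detection side: repeated denials for one user are the signal that someone is browsing beyond their role.

```python
"""Least-privilege access to HR records with an audit trail.

Added example, not code from the original article or from Policy Pros.
Records, users and role rules below are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed HR records: subject -> fields held about them.
RECORDS = {
    "alice": {"salary": 41000, "sickness_days": 3},
    "bob":   {"salary": 38000, "sickness_days": 0, "disciplinary": "written warning"},
    "carol": {"salary": 52000, "sickness_days": 1},
}

# Fields each role may see; *whose* record they may see is decided in is_permitted.
FIELDS_BY_ROLE = {
    "employee":     {"salary", "sickness_days", "disciplinary"},  # own record only
    "line_manager": {"sickness_days"},                            # direct reports only
    "hr":           {"salary", "sickness_days", "disciplinary"},  # all staff
}

AUDIT_LOG: list[dict] = []   # default in-memory log; a real system would persist this


@dataclass(frozen=True)
class User:
    name: str
    role: str                          # "employee", "line_manager" or "hr"
    reports: frozenset = frozenset()   # names of direct reports (managers only)


def is_permitted(user: User, subject: str, field: str) -> bool:
    """Role decides which fields; role plus relationship decides whose record."""
    if field not in FIELDS_BY_ROLE.get(user.role, set()):
        return False
    if user.role == "hr":
        return True
    if user.role == "line_manager":
        return subject in user.reports
    return subject == user.name        # employee: own record only


def read_field(user: User, subject: str, field: str, reason: str = "", log=None):
    """Return the value if permitted, else None. Every attempt is logged."""
    log = AUDIT_LOG if log is None else log
    allowed = subject in RECORDS and is_permitted(user, subject, field)
    log.append({"user": user.name, "role": user.role, "subject": subject,
                "field": field, "allowed": allowed, "reason": reason})
    if not allowed:
        return None
    return RECORDS[subject][field]


def review_audit(log, denial_threshold: int = 3) -> dict:
    """Users whose denied reads reach the threshold: candidates for follow-up."""
    denials = Counter(e["user"] for e in log if not e["allowed"])
    return {u: n for u, n in denials.items() if n >= denial_threshold}


if __name__ == "__main__":
    hana = User("hana", "hr")
    mike = User("mike", "line_manager", frozenset({"alice", "bob"}))
    print(read_field(hana, "bob", "salary", reason="pay review"))        # 38000
    print(read_field(mike, "alice", "sickness_days", reason="return to work"))  # 3
    print(read_field(mike, "carol", "salary"))                           # None: denied
    print(review_audit(AUDIT_LOG, denial_threshold=1))                   # {'mike': 1}
```

The `reason` field is deliberate: the article's test is whether there was "a legitimate business reason", and recording one at the point of access makes later review possible rather than a matter of recollection.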
The Non-Cyber Blind Spot
Many information security policies were written for a cyber threat model: firewalls, passwords, anti-malware and access control. They say far less about a laptop bag on a train or a printout left at home.
With non-cyber breaches now the majority, the documentation needs to catch up. A policy that only addresses hacking leaves the larger share of real-world incidents ungoverned.
The practical fix is to align three documents: a remote working policy that sets out how data is handled away from the office, an information security policy that covers physical as well as technical controls, and a data breach procedure that everyone knows how to follow.
Documentation That Reduces the Risk
The breaches in the 2025 figures are largely procedural, which means clear, current documentation genuinely reduces them. The core set for a hybrid workforce is:
- A data breach policy setting out how to identify, contain, report and record a breach within the 72-hour window.
- A remote working policy covering devices, paper records, home networks and secure disposal.
- An acceptable use policy governing personal and company devices.
- An information security policy that addresses physical loss and misdelivery, not just cyber threats.
- A data protection and confidentiality policy aligned to the UK GDPR.
- An information asset register so you know where employee data sits in the first place.
For employers reviewing wider security posture, our IT security policies pillar and the UK Cyber Resilience Pledge guide set out what good looks like.
How Policy Pros Can Help
Policy Pros writes and reviews data protection and information security documentation for UK employers. We can produce or update your data breach procedure, remote working policy and acceptable use policy on a fixed-price basis, written to fit your sector and size.
If you are not sure where the gaps are, our policy review service audits your existing documents against the UK GDPR and the ICO's expectations, and tells you exactly what needs changing. For data protection specifically, see our GDPR policies and consultancy.