03 September 2025
UK police forces have experienced more than 13,000 data breaches over the last three years, according to figures obtained through freedom of information requests by Data Breach Claims UK.
The data reveals a steady rise in incidents, with police reporting 2,711 breaches in 2022/23, increasing to 4,643 the following year, and reaching 4,759 in the most recent period. Since 2022, this totals over 13,000 breaches, highlighting a growing challenge in managing sensitive data.
Police officers and staff handle substantial volumes of personal information, including names, contact details, and addresses, due to the investigative and administrative nature of their work. Under the Data Protection Act 2018, police forces are designated as data controllers, with a legal obligation to protect and handle personal data securely. Breaches can take many forms, from complex cyberattacks to routine human errors, such as misdirected emails, accidental disclosures, or loss of devices containing sensitive information. These incidents can expose individuals to financial fraud, identity theft, and emotional distress.
A 2020 study by VPNoverview already highlighted the scale of the problem, recording over 2,000 data breaches within UK police forces in that year alone. Threats such as ransomware, malicious insiders, and accidental mishandling continue to pose significant risks to data security.
Internal mishandling often contributes to breaches, with errors such as unauthorised access, failure to redact sensitive information, or mishandling of devices like laptops and USB sticks being common causes. Bethan Simons, a solicitor at JF Law, emphasised the importance of comprehensive staff training, encryption, and strict data sharing policies to mitigate these risks.
The freedom of information data also identified the police forces with the highest number of breaches. The Metropolitan Police Service led with 2,271 incidents, followed by Police Scotland with 1,398. Several other forces, including Cleveland, Derbyshire, Devon & Cornwall, Dorset, Greater Manchester, Humberside, Kent, Leicestershire, Merseyside, Norfolk, South Yorkshire, Suffolk, Thames Valley, and West Midlands either declined to provide data or did not respond.
Given the sensitive nature of police-held information, breaches can have serious consequences. The ICO reprimanded West Midlands Police in 2024 after records of two victims — one also a suspect — were wrongly merged, breaching data protection laws. Such errors can undermine investigations, lead to incorrect data processing, and cause emotional or financial harm to those affected.
Since 2022, 291 claims for compensation related to police data breaches have been filed, amounting to GBP £501,370 in total payouts. The largest payout occurred in 2022/23, when claimants received GBP £236,270. Bethan Simons warned that leaks can result in severe consequences, including identity theft, fraud, harassment, and emotional trauma. She urged victims to seek legal advice promptly if they believe they have suffered harm due to police data breaches.
Data Breach Claims UK continues to support individuals impacted by police data breaches, emphasising the importance of accountability and data security in safeguarding public trust.
