Incidents involving employee data breaches climbed to their highest level in at least six years last year, increasing by 14 per cent on the year before, according to analysis by Nockolds. 

Reports to the Information Commissioner’s Office (ICO) of breaches jumped from 3,208 in 2023 to 3,679 in 2024, the analysis found.

This marks the highest number of employee-related data breach reports since 2019, when the ICO received 3,010 reports. The research also found phishing attacks targeting employee data jumped by 56 per cent in the past year, from 486 to 758.

Lorna Ferrie, legal and compliance director at Mauve Group, said HR teams must be “increasingly vigilant” and “cannot afford to take a backseat” when it came to this threat.

“Beyond the personal risks to employees, breaches can carry serious financial, legal and reputational consequences for organisations,” she warned. “If regulators identify areas of non-compliance or process gaps in safeguarding employee data, they aren’t afraid to hand out serious fines. Financial consequences can topple small businesses and penalise larger organisations.”

Elissa Thursfield, co-founder at HRoes, said the statistics should be a “wake-up call” for employers. “Safeguarding employee data is more than compliance, it is about demonstrating respect for the valuable information that you hold in your position as an employer,” she explained.

Remote work adds complexity to compliance

Joanna Sutton, principal associate at Nockolds, said remote working had introduced new cybersecurity challenges for organisations: “Employees increasingly use personal devices and home networks that may lack robust security measures, increasing the risk of both accidental and malicious data breaches.”

More than a quarter (28 per cent) of adults were hybrid working in the autumn of 2024, according to the Office for National Statistics.

This number jumped to close to half (45 per cent) for those in senior occupations, including managers and directors – often those handling large amounts of sensitive data. 

Ferrie warned HR professionals to be “mindful of the evolving risk landscape” as more organisations adopted flexible and cross-border working models.

“With an increasing number of employees working remotely, it’s important for organisations to have a clear understanding of where their staff are located and what legal and compliance obligations apply,” she added. 

What should HR be aware of? 

Sutton explained that breaches could have “serious repercussions” for HR teams. 

“The increase in such attacks suggests that training staff to recognise threats will need to go together with technical solutions, which means that HR will play a pivotal role,” she said, adding that employers could be liable if policies were out of date, even if data was leaked accidentally and an employee was responsible.

Sutton said effective cybersecurity was “dependent on employee engagement as much as robust IT systems”. “It is very easy for robust defences to be compromised because staff aren’t familiar with cybersecurity protocols or complying with them,” she explained.

Ferrie similarly advised regular and up-to-date training for employees, citing human error as one of the biggest causes of data breaches.

Thursfield added that employers and HR must remember that data protection was not just an IT issue, but should be an “organisational priority”. 

“Everyone in the business needs to ensure they can spot a potential attack and also how to report suspicious activity,” she advised, recommending regular audits of the workplace to identify weak spots, ensuring policies were up to date, and having a clear response plan ready in the event of a breach.

For further information on this topic, read the CIPD’s factsheet on data protection and GDPR in the workplace