Breaches of employee data reported to the UK regulator have hit their highest level in at least seven years, according to new analysis from law firm Nockolds.
The company said that reports to the Information Commissioner’s Office (ICO) had increased 5% over the past year to reach 3872 breach incidents in 2025.
This is nearly 29% higher than the total number of reported breaches recorded in 2019 (3010), when these records began.
However, cyber-related breaches actually fell by 6% over the past year to 1568, while non-cyber incidents jumped 15% to 2304.
Read more on employee data breach incidents: Ericsson Breach Exposes Data of 15k Employees and Customers
Nockolds principal associate, Joanna Sutton, blamed hybrid working for the evolving picture.
“Organizations have strengthened their digital defenses, but many have not adapted their physical and procedural safeguards to match. The flow of devices and documents between homes and offices creates vulnerabilities that cyber tools alone cannot fix,” she claimed.
“These incidents have become more common as employees split their time between multiple locations. Sensitive and highly confidential information including HR and payroll documents, disciplinary records, medical information and identity documents are now routinely handled outside controlled office environments.”
HR and Security Must Work Together
Nockolds said that non-cyber incidents could include:
- Lost or stolen laptops, phones or USB drives
- Paperwork left on trains, in cars or shared home environments
- Post or emails sent to the wrong recipient
- Printed documents not disposed of securely
- Files transported between home and office without proper controls
Sutton warned that even if breaches are accidental, employees have the right to bring claims if the incident has caused them stress or anxiety. That puts the onus on employers to ensure they safeguard the large volumes of sensitive personally identifiable information (PII) held on staff.
“Even if an employee accidentally causes a breach, organizations may still be liable if policies are outdated or staff have not been properly trained. HR teams therefore play a critical role in ensuring that both the human and technical elements of data protection are aligned,” she concluded.
“Effective data security depends as much on employee awareness as on robust IT systems. The rise in non‑cyber incidents shows that organizations need to invest in regular, practical training and ensure that policies reflect the realities of hybrid working.”
A Mimecast report earlier this month claimed that rising use of AI in the workplace is putting sensitive data at risk of misuse and abuse.
It said that 42% of global organizations reported a rise in cybersecurity incidents because of employee negligence, and the same share (42%) from malicious insiders.
