Central Bedfordshire Council has paid out more than £70k in compensation for 450 data breach claims

Payouts of more than £70,000 have been made by Central Bedfordshire Council in compensation for 450 data breach claims, amid a “worrying rise” in both cyber and non-cyber security attacks across the UK.

But the council says the rise is “likely” due to increased staff awareness, with all breaches reported – even if no data has left the council.

A total of 114 incidents were recorded by CBC in 2021, increasing to 136 in 2022, according to an investigation by DataBreachClaims.org.uk. A further 200 were logged last year, representing a 75 per cent growth during the last three years, said the organisation.

The majority of these are likely to be for emails being sent to the wrong recipient or incorrect disposal of paperwork, it explained, while its research uncovered “a stark increase both in terms of human error and cyber attacks across UK local authorities”.

Councils are expected to collect, store, use, share and dispose of personal information or data about individuals, in line with the general data protection regulation (GDPR) and the Data Protection Act (DPA).

CBC confirmed a total of 450 data breach incidents since 2021, with figures rising year-on-year. A council spokesman said: “CBC takes its responsibility under the DPA extremely seriously, and our employees receive regular training and reminders around protecting personal and sensitive information.

“The figures provided are likely to reflect an increased awareness among staff of the need to report all data breaches, even where no data has left the council.

“In circumstances where there’s a more significant breach, we’ve apologised to those affected and taken steps to prevent similar occurrences happening again.

“We actively notify the Information Commissioner’s Office (ICO) of any serious breaches, and the ICO has always been satisfied with the actions we’ve taken to mitigate and contain these breaches.”

In an incident two years ago, in response to a freedom of information request (FOI), CBC included the full names of dozens of children with special educational needs and disabilities (SEND).

It was branded “a complete failure of process” by Independent Ampthill councillor Mark Smith, while Independent Biggleswade South councillor Hayley Whitaker described it as “a truly shocking data breach, a new low for CBC”.

Personal data breaches are defined as “any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.

Cyber attacks on local authority systems have “increased staggeringly” by almost a quarter between 2022 and 2023, said the ICO.

Personal data breaches reported by local government “have skyrocketed by 58 per cent” in the same time period, it confirmed.

Data breach expert at DBC, Eleanor Coleman warned: “This rise is worrying and we hope organisations are ensuring they’ve sufficient security in place to protect people’s personal information.”

Security breaches have the potential to put thousands of people’s personal details at risk, potentially harming victims psychologically and financially, added the DBC.

It asked the council how many cyber attacks happened within the same time period, with CBC acknowledging there was one incident in 2022.

The council revealed it paid out £70,650 in data breach compensation claims between April 1, 2021 and February 2024, the second highest figure for a unitary authority.

Victims of a breach could claim compensation providing a certain set of criteria is met.