According to Verizon’s 2025 DBIR (Data Breach Investigations Report), some 60% of data breaches now involve “the human element” – in other words, errors and non-malicious activity.
Failing to use bcc when emailing groups of people, emailing spreadsheets full of unencrypted personal data to entire mailing lists without checking, misconfiguring an AWS bucket… each of these simple errors can expose personal information and damage reputations.
Recent years have seen several large-scale incidents where accidental disclosure has had significant consequences. These examples show how even organisations with extensive resources and responsibilities can fall victim to basic human error.
Examples of accidental breaches
Police Service of Northern Ireland, 2023
In August 2023, the PSNI (Police Service of Northern Ireland) mistakenly published a spreadsheet online as part of its response to a routine Freedom of Information request. The file contained the names, ranks, locations and departments of every serving police officer and civilian staff member – more than 9,000 individuals in total.
The data remained available for several hours before being taken down, but by that time it had been downloaded and shared online. The breach was described as “monumental” by local politicians and created severe personal safety concerns for officers, given the ongoing security situation in Northern Ireland. Some officers were forced to move house and change daily routines.
The PSNI later apologised, calling the breach an “unacceptable” human error. It also faced multiple investigations into how internal processes had failed to prevent such a sensitive file from being released unchecked. The ICO (Information Commissioner’s Office) fined the PSNI £750,000 for the breach.
Australian Department of Finance, 2024
In February 2024, Australia’s Department of Finance admitted that it had accidentally sent a spreadsheet to 236 suppliers that contained sensitive information about other companies. The data, which related to government contracts, was embedded within a pivot table that was not properly cleansed before being circulated.
This incident followed a similar error in November 2023, when procurement information was uploaded to the wrong location, exposing details of bids and suppliers. The Department apologised, requested recipients to delete the emails, and undertook a review of its internal practices.
The fact that two breaches occurred within a short period highlighted the dangers of systemic weaknesses in how spreadsheets and procurement documents were handled. It also illustrated a recurring problem: the failure to apply technical checks, such as metadata stripping or locked templates, to prevent sensitive information being inadvertently shared.
Australian Human Rights Commission, 2025
Between late March and early April 2025, the Australian Human Rights Commission discovered that files uploaded through its website forms had become publicly accessible. Attachments intended to support complaints and submissions – some of them containing highly sensitive information – were inadvertently available online and indexed by search engines.
The Commission emphasised that the incident was not the result of a malicious attack, but of a technical misconfiguration. Once the issue was identified, the Commission took down the files and contacted affected individuals.
The case shows how easily digital systems can fail if configuration changes or updates are not thoroughly tested. It also demonstrates that data breaches are not limited to email errors but can arise from any point where personal information is collected and stored.
ICO guidance on accidental breaches
Cases like these show that even experienced organisations can fall victim to simple mistakes. The ICO’s latest guidance on personal data breaches sets out clear steps for data controllers to prevent accidental breaches and respond effectively when they occur.
Accidental breaches are typically the result of disclosure to the wrong person. Common causes include:
- Misaddressed emails, often due to the autofill function.
- Failure to use bcc in bulk communications, exposing all recipients.
- Spreadsheets circulated without checking for hidden rows, columns or metadata.
- Files uploaded or shared without confirming access restrictions.
What to do when a breach occurs
The ICO is clear that speed and accuracy of response are critical. If a breach occurs, the first step should be to notify the data protection officer or nominated individual immediately.
Data controllers must then:
- Record the breach: Keep a full record of the facts, the effects and the remedial action taken, regardless of whether reporting to the ICO is required.
- Report to the ICO: Notify the regulator without undue delay and within 72 hours, where the breach is likely to affect individuals’ rights and freedoms.
- Notify individuals: Where the risk is high, those affected must also be informed promptly so they can take protective action.
Beyond these requirements, organisations should:
- Act swiftly to contain the breach, such as recalling emails or securing exposed files.
- Assess the risk and document the likely impact on individuals.
- Follow internal processes to ensure consistency of response.
- Investigate root causes and implement changes to prevent recurrence.
Why this matters
The human consequences of accidental breaches are not abstract either: in some cases, data breaches can put lives at risk.
In 2023, the ICO issued a warning after reprimanding seven organisations for data breaches affecting victims of domestic abuse, most of which related to the organisations disclosing the victims’ addresses to their alleged abusers.
Another high-profile case involved the UK Ministry of Defence, where a spreadsheet containing more than 30,000 resettlement applications from Afghan nationals was mistakenly emailed to an individual outside government. The MOD staff member believed they were sending data on just 150 individuals. The breach exposed names and contact details of people associated with British forces – a mistake that could have had fatal consequences for those affected.
Such incidents show why the ICO continues to stress that personal data breaches must be treated with urgency and seriousness. The updated guidance also includes practical resources, such as a checklist on securely disclosing documents and removing hidden information, aimed at reducing avoidable errors.
Reducing the human-error risk
The DBIR’s 60% statistic underlines the scale of the challenge. Most breaches are not the result of external attackers exploiting zero-day vulnerabilities, but of ordinary staff carrying out routine tasks. Preventing accidental disclosures requires a blend of policy, training and technical safeguards.
Organisations should consider:
- Email controls: Disable risky autofill features, enforce bcc for bulk mail, and implement pre-send warning systems to flag external recipients or bulk sends.
- File handling policies: Ensure staff check spreadsheets for hidden data before sharing. Use sanitisation tools to strip metadata and sensitive information.
- Access control reviews: Regularly audit permissions on shared drives, collaboration platforms and web applications to prevent accidental exposure.
- Testing and configuration management: Apply robust change control and testing procedures for any system that collects or processes personal data.
- Staff awareness training: Provide clear, practical training on how breaches occur, using real-world case studies such as the PSNI or MOD. Awareness is more effective when staff see the tangible consequences of mistakes.
- Incident readiness: Assume mistakes will happen and prepare accordingly. Have policies for reporting, containing and escalating incidents. Rehearse breach scenarios to test readiness and response times.
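The file-handling control above (and the hidden rows, columns, metadata and pivot tables mentioned in the PSNI and Department of Finance cases) can be partly automated as a pre-share check. The following is an added example, not code from this article, IT Governance or the ICO: it opens an .xlsx file as the zip-of-XML package it is and reports hidden sheets, hidden rows and columns, pivot cache parts (which keep a copy of the source rows even when the source sheet has been deleted) and the author recorded in the document metadata. It uses only the Python standard library. The sample workbook it inspects is constructed in memory for the demonstration and contains only the parts the check reads; it is not a real file from any incident, and the sheet names and author value are made up.

```python
"""Pre-share check for .xlsx workbooks: flag hidden sheets, hidden rows/columns,
pivot caches and author metadata before a file leaves the organisation.
An .xlsx file is a zip archive of XML parts, so no spreadsheet library is needed."""
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces of the parts inspected below
NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_DC = "{http://purl.org/dc/elements/1.1/}"
TRUE_VALUES = ("1", "true")  # OOXML booleans may be written either way


def inspect_xlsx(data: bytes) -> dict:
    """Return the hidden content and metadata found in an .xlsx byte string."""
    findings = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {},
                "pivot_caches": [], "author": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Hidden and "very hidden" sheets are declared in the workbook part.
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.iter(NS_MAIN + "sheet"):
                if sheet.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append(sheet.get("name"))
        for name in names:
            # Hidden rows/columns are attributes on <row> and <col> in each sheet part.
            if name.startswith("xl/worksheets/sheet") and name.endswith(".xml"):
                ws = ET.fromstring(zf.read(name))
                rows = [r.get("r") for r in ws.iter(NS_MAIN + "row")
                        if r.get("hidden") in TRUE_VALUES]
                cols = [f"{c.get('min')}-{c.get('max')}" for c in ws.iter(NS_MAIN + "col")
                        if c.get("hidden") in TRUE_VALUES]
                if rows:
                    findings["hidden_rows"][name] = rows
                if cols:
                    findings["hidden_cols"][name] = cols
            # A pivot cache part holds a copy of the pivot's source data.
            elif name.startswith("xl/pivotCache/"):
                findings["pivot_caches"].append(name)
        # The author (and other metadata) lives in the core properties part.
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            creator = core.find(NS_DC + "creator")
            if creator is not None:
                findings["author"] = creator.text
    return findings


def is_safe_to_share(findings: dict) -> bool:
    """True only when no hidden sheets, rows, columns or pivot caches were found.
    Author metadata is reported but, on its own, does not block sharing here."""
    return not (findings["hidden_sheets"] or findings["hidden_rows"]
                or findings["hidden_cols"] or findings["pivot_caches"])


def build_sample_xlsx(with_hidden_content: bool) -> bytes:
    """Constructed minimal workbook for the demonstration (test data, not a real file).
    Only the parts inspect_xlsx() reads are written; real files carry more parts."""
    sheet_state = ' state="hidden"' if with_hidden_content else ""
    hidden_attr = ' hidden="1"' if with_hidden_content else ""
    workbook_xml = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheets><sheet name="Summary" sheetId="1"/>'
        f'<sheet name="RawData" sheetId="2"{sheet_state}/></sheets></workbook>'
    )
    sheet_xml = (
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        f'<cols><col min="3" max="3" width="12"{hidden_attr}/></cols>'
        '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Supplier</t></is></c></row>'
        f'<row r="2"{hidden_attr}><c r="A2" t="inlineStr"><is><t>bid (constructed)</t></is></c></row>'
        '</sheetData></worksheet>'
    )
    core_xml = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
        'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
        '<dc:creator>a.analyst</dc:creator></cp:coreProperties>'  # made-up author value
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
        zf.writestr("docProps/core.xml", core_xml)
        if with_hidden_content:
            zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml",
                        '<pivotCacheDefinition xmlns="http://schemas.openxmlformats.org/'
                        'spreadsheetml/2006/main"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("risky workbook", True), ("clean workbook", False)):
        result = inspect_xlsx(build_sample_xlsx(flag))
        print(f"{label}: safe to share = {is_safe_to_share(result)}")
        for key, value in result.items():
            if value:
                print(f"  {key}: {value}")
```

In practice a check like this would run as a mail-gateway or upload-portal hook rather than as a script a busy member of staff has to remember; a finding should block the send and route the file to a sanitisation step (unhide or delete the content, remove pivot caches, clear document properties) rather than just warn. The same zip-of-XML approach extends to .docx and .pptx metadata, which live in the same docProps/core.xml part.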
The ICO guidance makes clear that a breach does not always have to be reported, but it must always be recorded. Even where the impact is judged to be low, organisations should use the opportunity to learn and strengthen controls.
How IT Governance, a GRC Solutions company, can help
The ICO’s updated guidance provides a clear framework for how data controllers should respond, from prompt containment and reporting to longer-term preventive action.
For organisations, the lesson is simple: people make mistakes, but those mistakes need not become disasters. With effective processes, appropriate safeguards and regular training, the risk of accidental disclosure can be reduced – and when breaches do occur, they can be managed in a way that protects individuals and preserves trust.
If you’re unsure about your practices and whether they comply with UK data protection law, our GDPR Gap Analysis service is the most comprehensive way to identify risks, prioritise remediation and demonstrate accountability.
It will assess your organisation’s compliance with the UK GDPR and DPA 2018 using our exclusive GDPR RADAR™ methodology.
You’ll get expert insight, a practical action plan and a detailed report you can share with stakeholders or regulators.
