The key UK data breach statistics in one place — how many personal data breaches are reported to the ICO, how many businesses and charities are attacked each year, which organisations are hit hardest, and what a breach actually costs, with the data period stated next to every figure.

Reliable UK data breach figures are scattered across a handful of official releases: the Information Commissioner's Office (ICO) publishes a quarterly dataset of every personal data breach reported to it, the government's Cyber Security Breaches Survey measures how many businesses and charities are attacked each year, the Office for National Statistics (ONS) tracks computer misuse crime, and the National Cyber Security Centre (NCSC) reports on the incidents it handles at a national level. Add IBM's annual UK breach-cost research and you have the full picture — volumes, prevalence, sectors and costs.

This page brings the headline numbers from each of those sources together. It is scoped to breach volumes, sectors and costs; every figure carries its data period, and every source is linked in full at the end.

Key facts and figures

  • 3,600 personal data breach reports were made to the ICO in Q4 2025 — up 16% year on year.
  • 43% of UK businesses — around 612,000 firms — experienced a cyber breach or attack in the 12 months before the 2025/26 survey.
  • 69% of large UK businesses experienced a breach or attack in the same period, against 42% of micro firms.
  • 38% of UK businesses were hit by phishing in 2025/26 — the most common attack type by far.
  • £3.29 million — the average cost of a UK data breach in 2025.
  • £5.74 million — the average breach cost in UK financial services, the costliest sector in 2025.
  • 429 incidents were handled by the NCSC from September 2024 to August 2025; the 204 nationally significant cases were up 130% in a year.
  • 62,151 computer misuse offences were recorded by police in the year ending September 2025 — up 29%.

The headline measures at a glance:

MeasureLatest figureData periodTrend / detail
Personal data breach reports to the ICO3,600Q4 2025Up 16% year on year
UK businesses experiencing a breach or attack43% (~612,000 firms)2025/26 survey (published April 2026)Rises to 69% among large businesses
Businesses hit by phishing38%2025/26 surveyMost prevalent attack type; 25% of charities
Average cost of a UK data breach£3.29 million2025 (IBM report, July 2025)Financial services highest at £5.74 million
Incidents handled by the NCSC429 (204 nationally significant)Sept 2024 – Aug 2025Nationally significant incidents up 130%
Police-recorded computer misuse offences62,151Year ending Sept 2025Up 29% year on year

These are the latest figures available as of July 2026, and this page is updated as new data is released — the ICO's incident dataset refreshes quarterly, the Cyber Security Breaches Survey is published each spring, IBM's cost report each summer and the NCSC Annual Review each autumn.

How many data breaches are reported to the ICO?

3,600 personal data breach incidents were reported to the ICO in Q4 2025 — a 16% increase on the same quarter a year earlier. The ICO is the UK's data protection regulator, and UK GDPR requires organisations to report any breach likely to pose a risk to individuals within 72 hours of becoming aware of it; our 72-hour breach response guide covers that duty in detail.

In Q4 2025, 77% of reported incidents were non-cyber and 23% were cyber — for the detail on what sits behind the non-cyber category, and the role staff mistakes play in it, see our human error data breach statistics guide.

Three things stand out from the 2025 reporting data:

  • Most reported breaches are small. Just over 50% of the breaches reported in 2025 affected between one and nine people.
  • Most lead to no action. In around 70% of reported incidents in 2025 the ICO took no further action — organisations err on the side of caution and report incidents that turn out to be low risk.
  • Reporting is often slow. In 2025, 18% of organisations took up to a week to report a breach and a further 19% took more than a week — well outside the 72-hour expectation.

A note on the source: the ICO publishes these figures as downloadable CSV datasets — the quarterly data security incident trends dataset and the self-reported personal data breach cases dataset — rather than as a narrative report. Each report is broken down by quarter, incident type, sector and the number of people affected, and the datasets are refreshed quarterly, typically a quarter or so in arrears. Only a small minority of reported breaches end in enforcement; our ICO fine and enforcement statistics page tracks fines, reprimands and enforcement notices separately.

How many UK businesses experience a data breach or cyber attack?

43% of UK businesses — an estimated 612,000 firms — experienced a cyber security breach or attack in the 12 months before the 2025/26 survey, according to the Cyber Security Breaches Survey published on 30 April 2026. Among charities the figure was 28%, around 57,000 organisations.

The survey — run by Ipsos for the Department for Science, Innovation and Technology and the Home Office, with fieldwork between August and December 2025 — is the UK's official measure of breach and attack prevalence, and it has been repeated annually for a decade, which makes it the best series for tracking direction of travel.

Phishing was experienced by 38% of businesses and 25% of charities in 2025/26 — by far the most prevalent type of breach or attack, and the one organisations consistently rate as the most disruptive to deal with.

The survey also isolates the narrower subset of incidents that meet the Home Office definition of cyber crime. 19% of businesses (about 267,000) and 14% of charities (about 28,000) were victims of at least one cyber crime in the 12 months before the 2025/26 survey. Grossed up across the economy, that equates to roughly 5.19 million cyber crimes against UK businesses and 525,000 against charities in a single year — and 93% of the businesses that experienced a cyber crime were hit by phishing.

Which businesses and sectors are hit hardest?

69% of large businesses and 65% of medium businesses experienced a breach or attack in 2025/26, compared with 46% of small firms and 42% of micro firms. Exposure climbs steeply with size: bigger organisations hold more data, run more systems and present a bigger attack surface — but they are also more likely to have the monitoring in place to detect an incident at all, so some of the gap is better detection rather than worse luck.

By cost, financial services was the most expensive UK sector to suffer a breach in, at an average of £5.74 million per breach in 2025 — down 5% on the previous year, but still around 74% above the £3.29 million all-sector UK average in IBM's 2025 study. Heavily regulated, data-rich sectors sit at the top of the cost table because breaches there carry regulatory exposure, complex notification duties and higher customer-churn costs on top of the technical clean-up.

For sector-level counts of reported personal data breaches, the ICO's self-reported breach cases dataset is the canonical source: every report to the regulator is categorised by sector and incident type in the downloadable CSV, so sector league tables can be built directly from the official data rather than from vendor surveys.

How much does a data breach cost in the UK?

The average cost of a UK data breach was £3.29 million in 2025, according to IBM's Cost of a Data Breach Report 2025, published in July 2025. That figure covers detection, notification, response, lost business and regulatory exposure across substantial confirmed breaches at UK organisations.

Two findings from the 2025 UK study stand out. First, the sector gap: financial services averaged £5.74 million per breach in 2025, comfortably the costliest UK industry. Second, the technology gap: UK organisations making extensive use of security AI and automation had an average breach cost of £3.11 million in 2025, against £3.78 million for those without — and they identified breaches in 148 days and contained them in 42, versus 168 and 64 days respectively, a 42-day faster cycle overall.

Set against those seven-figure averages, the Cyber Security Breaches Survey 2025/26 found the median perceived cost of a business's most disruptive breach or attack was £0. The two figures measure different things. IBM studies serious, confirmed breaches — the incidents that trigger investigations, notification duties and lost business — while the government survey counts every breach or attack a business experienced, including the large majority (intercepted phishing emails, blocked malware) that carry no direct cost. Both are true at once: the typical incident costs nothing, and the serious one costs millions.

How serious is the UK's wider cyber threat picture?

The NCSC handled 429 incidents between September 2024 and August 2025, of which 204 were nationally significant — a 130% rise on the 89 nationally significant incidents of the previous year. Eighteen of those were rated highly significant, meaning they had a serious impact on central government, essential services, a large share of the population or the economy. The figures come from the NCSC's Annual Review 2025, published in October 2025, and they are the clearest official signal that the top end of the UK threat picture is escalating fast.

The household-level picture is more mixed. The Crime Survey for England and Wales estimated around 663,000 computer misuse incidents against individuals in the year ending June 2025 — down 30% year on year — while police recorded 62,151 computer misuse offences in the year ending September 2025, up 29%. Both series are published by the ONS in its Crime in England and Wales bulletin.

Those two numbers point in opposite directions because they measure different things. The crime survey estimates everything people experienced, whether or not they told anyone; the police series counts only what was reported and recorded, so it rises when reporting improves as well as when crime does. Read together with the ICO and NCSC data, the pattern for 2025 is fewer incidents against individuals, more recorded and reported incidents, and a sharply more serious picture at the organisational and national level.

Frequently asked questions

How many data breaches are reported to the ICO each year?

The latest quarterly figure is 3,600 personal data breach reports in Q4 2025, up 16% year on year. The ICO publishes the underlying data quarterly as downloadable CSV datasets, so annual totals are assembled from the four quarterly releases rather than published as a single headline.

What was the biggest data breach in the UK?

Among recent incidents, the 2023 Capita ransomware attack affected around 6.6 million people and led to a £14 million ICO fine in 2025 — the largest UK GDPR penalty since British Airways' £20 million fine in 2020 for a breach affecting more than 400,000 customers. Our GDPR fines statistics page has the full largest-fines table.

What is the average cost of a data breach in the UK?

£3.29 million in 2025, per IBM's Cost of a Data Breach Report, rising to £5.74 million in financial services. For the everyday incidents captured by the government's Cyber Security Breaches Survey 2025/26, the median cost of the most disruptive breach was £0 — most incidents are caught before they do costed damage.

Which sector has the most data breaches in the UK?

The ICO's quarterly CSV datasets categorise every reported breach by sector, and they are the official source for sector counts. On cost, financial services was the most expensive UK sector in 2025 at £5.74 million per breach; on prevalence, exposure rises with size — 69% of large businesses experienced a breach or attack in 2025/26 against 42% of micro firms.

Do all data breaches have to be reported to the ICO?

No. Only breaches likely to result in a risk to individuals' rights and freedoms must be reported, within 72 hours of the organisation becoming aware. In practice organisations over-report: the ICO took no further action in around 70% of the incidents reported in 2025. Our breach response guide explains the reporting test.

Are data breaches increasing in the UK?

By most measures, yes. ICO breach reports were up 16% year on year in Q4 2025, nationally significant NCSC incidents rose 130% in 2024/25, and police-recorded computer misuse was up 29% in the year ending September 2025. The one falling measure is survey-estimated computer misuse against individuals, down 30% in the year ending June 2025.

Sources & references

Most data breaches start with everyday handling mistakes — train your team to manage personal data safely and meet UK GDPR duties.

Explore the GDPR & Data Protection Course →
Mark McShane
Mark McShane
Health & Safety Training Specialist, Online CPD Academy

Mark writes about data protection, workplace compliance and accredited online training for GDPR & Data Protection Course, part of Online CPD Academy.