UK Government Two-Decade Data Breach Record

From HMRC's 2007 loss of 25 million records on 2 CDs, to the MoD's Afghan interpreter leak that got at least 49 people killed, to Electoral Commission hackers sitting in systems for 14 months with 40M voters' data, the UK government has a two-decade record of catastrophic data breaches with minimal accountability — used here as the case against the mandatory gov.uk One Login biometric digital ID.

The UK government's information-security track record from 2007 to 2026 is a long list of large-scale data breaches with minimal consequences for the responsible institutions — providing the core argument against trusting the same government to run the biometric **gov.uk One Login** / **BritCard** / **gov.uk Wallet** digital ID scheme.

## HMRC 2007 — the foundational disaster

- **25 million records** lost on **2 CDs sent via internal mail** (TNT post) from HMRC Waterview Park in Washington, Tyne and Wear to the National Audit Office.
- Data: names, addresses, children's DOBs, National Insurance numbers, bank and building society details.
- 7.25 million families claiming child benefit → **25M people total**.
- Password-protected but **easily crackable** (WinZip-level encryption).
- Sent by junior HMRC staff via **unrecorded internal mail**.
- Publicly disclosed 20 November 2007 by Chancellor Alistair Darling.
- HMRC chairman resigned.
- HMRC refused to strip bank details beforehand because it was 'too costly' — **the actual cost would have been £650**.
- Jeremy Clarkson published his bank details to prove it didn't matter — within days someone set up a fraudulent direct debit for £500 to a diabetes charity.

## MoD Afghan breaches — the most harmful

### September 2021 CC email

- An MoD official emailed Afghan interpreters hiding from the Taliban and **used CC instead of BCC**.
- **~250 names and email addresses** exposed to every recipient.
- £350,000 ICO fine.

### February 2022 spreadsheet leak

- **18,714 principal ARAP applicants plus family (~33,000 people total)**.
- Included names of special forces personnel and intelligence officers.
- Accidentally emailed outside the government system.
- MoD remained **unaware for 18 months** — discovered August 2023 when the data appeared in a Facebook group.
- Triggered the secret **Afghanistan Response Route (ARR)** resettlement scheme.
- Total estimated cost: **£850 million**.
- Actual relocations so far: ~900 principals + 3,600 family members, £400M spent with £850M projected total.
- Officials described it as 'likely the most expensive email ever sent.'
- **At least 49 Afghan relatives or colleagues killed in Taliban reprisals** linked to the leak (verified, though Fine Print / Andy didn't cite this specific figure).
- **87% of notified individuals** received direct threats to their safety.
- Nearly half reported direct threats to life.

## Northern Ireland PSNI — August 2023

- An FOI request was answered with a spreadsheet compiled by staff; a **hidden tab contained the surnames, first initials, ranks, departments and locations of all 9,483 PSNI officers and staff**.
- Data reached dissident Republican groups within days.
- Officers were forced to move house; some left the country.
- Chief Constable Simon Byrne resigned.
- **Compensation expected to exceed £119 million** (~£450 per household in Northern Ireland).

## Electoral Commission — 14 months inside

- Hackers sat in the systems for **14 months** with access to **40M voters'** data.
- Exploited Microsoft Exchange vulnerabilities for which patches had been available for months.
- Staff were still using the passwords assigned to them at hire.
- The Commission had **failed its own Cyber Essentials test** that year.
- ICO response: formal reprimand, **no fine**.

## Capita ransomware — March 2023

- The UK's **largest outsourcing company**.
- The security system flagged the intrusion within 10 minutes; target response time 1 hour; **actual response 58 hours**.
- 1TB stolen; **6.6M people across 325 pension schemes** affected.
- ICO: a single admin account had unrestricted network access. **Three separate pentests had flagged this exact vulnerability**; Capita never fixed it.
- ICO fined £14M (reduced from £45M).
- Weeks later Capita was found to have left benefits data in a publicly accessible cloud storage bucket (no password, no encryption).
- Government then awarded Capita a **£606M new contract** for DWP/Home Office/MoJ/DERA. The Chair of the Public Accounts Committee called it 'extraordinary.'
## Fujitsu + Post Office Horizon

- Fujitsu still runs the Police National Computer database.
- **Defective Horizon software** led to the wrongful convictions of **900+ postmasters** (one of the worst miscarriages of justice in UK history; dramatised in the 2024 ITV series *Mr Bates vs The Post Office*).
- The government has awarded Fujitsu **nearly 200 contracts worth £6.8B** since 2012.
- After announcing a 'voluntary bidding pause,' internal documents showed staff were given flow diagrams on how to keep bidding.

## Local councils

- **Hackney Council (Oct 2020)**: the Pysa ransomware gang got in through a dormant account whose username was also its password. 440K files encrypted. Residents' race/religion/sexual orientation/health/criminal history published on the dark web. Housing benefits stopped. Staff used pen and paper for over a year. £50M+ cost. ICO gave a reprimand only.
- **Leicester City (March 2024)**: 3TB stolen. Passport scans, driving licences, bank statements for up to 400K residents. Hackers compromised the central management system → the city's street lights stayed on 24/7 for weeks.

## Transport for London — September 2024

- Initially described as affecting 'some customer data.'
- A BBC investigation in early 2026 revealed the actual scope: **~10 million people**.
- All 30,000 TfL employees had to attend in-person appointments just to reset their passwords.
- £39M cost.
- ICO **cleared TfL** of wrongdoing.
- Two teenagers were arrested.

## Sheffield Council ANPR — April 2020

- A security researcher typed the system's IP address into a browser: **no authentication**.
- **8.6M records** of vehicle movements: number plates, timestamps, camera images of driver faces and pedestrians.
- The council's 32-page document on the ANPR system **doesn't contain the word 'privacy' once**.

## Pattern

1. A government or government-contracted entity loses massive amounts of sensitive data, sometimes lethally so (49+ Afghan deaths).
2. The ICO rarely imposes meaningful penalties (reprimand only, or fines paid by one government body to another).
3. Failed contractors get rewarded (Capita's £606M new contract weeks after the fine; Fujitsu's £6.8B despite Horizon).
4. Whistleblowers get marginalised (gov.uk One Login escalated for 3+ years).

See gov.uk One Login Digital ID for how this record intersects with the current biometric digital-ID scheme.
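Added example, not from the original page or from any of the organisations it describes: a pre-release check for the PSNI failure mode above (source data left in a hidden spreadsheet tab), which reads sheet visibility straight from the .xlsx package XML instead of trusting what the spreadsheet UI shows. The workbook it inspects is constructed inline; its sheet names and cell values are placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"

def audit_workbook(xlsx_bytes):
    """(name, state, cell_count) for every sheet, read from the package XML
    itself, so a tab hidden in the spreadsheet UI is still reported."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        target = {r.get("Id"): r.get("Target") for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
        findings = []
        for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter(f"{{{NS_MAIN}}}sheet"):
            state = sheet.get("state", "visible")  # visible | hidden | veryHidden
            ws = ET.fromstring(z.read("xl/" + target[sheet.get(f"{{{NS_REL}}}id")]))
            findings.append((sheet.get("name"), state, sum(1 for _ in ws.iter(f"{{{NS_MAIN}}}c"))))
    return findings

def release_blockers(findings):
    """Sheets that must be removed before the file leaves the organisation: any tab not visible."""
    return [name for name, state, _ in findings if state != "visible"]

def _sheet_xml(rows):
    cell = lambda r, i, v: f'<c r="{chr(65 + i)}{r}" t="inlineStr"><is><t>{v}</t></is></c>'
    body = "".join(f'<row r="{r}">' + "".join(cell(r, i, v) for i, v in enumerate(row)) + "</row>"
                   for r, row in enumerate(rows, 1))
    return f'<worksheet xmlns="{NS_MAIN}"><sheetData>{body}</sheetData></worksheet>'

def build_sample_xlsx():
    """Constructed workbook (not a real FOI file): a visible summary tab plus a hidden tab
    still holding per-person source data. Only the parts the auditor reads are written."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
                   '<sheet name="FOI response" sheetId="1" r:id="rId1"/>'
                   '<sheet name="Sheet2" sheetId="2" state="hidden" r:id="rId2"/></sheets></workbook>')
        z.writestr("xl/_rels/workbook.xml.rels", f'<Relationships xmlns="{NS_PKG}">' + "".join(
            f'<Relationship Id="rId{n}" Type="{NS_REL}/worksheet" Target="worksheets/sheet{n}.xml"/>'
            for n in (1, 2)) + "</Relationships>")
        z.writestr("xl/worksheets/sheet1.xml", _sheet_xml([["Rank", "Headcount"], ["Constable", "2"]]))
        z.writestr("xl/worksheets/sheet2.xml", _sheet_xml([["Surname", "Initial", "Rank", "Station"],
                   ["EXAMPLE", "A", "Constable", "Station X"], ["SAMPLE", "B", "Constable", "Station Y"]]))
    return buf.getvalue()

if __name__ == "__main__":
    found = audit_workbook(build_sample_xlsx())
    print(found, "blocked by:", release_blockers(found))  # blocked by: ['Sheet2']
```

The same check catches `veryHidden` sheets, which cannot be unhidden from the spreadsheet UI at all; a file that reports any blocker should be rebuilt from the visible tab only, not edited in place.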

This knowledge chunk is from Philosopher's Stone (https://philosophersstone.ee), an open knowledge commons with 90% confidence.