Post Office reprimanded over Horizon IT scandal victims' ‘entirely preventable’ data breach
- Date 3 December 2025
- Type News
The Information Commissioner’s Office (ICO) has issued a reprimand to Post Office Limited following a data breach that resulted in the unauthorised disclosure of personal information belonging to hundreds of postmasters involved in the Horizon IT scandal.
The breach occurred when the Post Office’s communications team mistakenly published an unredacted version of a legal settlement document on its corporate website. The document contained the names, home addresses and postmaster status of 502 people who were part of a group litigation against the organisation. It remained publicly accessible from 25 April to 19 June 2024, before being removed following notification from an external law firm.
When investigating the circumstances of this data breach, the ICO found that the Post Office had failed to implement appropriate technical and organisational measures to protect people’s information. There were no documented policies or quality assurance processes for publishing documents on the corporate website, and staff training was insufficient, with no specific guidance on information sensitivity or publishing practices.
“The people affected by this breach had already endured significant hardship and distress as a result of the Horizon IT scandal. They deserved much better than this.
“The postmasters have once again been let down by the Post Office. Our investigation highlighted that this data breach was entirely preventable and stemmed from a mistake that could have been avoided had the correct procedures been in place.
“Other organisations should take notice of this reprimand and apply its learnings, so they don’t find themselves making the same mistake. Data protection by design must be embedded into everyday operations so people’s information is handled appropriately.”
- Sally Anne Poole, ICO Head of Investigations
The ICO had initially considered imposing a fine of up to £1.094 million. However, it concluded that the data protection infringements identified did not reach the threshold of ‘egregious’ under its public sector approach, and a reprimand has been issued instead.
The ICO’s public sector approach focuses on raising data protection standards across the UK public sector. It prioritises early engagement and other enforcement tools such as warnings, reprimands, and enforcement notices, while issuing fines for only the most egregious breaches in the public sector.
Remedial action taken
Following the breach, the Post Office took a number of steps to mitigate the impact on affected people, including:
- Offering compensation to all people named in the settlement deed and affected by its publication, with payments made to the majority.
- Providing identity protection services, including 24 months of fraud monitoring and dark web surveillance.
- Contacting search engines and archives to remove cached versions of the document.
- Establishing an emergency working group to review the incident and improve internal controls.
- Creating a new documented policy for publishing information on its corporate website.
Lessons learned
This incident highlights the critical role everyone in an organisation plays in safeguarding personal information. The breach was not caused by malicious intent, but by a failure to follow basic data protection principles and to have the correct procedures in place.
Key lessons for organisations across all sectors include:
- Establish clear publication protocols: Sensitive documents should go through a formal review and approval process before being published online. A multi-step sign-off process can help prevent errors.
- Understand the data you handle: Every team, especially those handling public-facing content, must be trained to recognise personal information and assess its sensitivity in context. This includes understanding the reputational and emotional impact of disclosure.
- Centralise and classify documents: Use secure, shared repositories with clear access controls and classification labels. Avoid reliance on personal storage systems such as OneDrive and Google Drive.
- Define roles and responsibilities: Ensure that everyone involved in publishing content understands their role and the checks required before publication.
- Tailor training to the task: General data protection training is not enough. Teams need specific guidance on publishing protocols, data classification, and risk awareness.
The ICO encourages all organisations to review their internal processes, particularly those involving public communications, to ensure they meet the standards required under data protection law. Our data protection audit framework provides a useful starting point for organisations to assess their privacy management.