Breaches of employee data surged to the highest level in at least six years, jumping by 14% in 2024.

According to an analysis by law firm Nockolds, reports to the Information Commissioner’s Office (ICO) of breaches of employee data jumped from 3,208 in 2023 to 3,679 in 2024. The number of reported breaches relating to employees’ data is at the highest level since at least 2019 when 3,010 breaches were reported to the ICO.

Nockolds claimed that the surge in remote working since the pandemic had made it more difficult for employers to have the same security protections in place across all devices. It also means more devices being transported, and potentially lost or stolen, increasing the risk of physical breaches alongside cyber-attacks.

Joanna Sutton, principal associate at Nockolds, said: “Remote working has introduced new cybersecurity challenges for organisations. Employees increasingly use personal devices and home networks that may lack robust security measures, increasing the risk of both accidental and malicious data breaches.”

The analysis also revealed that phishing attacks targeting employee data jumped by 56% over the past year, from 486 to 758. Phishing is a type of cyberattack in which attackers target employee data by impersonating legitimate sources like HR or IT to trick employees into revealing sensitive information or login credentials, or into clicking malicious links.

Sutton said breaches involving employee data could have serious repercussions for HR teams.

“Employers hold sensitive information on staff and bear a legal responsibility to safeguard it,” she added. “Unfortunately, the weak point in organisational defences is often employees, which is why phishing attacks which try to trick employees into disclosing private data are on the rise. The increase in such attacks suggests that training staff to recognise threats will need to go together with technical solutions, which means that HR will play a pivotal role.”

She said employee engagement was a crucial component of effective cybersecurity. It was very easy for robust defences to be compromised because staff were not familiar with cybersecurity protocols or were not complying with them, she said. “The rise in employee data breaches, particularly phishing attacks directed at staff, suggests that there would be value in enhanced and regular training for employees in response to emerging threats.”

Organisations that give higher priority to cybersecurity would have a much stronger legal defence in the event of a data breach, Nockolds advised. Employees were also likely to be more understanding of unauthorised access to their data if policies were regularly reviewed, updated and stress-tested.

