> pattern.update.2026 —— target: UK Government —— period: May 2024 – April 2026 —— new_breaches: MULTIPLE —— pattern_broken: NO —— getting_worse: YES
In November 2023, we published the first of two articles examining the UK Government's fifteen-year history of data breaches — a pattern of systemic failure spanning every department, agency, and tier of government. In May 2024, we published our six-month update, documenting the MOD payroll hack, the PSNI civil claims reaching an estimated £140 million, and the Electoral Commission receiving only a reprimand for exposing 40 million voters' data. We concluded with a prediction: until the incentives change, the pattern will not break.
We were right. In the twenty-three months since our last update, the pattern has not merely continued — it has intensified to an extent that would be difficult to believe if the evidence were not so thoroughly documented. The Legal Aid Agency suffered one of the most sensitive data breaches in UK history, exposing 18 years of applicant data including criminal histories and domestic abuse records. HMRC lost £47 million to a basic phishing attack. The Government's own flagship digital identity system lost its security certification. The Foreign Office was hacked by a suspected Chinese state actor. Four London councils were breached simultaneously. And a secret Cabinet Office review — which found the exact same recurring weaknesses we had identified in our public analysis — was kept from the public for over a year.
Today, we catalogue the full scope of UK Government data failures since our last update, assess what they reveal about the state of public sector security in 2026, and update our assessment of what it would take to break the cycle. We approach this update with no satisfaction in having been proven correct — only frustration that the warnings continue to go unheeded.
| Date | Department / Body | Incident | Impact |
|---|---|---|---|
| April 2025 | Legal Aid Agency (Ministry of Justice) | A criminal group hacked the LAA's digital services, accessing and downloading a significant amount of personal data from applicants dating back to 2007. The breach was discovered on 23rd April but not confirmed as extensive until 19th May. Systems were taken offline. The LAA's IT systems had been described as 'too fragile to cope' and 'antiquated' for years prior. | Potentially millions of legal aid applicants affected over an 18-year period. Exposed data includes names, addresses, NI numbers, dates of birth, criminal history, employment status, financial data, and information about applicants' partners. Described in Parliament as 'one of the most sensitive data breaches in UK history.' Group Litigation Orders being organised. Systems not fully restored until December 2025 — seven months of disruption. |
| May 2025 | GOV.UK One Login (Government Digital Service) | The Government's flagship digital identity system — with 6 million users accessing over 50 government services — lost its certification against the Government's own Digital Identity and Attributes Trust Framework. A whistleblower from GDS raised concerns about data protection shortcomings after internal warnings were ignored. | The system complied with only 21 of 39 NCSC Cyber Assessment Framework outcomes at the time of the failure — up from just 5 previously, but still representing systematic non-compliance with the Government's own security standards. The Cabinet Office had warned GDS about 'serious data protection failings' as early as November 2022. The NCSC had flagged 'significant shortcomings' in September 2023. The warnings were ignored. |
| June 2025 | HMRC | A phishing attack compromised 100,000 taxpayer accounts. Criminals used stolen personal information to create fake PAYE accounts and claim fraudulent tax repayments. This was not a sophisticated technical attack — it exploited basic social engineering against a system with inadequate authentication controls. | £47 million stolen from the public purse. 100,000 taxpayers directly affected. A basic phishing operation — the most common and well-understood attack vector in cyber security — was sufficient to bypass HMRC's defences. The department that collects the nation's taxes could not protect the nation's taxpayers from a commodity attack. |
| October 2025 | Foreign, Commonwealth & Development Office | A system operated by the FCDO on behalf of the Home Office was hacked. The breach was attributed to a Chinese state-backed group tracked as Storm-1849, exploiting vulnerabilities in Cisco networking equipment. Visa application data was potentially accessed. | A suspected nation-state attack on the Foreign Office, the department responsible for the UK's international relationships. Trade minister Chris Bryant confirmed the hack publicly in December 2025. The incident followed an NCSC warning in September 2025 about Cisco ASA vulnerabilities, a warning that evidently did not prevent the breach. |
| November 2025 | London Councils (Kensington & Chelsea, Hackney, Westminster, Hammersmith & Fulham) | Four London borough councils suffered cyber attacks in quick succession. Three of the four shared an IT service, creating a single point of compromise. Westminster Council admitted that potentially sensitive data had been copied from its systems. | Local government services disrupted across four boroughs serving hundreds of thousands of Londoners. The NCSC launched an investigation. The shared IT service, intended to reduce costs, had become a shared vulnerability, illustrating the supply chain risk we identified in our original analysis. |
| 2025 | Oxford City Council | Election workers' personal data stolen in a cyber breach of the council's systems. | Yet another local authority breach, adding to the pattern established by Leicester City Council's 1.3 TB ransomware exposure in 2024. |
| 2025 | Cabinet Office (secret review revealed) | A secret review commissioned in 2023 after the PSNI breach examined high-profile data breaches across HMRC, the Metropolitan Police, the MOD, the benefits system, and cases involving Afghan nationals, child sexual abuse victims, and disability claimants. The review found recurring weaknesses — then was kept from the public. | The review found exactly what we found: lack of controls over ad hoc downloads and bulk exports, email mishandling, BCC failures, and inadequate data handling processes. The fact that the Government identified these patterns internally, documented them in a review, and then kept the review secret rather than acting transparently on its findings, tells you everything you need to know about the culture of accountability in Whitehall. |
The LAA breach deserves particular attention because of the extraordinary sensitivity of the data compromised. Legal aid applicants are, by definition, amongst the most vulnerable people in society: they include victims of domestic abuse seeking protection orders, asylum seekers fleeing persecution, defendants in criminal proceedings, and families in child custody disputes. The exposure of their criminal histories, financial details, and personal circumstances, in some cases dating back 18 years, represents a category of harm that goes beyond financial fraud or identity theft. For domestic abuse survivors whose former partners can now potentially learn their current addresses and circumstances, this breach is not an inconvenience. It is a safety crisis. And it was enabled by IT systems that the Law Society had publicly warned were 'too fragile to cope', warnings that were documented, published, and ignored.
Perhaps the most damning revelation of the past two years is the existence of the Cabinet Office's secret review into Government data breaches — commissioned in 2023 after the PSNI incident, completed and kept confidential, and only revealed publicly in September 2025 after sustained pressure.
The review examined breaches across HMRC, the Metropolitan Police, the MOD, the benefits system, and cases involving Afghan nationals, child sexual abuse victims, and disability claimants. Its findings were remarkably consistent with our own analysis published in November 2023: lack of adequate controls over ad hoc downloads and bulk exports of sensitive information; mishandling of email communications including repeated failures to use BCC; inadequate training and processes for handling sensitive data; and insufficient technical safeguards to prevent human error from becoming data exposure.
The fact that the Government conducted this review, identified these findings, and then kept them secret is more revealing than the findings themselves. A Government that was serious about improving its data protection practices would have published the review, shared the findings across all departments, and mandated remediation with defined timeframes and accountability. Instead, it buried the evidence of its own failings — a decision that is consistent with a culture of managing embarrassment rather than managing risk.
When our November 2023 analysis identified the same patterns of failure, we were working from publicly available information. The Cabinet Office had access to far more detailed evidence — and reached the same conclusions we did. The difference is that our analysis was published and theirs was concealed.
The GOV.UK One Login certification failure deserves extended analysis because it illustrates the systemic nature of the problem in a particularly stark way. This is not a legacy system inherited from a previous era of Government IT. It is the Government's current flagship digital identity platform — built from scratch, heavily promoted, and positioned as the foundation of digital government services. And it could not meet the Government's own security standards.
Warnings about the system came from the Cabinet Office in November 2022 ('serious data protection failings'), from the NCSC in September 2023 ('significant shortcomings in information security'), and from a GDS whistleblower who escalated concerns to an MP after internal inaction. At the time of its certification failure, the system complied with only 21 of 39 NCSC Cyber Assessment Framework outcomes. The Inclusion and Privacy Advisory Group, which had provided input on accessibility and privacy, was quietly disbanded in early 2025.
If the Government cannot build a new digital identity system that meets its own security standards — despite explicit, documented, repeated warnings from its own security agencies — then the notion that Government can be trusted to protect the personal data of the entire population through any centralised system must be fundamentally questioned. Independent polling shows that 63% of the British public already do not trust the Government with their data. The One Login failure suggests they are right not to.
The breaches of 2024–2026 are qualitatively different from many earlier incidents in three important respects.
Our original estimates from November 2023 — that systematic penetration testing would reduce breach risk by 55–65% and Cyber Essentials Plus compliance would reduce it by 50–60% — were based on the assumption that the majority of Government breaches were caused by well-understood, identifiable, remediable technical and procedural weaknesses. The events of the past two years have confirmed this assumption emphatically.
Our estimates remain unchanged — not because they require no revision, but because the nature of the failures has not changed. The breaches of 2024–2026 are caused by the same categories of weakness that caused the breaches of 2007–2023: unpatched systems, inadequate authentication, absent monitoring, legacy technical debt, human error in data handling, and contractor supply chain failures. The controls we recommended two and a half years ago would address these weaknesses today just as effectively as they would have then. The problem is not that the controls are unknown. The problem is that they are not implemented.
There is one genuinely new development since our last update, and it is not encouraging. The LAA breach — and the Parliamentary debate that followed — introduced a new dynamic into the Government's response to data breaches: the weaponisation of blame between successive administrations.
In the Commons debate on the LAA breach, the Minister stated that the breach was 'made possible by the long years of neglect and mismanagement of the justice system under the last Conservative Government.' The Opposition responded that 'the primary responsibility lies with the despicable criminals who carried it out.' Both statements contain elements of truth. Neither addresses the systemic factors that produce Government data breaches regardless of which party holds office.
The HMRC child benefit loss occurred under Labour. The NHS hard drive breaches occurred under the Coalition. The Electoral Commission breach occurred under the Conservatives. The Legal Aid Agency breach occurred under Labour. The pattern transcends party politics. It is a structural characteristic of UK Government IT — a product of chronic underinvestment, decentralised governance, cultural complacency, and regulatory asymmetry that persists regardless of the colour of the Government benches. Until all parties acknowledge this and commit to cross-party, sustained, funded reform of Government data handling, the blame game will continue whilst the breaches continue alongside it.
Our recommendations remain fundamentally unchanged from our November 2023 and May 2024 analyses — because the failures they address remain fundamentally unchanged. We repeat them not because we enjoy repetition, but because repetition is the only appropriate response to a Government that has heard the same advice for two and a half years and has not acted on it.
| Recommendation | Status Since 2023 |
|---|---|
| Mandate CE+ for all Government departments | NOT IMPLEMENTED. The Government still requires CE+ of its suppliers but not of itself. The LAA's systems would have failed any CE+ assessment. GOV.UK One Login meets only 21 of 39 NCSC framework outcomes. |
| Commission annual penetration testing for every department | NOT SYSTEMATICALLY IMPLEMENTED. The LAA's 'antiquated' systems were not adequately tested. The FCDO's Cisco vulnerabilities were publicly known but evidently not identified through proactive testing. |
| Apply equal ICO enforcement to public and private sectors | NOT IMPLEMENTED. The regulatory asymmetry persists. The Electoral Commission received a reprimand for 40 million voters' data. The public sector continues to face lighter consequences than the private sector for equivalent breaches. |
| Centralise security standards and oversight | PARTIALLY IMPLEMENTED. The Cabinet Office conducted a review — and kept it secret. The NCSC provides guidance but lacks enforcement authority. No single body has the power to mandate, audit, and enforce security standards across all departments. |
| Invest in replacing legacy systems | PARTIALLY IMPLEMENTED. £20 million allocated for LAA system stabilisation — after the breach, not before. The pattern of investing in remediation rather than prevention continues. |
| Implement automated data handling safeguards | INSUFFICIENT PROGRESS. The Cabinet Office review found that ad hoc downloads, email mishandling, and BCC failures remain recurring problems across Whitehall — the same human-error categories we identified in 2023. |
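The two recurring weaknesses that the Cabinet Office review found across Whitehall, ad hoc bulk exports and mass mailings that exposed every recipient because BCC was not used, are precisely the human errors a pre-send check can catch before they become a breach. The Python below is an added illustration written for this update, not code from any government department or from the review: the internal domain, the thresholds, the approval record and the sample messages are all assumptions constructed for the example.

```python
"""Outbound-handling safeguard: flags BCC failures and unapproved bulk exports
before a message leaves the organisation.

Added illustration only. Not code from any UK Government department; the
domains, thresholds and sample messages below are assumptions.
"""

from dataclasses import dataclass, field
from email.utils import parseaddr

# Assumptions: the organisation's own mail domains and the policy thresholds.
INTERNAL_DOMAINS = {"example.gov.uk"}
MAX_VISIBLE_EXTERNAL = 5       # more than this in To/Cc looks like a mass mailing
BULK_EXPORT_ROW_LIMIT = 500    # records allowed in an attachment without sign-off


@dataclass
class OutboundMail:
    sender: str
    to: list[str] = field(default_factory=list)
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    # attachment name -> number of records it contains (e.g. CSV rows)
    attachments: dict[str, int] = field(default_factory=dict)
    # attachment names for which a bulk-release approval has been recorded
    approved_exports: set[str] = field(default_factory=set)


def is_external(address: str) -> bool:
    """True when the address does not belong to one of our own domains."""
    _, email = parseaddr(address)
    domain = email.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def check_outbound(mail: OutboundMail) -> list[tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the message may be sent."""
    findings: list[tuple[str, str]] = []

    # BCC failure: many external recipients visible to each other in To/Cc.
    visible = [a for a in mail.to + mail.cc if is_external(a)]
    if len(visible) > MAX_VISIBLE_EXTERNAL:
        findings.append(("BCC_FAILURE",
                         f"{len(visible)} external recipients visible in To/Cc; "
                         "each would see the others' addresses. Move them to Bcc."))

    # Bulk export: a large record set leaving without a recorded approval.
    for name, rows in mail.attachments.items():
        if rows > BULK_EXPORT_ROW_LIMIT and name not in mail.approved_exports:
            findings.append(("BULK_EXPORT",
                             f"{name} holds {rows} records, above the "
                             f"{BULK_EXPORT_ROW_LIMIT}-record limit, with no recorded approval."))

    return findings


# Constructed samples (not real messages, recipients or files).
EXTERNAL_APPLICANTS = [f"applicant{i}@mail.example" for i in range(8)]

# A mass mailing with every recipient visible in To: the classic BCC failure.
BAD_MAILING = OutboundMail(sender="casework@example.gov.uk", to=EXTERNAL_APPLICANTS)

# The same mailing done correctly: recipients in Bcc, the team's own address in To.
GOOD_MAILING = OutboundMail(sender="casework@example.gov.uk",
                            to=["casework@example.gov.uk"], bcc=EXTERNAL_APPLICANTS)

# An ad hoc export of 1,200 applicant records sent to a single contractor.
UNAPPROVED_EXPORT = OutboundMail(sender="analyst@example.gov.uk",
                                 to=["contractor@supplier.example"],
                                 attachments={"applicants_2007_2025.csv": 1200})

# The same export, but with sign-off recorded for the file.
APPROVED_EXPORT = OutboundMail(sender="analyst@example.gov.uk",
                               to=["contractor@supplier.example"],
                               attachments={"applicants_2007_2025.csv": 1200},
                               approved_exports={"applicants_2007_2025.csv"})

if __name__ == "__main__":
    samples = [("bad mailing", BAD_MAILING), ("good mailing", GOOD_MAILING),
               ("unapproved export", UNAPPROVED_EXPORT), ("approved export", APPROVED_EXPORT)]
    for label, mail in samples:
        print(label, check_outbound(mail) or "OK")
```

The check belongs wherever an outbound message can still be held, such as a mail gateway or transport-rule hook. It is deterministic, so a refused message can be explained to the sender in plain terms, and the approval set is the natural place to record the sign-off that a bulk release of applicant data should always require.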
There is an aphorism, often misattributed to Einstein, that the definition of insanity is doing the same thing over and over again and expecting different results. By this definition, the UK Government's approach to data security is insane. The same categories of failure recur. The same recommendations are made. The same promises of improvement are issued. And the same breaches follow — year after year, department after department, administration after administration.
Since we began this analysis in November 2023, the Legal Aid Agency has been catastrophically breached — exposing the criminal histories and personal details of the most vulnerable people in the justice system. HMRC has lost £47 million to a basic phishing attack. The Government's flagship digital identity system has failed its own security certification. The Foreign Office has been hacked by a suspected state actor. Four London councils have been compromised simultaneously. And a secret Cabinet Office review found the exact same weaknesses we publicly identified — and was suppressed rather than published.
We will continue to update this analysis, because the pattern will continue to produce new material. We will continue to recommend penetration testing, Cyber Essentials Plus certification, device encryption, automated data safeguards, equal regulatory enforcement, and cultural change — because these measures would prevent the majority of the breaches that continue to occur. And we will continue to note, with diminishing surprise and increasing frustration, that the Government demands security standards of its suppliers that it refuses to meet itself.
The data the Government holds belongs to the people of this country. Twenty years of breaches demonstrate that the people's custodian has not earned the people's trust. Today, in April 2026, with the wreckage of the Legal Aid Agency breach still being cleared, with HMRC still recovering £47 million, with GOV.UK One Login still failing to meet its own standards, and with the Cabinet Office still sitting on a secret review of its own failures — we see no evidence that this is about to change.
We hope — more in stubborn optimism than in realistic expectation — that this will be the last update we need to write.
From penetration testing that identifies the vulnerabilities that Government systems continue to harbour, to Cyber Essentials Plus certification that verifies the baseline controls the Government mandates for its suppliers but not for itself — Hedgehog Security helps organisations meet the standard of data protection that the public deserves, even when the Government won't.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.