The recent Ministry of Defence data breach highlights persistent vulnerabilities in public sector data security efforts, while unrelenting ransomware and AI-driven attacks reveal structural weaknesses in wider cyber resilience

The digital battlefield is shifting quickly, and government services risk falling behind as attackers exploit every gap in their defences, leaving vital services exposed and data at risk. Human error, under-investment and structural weaknesses make public bodies low-hanging fruit for criminal groups and hostile states, whose toolkits are advancing rapidly, with artificial intelligence-powered attacks an increasing concern for organisations already struggling on a daily basis to keep pace with more traditional digital risks.

Ransomware is among the top threats. The high-profile 2024 attack on Synnovis, a pathology laboratory processing blood tests, led to the theft of patient data and severe operational disruption, contributing to at least one patient death due to delays in testing. Ransomware has disrupted local council services – from social care and waste collection, and schools were this year unable to process GCSE and A Level coursework as a result of attacks made during these critical periods.

The HMRC phishing scam in 2025 exposed a different kind of digital risk, resulting in £47 million being stolen when organised groups used stolen identity data from outside HMRC systems to impersonate taxpayers and manipulate accounts. While HMRC’s core systems were not breached, the incident revealed critical vulnerabilities in identity verification and fraud controls, highlighting an urgent need for enhanced digital risk management and security measures.

“It feels like cyber risk is accelerating away from public sector organisations’ ability to keep up,” says Chris Butler, resilience director at Databarracks, which provides managed services including data back-up, disaster recovery and business continuity planning. He notes an increasing level of engagement among senior leaders in the sector as they grapple with the threats.

“There’s an ever-greater realisation [of] these risks and the need to minimise the disruption they can cause,” he says. “That means looking at people and processes and running complex simulations.”

The unique structural and procedural challenges faced by public sector organisations make cyber security a tough risk to grapple with.

Alistair Clarke, UK cyber broking leader at Aon, whose team places cyber insurance and reinsurance for public sector organisations, cautions that bureaucracy can slow response and inhibit joined-up network security strategies. Leadership turnover following elections disrupts strategic planning and continuity, while resource constraints leave many organisations underprepared.

“Those structural issues, as well as a lack of funding, can make all of this really difficult,” Clarke says. “I’m sure they’re doing everything that they feel they can, but there are reasons why some organisations are more at risk than others.”

Clarke also highlights the dangers posed by new AI-powered threats. “They are finding ways to reach people at senior levels within organisations and present themselves as part of the organisation requesting funds,” he explains. “The technology is moving so quickly.”

Clarke also points to traditional cyber risks, particularly those caused by human error.
“You can risk manage some of that, but it’s difficult,” he says. “Human error and a lack of awareness are set against evolving cyber threats. Unfortunately, public sector organisations present themselves as low-hanging fruit: they have lots of data and in many cases there has been under-investment in their cyber security capabilities.”

Endemic data security issues

Device security remains a stubborn issue, with multiple departments reporting increases in lost or stolen equipment despite audits and mitigation efforts. Freedom of Information requests submitted by Apricorn earlier this year show more than 1,200 organisational devices lost or stolen across 17 departments in 2024, with HMRC alone accounting for 804, including 499 mobile phones – adding to mounting evidence of systemic security weaknesses at the tax authority. Many losses arose during audits of legacy equipment, exposing ongoing inventory management challenges. The House of Commons reported 100 devices lost or stolen, up from 65 the previous year. The Department for Education saw device losses climb from 78 in 2023 to 107 in 2024. The Department for Energy Security and Net Zero also reported an increase, from 122 lost devices in 2023 to 150 in 2024, while the Department for Science, Innovation and Technology disclosed 113 missing devices.

Apricorn’s FOI request also revealed continuing personal data breaches. The House of Commons reported 49 incidents in 2024, up from 41 the previous year. Both the Ministry of Justice and DfE refused to disclose breaches or reports made to the Information Commissioner’s Office, citing exemptions under Section 24(2) of the FOI Act.

The most recent high-profile incident to underscore the potential fallout from data security missteps came to light in July 2025, when a Ministry of Defence data breach from February 2022 was uncovered. An MoD official mistakenly emailed a spreadsheet containing personal details of around 18,700 Afghan applicants and their families. The breach was kept secret under a super-injunction until July 2025.

As a result, about 6,900 at-risk Afghans were secretly resettled under the Afghanistan Response Route, costing up to £850 million amid efforts to protect them from Taliban reprisals.

Improvement efforts

Despite all these incidents – and no doubt a number of un- or under-reported cases besides – efforts to combat these incidents abound, with initiatives launched by both the current and previous governments in an effort to stem the tide.

As the UK’s technical authority for cyber threats, and part of GCHQ, the National Cyber Security Centre monitors cyber incidents, provides early warnings, threat assessments, guidance and support to both the public and private sectors. The NCSC is the single point of contact for cyber incidents under UK and EU regulations, coordinating responses and cooperation nationally and internationally to mitigate cyber risks and protect critical infrastructure.

“We identify vulnerabilities, share threat intelligence, provide practical advice, and help organisations prepare for and respond to incidents,” says Jonathon Ellison, director for national resilience at the National Cyber Security Centre. Its Early Warning Service flags emerging threats, while the Cyber Assessment Framework provides guidance for managing cyber risks.

The National Audit Office, meanwhile, has published a Good Practice Guide for managing risks in government. Recommendations include establishing a strong leadership and risk culture, building capability and expertise while knowing when to bring in external assistance, and enabling “interdependent and interconnected risks to be identified and managed in a robust and integrated manner.”

Elsewhere, both the National Cyber Security Council and the Local Government Association have produced guidance, training and resources to help organisations understand risks and improve cyber resilience. And in July 2025, the government announced new measures designed to protect the sector against ransomware attacks, by officially banning payment of ransomware demands and introducing a mandatory reporting regime to help identify perpetrators.

Emphasising the need for a cultural shift, Ellison says cyber security should not be reduced to being seen as a cost, barrier or compliance issue, but framed as a “critical enabler for success”.

“As in other aspects of managing and delivering public services, sometimes an investment really can deliver much greater value than a cut,” he adds.

Local government

For local government specifically, the Ministry of Housing, Communities and Local Government runs a Cyber Support programme for local councils, a capability still conspicuously absent.

“Local councils have struggled with under-investment,” Clarke says, pointing to the persistent reluctance of councils and authorities to buy cyber insurance.

A separate FOI request by Apricorn underlines the scale of the gap. Of 41 local councils questioned, only two had a cyber insurance policy in place. The majority either declined to respond, confirmed they had no cover, or made clear they had no intention of investing in it. Suffolk County Council, which disclosed 334 breaches in the same request, said it manages cyber risk in-house.

This lack of cover exposes a structural weakness. Speaking at the British Insurance Brokers’ Association Conference in Manchester earlier this year, NCSC chief executive, Lindy Cameron, stressed that cyber insurance remains one of the few market-based levers for driving organisations to adopt stronger security controls and resilience measures. She said the sector could be a “force for good in making the UK the safest country in the world to do business”.

The catalogue of breaches and disruptions shows that when it comes to digital risk, the stakes are higher than ever for public sector organisations. These are the systems that keep the country running and protect its most sensitive data, underscoring the urgent need for stronger security, better leadership and a culture that takes resilience seriously.



This article was published in the Q3 2025 issue of CIR Magazine.

View as PDF

Contact the editor