Current timestamp: 23/06/2026 09:25:50
AgeAlertAnonymousAppealsApplicationsApply Or RegisterArea OutlineArrow DownArrow LeftArrow RightArrow UpAutomatic DoorsBack ArrowBusinessCalendarCashArrow DownArrow LeftArrow RightArrow Down[Missing text '/SvgIcons/Symbols/Titles/icon-chrome' for 'English (United Kingdom)']ClockCloseContactDirectionsDocumentDownloadDrawDrugExpandExternal LinkFacebookFb CommentFb LikeFiletype DefaultFiletype DocFiletype PdfFiletype PptFiletype XlsFinance[Missing text '/SvgIcons/Symbols/Titles/icon-firefox' for 'English (United Kingdom)']First AidFlickrFraudGive FeedbackGlobeGuide DogHealthHearing ImpairedInduction LoopInfoInstagramIntercom[Missing text '/SvgIcons/Symbols/Titles/icon-internet-explorer' for 'English (United Kingdom)']LaptopLiftLinkedinLocal Activity[Missing text '/SvgIcons/Symbols/Titles/icon-location' for 'English (United Kingdom)']LoudspeakerLow CounterMailMapMap PinMembershipMenuMenu 2[Missing text '/SvgIcons/Symbols/Titles/icon-microsoft-edge' for 'English (United Kingdom)']Missing PeopleMobility ImpairmentNationalityNorth PointerOne Mile RadiusOverviewPagesPaper PlaneParkingPdfPhonePinterestPlayPushchairRefreshReportRequestRestart[Missing text '/SvgIcons/Symbols/Titles/icon-rotate-clockwise' for 'English (United Kingdom)']Rss[Missing text '/SvgIcons/Symbols/Titles/icon-safari' for 'English (United Kingdom)']SearchShareSign LanguageSnapchatStart AgainStatsStats And Prevention AdviceStopSubscribeTargetTattosTell Us AboutTickTumblrTwenty Four HoursTwitter LikeTwitter ReplyTwitter RetweetUploadVisually ImpairedWhatsappWheelchairWheelchair AssistedWheelchair ParkingWheelchair RampWheelchair WcYoutubeZoom InZoom Out

Leave this site

Skip to main content

Skip to main navigation

Welcome

This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.

FOI 0200-2025/26- Data breaches

Request:

Clarification

To clarify, Q1b) is in relation to Q1 not Q1a.

Original request

Q1. The number of data breach incidents the force has had in the last three years (Broken down by financial years  2022/23, 2023/24 and 2024/25)

Q1a) Of those, how many were cyber incidents? (Broken down by years as above)

Q1b) Can these be broken down by year and by incident type? E.g. instances where data was emailed to the incorrect recipient or cases of loss/theft of devices containing personal data etc.? (Broken down by years as above)

Q2. How many compensation claims have been brought against the force for data breaches in the last three years (Broken down by financial years  2022/23, 2023/24 and 2024/25)

Q2a) Of those, how many were settled with compensation and how many were refused?

Q2b) How much has the force paid out in compensation for data breach claims in the last three years? (Broken down by years as above)

Response: 

Extent and Result of Searches to Locate Information

To locate the information relevant to your request searches were conducted within North Yorkshire Police.

I can confirm that the information you have requested is held by North Yorkshire Police. 

Decision

I have today decided to disclose the following information to you.

Q1 & Q1b. Please see the table below showing the total number incident reports recorded relating to data breach incidents, broken down by calendar years and type of breach. North Yorkshire Police have noted your preference in receiving this information in financial years however, the data has been provided in calendar years as this is our method of recording

Year

Email sent to wrong recipient

Lost items

Total

2022

37

55

92

2023

45

28

73

2024

43

43

86

2025 up to 06/06

28

14

42

Total

153

140

293

Please note that this does not include data quality incidents as we would not constitute these as data breaches as these are contained or dealt with at source before they potentially become a data breach.

Further to the above, North Yorkshire Police neither confirms nor denies whether any other information in relation to cyber related incidents is held by virtue of Section 31(3) – Law Enforcemnet and Section 24(2) – National Security. Please see the exemption explanation below.

Q1a. North Yorkshire Police can neither confirm nor deny whether information relevant to this part of the request is held, as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions: Section 31(3) – Law Enforcemnet and Section 24(2) – National Security. Please see the exemption explanation below.

Q2. Q2a.Q2b. Please see the table below showing the number of data breach claims where files were opened within the requested timeframe, broken down by financial years and if compensation was given or not.

Financial Years

No: of compensations claims brought against the Chief Constable of North Yorkshire Police for alleged data breaches

No: of such claims where compensation was paid

No: of such claims where liability was denied

Total amount of compensation paid for such claims

2022/23

6

6

0

£25,440

2023/24

2

2

0

£5,000

2024/25

4

0

4

£0

TOTAL

12

8

4

£30,440

*Please note this does not necessarily mean that the alleged breach took place in those financial years.

Further to the above, North Yorkshire Police neither confirms nor denies whether any other information in relation to cyber related incidents is held by virtue of Section 31(3) – Law Enforcemnet and Section 24(2) – National Security. Please see the exemption explanation below.

Exemption Explanation

Section 31(3) and 24(2) are prejudice based qualified exemptions and any prejudice (harm) that confirming or denying information is held would cause must be articulated as well as the public interest considerations.

Harm in Confirming or Denying that Information is held

To confirm or deny whether any further information is held in respect of successful cyber attacks resulting in Data Breaches would provide actual knowledge that where an attempt has been made, it has or has not been successful. Confirming that such information is not held may assist potential attackers by indicating that an attack had gone undetected. Equally, confirming information is held would enable understanding of where attacks have been successful, and possible weaknesses exist. Attackers may then be able to tailor their methods to increase their chances of success.

To confirm or deny whether information is held in respect of any leaked data as a result of an attack would, in effect, confirm that there had been successful cyber attacks made against the force, which would present harm as detailed above.

Furthermore, in order to counter criminal and terrorist behaviour it is vital that the police and other agencies have the ability to work together, where necessary covertly, in order to obtain intelligence within current legislative frameworks to ensure the arrest and prosecution of offenders who commit or plan to commit acts of terrorism, whereby their modus operandi may involve cyber attacks on secure databases. In order to achieve this goal, it is vitally important that information sharing takes place with other police forces and security bodies within the United Kingdom in order to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime. To confirm or deny specific details of any breaches of information technology and security would be extremely useful to those involved in terrorist activity as it would enable them to map vulnerable information security databases.

Public Interest Considerations

Section 24(2) National Security

Factors in favour of confirming or denying that information is held

The public are entitled to know how public funds are spent and how resources are distributed within an area of policing.  To confirm information is held regarding successful cyber-attacks causing Data Breaches would enable the general public to hold North Yorkshire Police to account ensuring all such breaches are recorded and investigated appropriately.  With the call for transparency of public spending this would enable improved public debate.

Factors against confirming or denying that information is held

Security measures are put in place to protect the community we serve.  As evidenced within the harm to confirm whether any cyber-attacks have been successful would highlight to terrorists and individuals intent on carrying out criminal activity vulnerabilities within North Yorkshire Police which could be further exploited.

Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed.  To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.

Irrespective of what information is or isn’t held, the public entrust the Police Service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.

The cumulative effect of terrorists gathering information from various sources would be even more impactive when linked to other information gathered from various sources about terrorism.  The more information disclosed over time will give a more detailed account of the tactical infrastructure of not only a force area but also the country as a whole.

Any incident that results from such a disclosure would, by default, affect National Security.

Section 31 – Law Enforcement

Factors favouring confirming or denying that information is held

Confirmation that information exists relevant to this request would lead to a better informed public which may encourage individuals to provide intelligence in order to reduce such security breaches.

Factors against confirming nor denying that information is held.

Confirmation or denial that information is held in this case would suggest North Yorkshire Police take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately. 

Balancing Test    

The points above highlight the merits of confirming or denying the requested information exists. The Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve.  As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity. Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country at an increased level of danger. 

In addition anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the Police Service.  Therefore, at this moment in time, it is our opinion that for these issues the balance test favours neither confirming nor denying that information is held.

Pursuant to Section 17(4) of the Act this letter also acts as a refusal notice in relation to the duty to confirm or deny.

Please note that systems used for recording information are not generic, nor are the procedures used locally in capturing the data.  It should be noted therefore that this force’s response to your questions should not be used for comparison purposes with any other responses you may receive.