Post Office Data Breach
Downtime Duration
55 days
Estimated Costs
£5000 individual payouts to victims.
Records Exposed
555 Postmasters
Operational Impact
- Names, Addresses and Contact Details leaked
- Post Office officially reprimanded by ICO
- Policy and Data mishandling exposed
Summary
Despite winning their lawsuit against the Post Office for their handling of the Horizon IT Scandal, UK postmasters were about to receive a bittersweet ending
Full Analysis
Summary
The Horizon IT scandal is arguably the largest miscarriage of justice in UK history, as the Post Office unfairly wrongfully accused postmasters of theft and fraud due to faults within their Horizon IT system. By 2019, 555 postmasters successfully brought a group action lawsuit against the Post Office and won £58 million in compensation. By 2024, with more wrongful convictions being overturned, overall compensation had reached £1 billion.
Unfortunately, incompetence tends to reemerge at the worst possible times.
In 2024, the Post office accidently published a legal document containing the personal details of the 555 postmasters involved with the initial lawsuit. Names, Addresses and contact details were now publicly available, turning what could have been a happy ending into something more bittersweet.
Entry Vector (What happened and How)
On the 25th April 2024, the Post office’s communication team accidently posted a legal document containing the unredacted details of the 555 postmasters that had joined the initial group action ligation against the post office in 2017. It remained publicly available on their corporate website until the 19th June 2024, where an external law firm notified the Post Office of the blunder, to which they removed the document (Ico.org.uk, 2025).
Recovery
After removing the document, the Post Office contacted Information Commissioner’s Office (ICO) to report their mistake, pending an investigation into their activities (Thomas and Espiner, 2024).
Impact
Technological
According to ICO, the following technological actions were taken by the Post Office following the breach;
- “Providing identity protection services, including 24 months of fraud monitoring and dark web surveillance.
- Contacting search engines and archives to remove cached versions of the document.
- Establishing an emergency working group to review the incident and improve internal controls.
- Creating a new documented policy for publishing information on its corporate website.” (Ico.org.uk, 2025).
Public Reaction
Public reaction was overly, and rightfully, negative of the data breach, with newspapers such as the Daily Mail writing scathing articles of the data mishandling. Many postmasters were enraged by the breach, calling out the Post office for their ‘disgusting incompetence’ (Greenhill, 2024).
Legal
ICO officially reprimanded the Post office for the data breach after their investigation found that they had failed to properly implement the right technological and organisational measures for such an event, such as a lack of documented policies or staff training on information sensitivity and publishing (Ico.org.uk, 2025).
The legal firm Freeths were able to secure payouts as compensation for the breach, with the Post office agreeing to individual payments of up to £5000, with victims able to pursue further claims if desired (Simpson, 2025).
The Seamless Solution
This is a unique case; This wasn’t a case of a malicious third-party using malware to infiltrate a system and encrypt data, but rather incompetence and systematic failure in the wake of one of the biggest scandals in UK history. Therefore, the solution is based on policy, rather than IT solutions.
Staff should be better trained to understand the sensitivity of the documents they are handling, and to doublecheck what they publish on the Post Office website. Likewise, they should also be trained on a dedicated official policy in the event something like the 2024 breach was to happen again so they can act quickly and decisively.
Conclusion
The Horizon IT scandal was a wakeup call to the Post Office that their systems were in dire need of updating. Unfortunately, they had yet to learn of the dangers of policy mishandlings and a lack of common sense.
This data breach only added insult to injury to countless Postmasters who had already gone through so much pain and trauma form being wrongfully accused and even convicted.
Sources
- Simpson, E (2025): Post Office data breach victims to get compensation. Online New Article Published by BBC.com: https://www.bbc.co.uk/news/articles/cje7wnd3j57o
- Thomas, D; and Espiner, T (2024): Post Office sorry after sub-postmaster data leak. Online New Article Published by BBC.com: https://www.bbc.co.uk/news/articles/cd110nl7dppo
- Greenhill, S (2024): Post Office publishes names and addresses of more than 550 people wrongfully convicted in the Horizon scandal on its website in ‘horrific’ potential data breach. Online New Article Published by DailyMail.com: https://mol.im/a/13547517
- Ico.org.uk (2025): Post Office reprimanded over Horizon IT scandal victims’ ‘entirely preventable’ data breach. Online News Article published by Ico.org.uk: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/post-office-reprimanded-over-horizon-it-scandal-victims-entirely-preventable-data-breach/