A tale of two data breaches
Two Data Breaches
Here is a comparison of two data breaches that were discovered around the same time, in October 2025 in two different Councils, South Glos Council and Bristol City Council.
Residents whose personal data was exposed
In both of these breaches, the names and contact details (email, or telephone number) were disclosed when they should not have been.
In the South Glos Breach the personal details were linked to a consultation about their Local Plan.
In the Bristol City Council Breach the personal details were linked to reports made by residents about road safety problems and suggested improvements.
In both these cases, the personal details of the submitters were confidential and should not have been published for everyone in the world to see.

Days that personal data was exposed

Action Taken

See: Hundreds of residents' details shared in data breach
ICO Notification
Bristol City Council: IC-435729-F4H9
South Glos Council: Reference Unknown
Where has this information about the BCC data breach come from?
I know the details behind the BCC data breach because I was the person who discovered it. I didn't hack their systems, I just accessed the open data that is published by BCC and available to anyone.
I take open data published by Bristol City Council to analyse the data and provide insights to Bristol residents.
I was analysing the data from the "Street Improvements", and "Walking and Cycling Improvements" survey tools where residents are invited to submit reports.
During my analysis, I discovered that personal details (name and e-mail) were being published. This was clearly a data breach. I had previously made a report using this tool and my personal details were included in this data breach

- I informed BCC of the data breach on 03/10/2025.
- BCC then disabled the tools so that the data could no longer be accessed.
- BCC enabled to their new Tooling for Street Improvements Reporting.
- But the new tool also exposed the same data as the old tools.
- I informed BCC that they had the same problem with the new reporting tool.
- BCC disabled the new tool.
- BCC fixed the new tool.
Why is this important?
The personal data on the BCC tools was probably available for anyone to access for 6 years.
If this data had been accessed by scammers then it could have been used to contact the individuals who had logged reports.
See: A - Z of Cyber Crime and Fraud
There could have been information in some reports that referred to sensitive data (e.g. disabilities) that were linked to the individuals name and contact details.
There is no evidence that this data was used to facilitate any crimes and it is possible that I was the only person who discovered that this personal data was available.
But, with the growing use of AI tools anyone can discover for this type of personal data without having to have any specialist knowledge or skills. This means it is even more important than ever that people's personal data is properly secured.
The comparison of these 2 data breaches shows that the BCC attitude to transparency falls well below the standard that South Glos have shown.
ICO Response
Data Source: Personal data breach cases - data sets
BCC reported this data breach to the ICO on 10/10/2025
The ICO completed their investigation/assessment on 25/03/2026 (this took over 5 months)
The ICO published the information about this data breach in July 2026.

The ICO took informal action and gave advice to BCC.
I can only assume that the ICO assessed this breach as low risk and did not require BCC to contact individuals whose personal data was disclosed.
See: When do we need to tell individuals about a breach?

If the ICO do not require an organisation to notify impacted individuals, then they can still choose to notify people themselves, as South Glos did for their much smaller data breach.
The ICO have been dealing with a large backlog, whish is probably why it took them over 5 months to assess the self reported data breach.
Looking at the data for BCC Data Breaches you can see that BCC reported 18 Data Breaches in 2025, but the ICO only completed 1 investigation.
But the ICO completed 38 investigations in the first 3 months of 2026. This implies that the ICO are clearing their backlog, but how confident can we be that they have properly investigated data breaches that could have taken place one or more years ago?

Looking at BCC data breaches reported since 2024 you can see that 17 of them took almost 2 years to investigate.

One of the data breaches was reported on 25/06/2024, but the investigation was not completed until 25/03/2026 (almost 2 years later).

Guide to assessing personal data breaches
The PDB team has a target for closing or referring 80% of breach reports within 30 days of them being received at the ICO.
ICO Performance and Impact Report (Q4 2025/2026)

During Q4, intake remained high, reflecting sustained use of the ICO’s regulatory functions across the year. While activity began to stabilise following the large-scale incident reported in Q2, overall workloads remained elevated.
Against this backdrop, we maintained a deliberate focus on progressing and closing our oldest cases. This resulted in a significant reduction of cases over 12 months old, falling from 126 at the end of Q3 to 38 by the end of Q4. This also represents a significant decrease from the year’s high of 745. These cases now account for just 0.6% of the total open caseload, demonstrating steady progress in addressing the most aged cases despite sustained pressure.
It is ironic that the ICO have published enforcement notices for BCC relating to their poor performance in dealing with data requests, but the ICO performance seems to be even worse when it comes to investigating data breaches!
Why have I published this information?
As soon as I discovered this data breach I reported it to BCC so that they could deal with it. I acted as a "good citizen" and did not publish any of the confidential data that was available in the BCC tool.
I have not publicised information about this data breach until the ICO had completed their investigation and published the outcome on their web site.
BCC investigated and fixed the problem (after a few false starts) as quickly as they could.
BCC want to make more use of technology and data in order to provide better services to residents, but I believe they need to put more resources and effort into securing the data they hold to reduce the risk of data breaches in the future.
Why is it important to show people you protect their personal information?
A breach may damage your reputation and affect the trust and confidence people have in your organisation. On the other hand, showing people you have high standards for data protection enhances your reputation and will help you to secure the public’s trust and confidence.
The steps you take to protect people’s personal information, including responding swiftly, appropriately and empathetically to any breaches, is a crucial part of sustaining people’s trust and confidence. It demonstrates clearly that you understand and care about the harmful impact a breach may have.
Comments ()