New data disclosed by the Department of Work and Pensions (DWP) has shown that there were hundreds of data security incidents across Jobcentres in 2024, affecting an untold number of claimants. The new information has been released just as the DWP caused another major data breach – this time, involving dozens of disabled people’s personal emails.
DWP: breaching data for the online Green Paper consultation
Currently, the DWP is doing online consultations on the Green Paper it recently released. This is about its planned cuts to Universal Credit, and changes and cuts to Personal Independence Payment (PIP). Understandably, countless chronically ill and disabled people had signed up for the online meeting. However, last Thursday, as one participant told the Canary:
DWP are doing online consultations regarding the green paper. Me and other people signed up to one on Eventbrite. The online consultation is happening on 6 May.
This afternoon we received an email with the Zoom joining details.
All of our email addresses were included in the “to” section.
It is also worth noting that I cancelled my “ticket” to this event a couple of weeks ago and confirmed I had cancelled my attendance to the DWP via email. So, I should not have even been on this email list.
I am disabled. This major breach is linking me to that protected characteristic.
The email address used is my main one, on a domain that I own.
I now feel that my identity as a disabled person has now been shared without my consent.
As Benefits and Work noted, “an attachment with the email even set out which of the DWP staff were ‘required’ participants, which were ‘optional’ and detailed which section of the DWP they work in, such as, corporate support and development, occupational psychology, private pensions, labour market directorate, disability and health, customer experience”.
A shambles
Another participant told the Canary:
I discovered that the DWP shared our personal information without consent by sending out a blanket invitation to all involved. Everyone in attendance could see each other’s personal information. What shocked me is that DWP has responded by labelling it as a technical difficulty without understanding or taking ownership around the seriousness of this breach. Understandably so, there were attendees emailing collectively to raise their concern as well as spreading awareness about ICO if anyone wants to formally address it.
As Benefits and Work noted, the DWP response said:
Apologies for the Teams invite that was shared, there was a technical difficulty. The previously scheduled Teams meeting has now been cancelled, and a new meeting invitation will be shared with you shortly.
In the meantime, if you would like us to use a different email address for the updated invitation, please reply to this email by 02/05/2025.
That is, the DWP failed to even acknowledge it had broken the law. However, when it comes to the department this is just the tip of the iceberg.
A spokesperson for Harmony Party UK told the Canary:
The DWP employs tens of thousands of people and has safeguarding responsibility for millions: that it must do better than this could not be more obvious given the recent example of the case of “David” – a man who died after his benefits were cut by the DWP, but which were subsequently reinstated, possibly after they learned of his death.
Given that the DWP is responsible for safeguarding the data of millions of people in this country it is beyond reprehensible that a breach of this nature should take place, even if it does seem relatively minor. Benefit claimants must feel secure in sending incredibly privileged information to the DWP as a natural part of claiming; keeping data safe is an integral part of the department’s role.
Disability Activism Society member Abi Broomfield said:
This massive failure to protect Disabled people’s personal details epitomises the disasters Labour and these green proposals have proven to be.
The tip of the iceberg
Compensation experts Data Breach Claims UK learned through a Freedom of Information request that 238 Jobcentres experienced at least one breach between November 2023 and January 2025.
There were also 261 ‘postal security incidents’, where documents containing personal data were sent to the wrong address and opened by an unauthorised person.
The DWP was reprimanded by the ICO in 2022 after a failure to redact sensitive information by its Child Maintenance Appeals service led to 16 people’s personal data being sent to ‘inappropriate’ third parties. It was reported that among the recipients of that data was an ex-partner with a history of domestic abuse, an error for which the DWP apologised after its ICO rebuke.
The department was bullish in defending its mail security record, telling Data Breach Claims UK that the:
DWP issues over 80,000,000 mail notifications per annum and the number of recorded Postal Security Incidents recorded equates to 0.00027%.
DWP data breaches are no small matter, says expert
A data breach is defined by information security watchdog the ICO as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
DWP claimants are expected to share sensitive information when using the service, including names, addresses, National Insurance numbers, job histories and bank details, plus medical information in some cases.
A breach of said data can have a catastrophic effect, such as one case of a Jobcentre Plus data breach from 2014 where the impacted person was forced to move across the country.
“In this current climate, claimants already have more than enough to worry about without a mistake causing their personal data to become public,” said Data Breach Claims UK specialist Bethan Hakesley:
Even one data breach is too many, especially if it causes a person significant stress. If personal data gets in the wrong hands, it can have a devastating impact.
We’ve supported many people who have had their lives turned upside down by a simple error with serious consequences. If someone suffers mental harm or financial damage because of a personal data breach, they’re well within their rights to look into claiming compensation.
London and East Midlands centres post most data breach incidents
The DWP counted 369 data breaches across its Jobcentres through 2024, spread across 218 locations.
Letter mishaps affect over 250 claimants
The DWP said that there were 261 ‘postal security incidents’ between November 2023 and January 2025. Such incidents involve letters being sent to the wrong address and their contents, including an individual’s personal data, being seen by the wrong person.
This happened most often in Coventry, where 30 incidents were recorded. A postal mishap was more than twice as likely in Coventry as in the place affected second-most often (Torquay, 14 incidents).
Birkenhead (12), Makerfield (11) and Norwich (10) all had postal incidents in double digits.
103 of the incidents affected the personal data of people on the DWP’s Work & Health programme, with the north east (27 errors) and southern England (26) the most affected regions.
The DWP says…
The Canary contacted the DWP for a response over the data breach relating to the Green Paper. It told us:
As part of our Plan for Change, we are seeking views on the approaches we should consider creating a sustainable welfare system that genuinely supports sick and disabled people into work.
We take our responsibility to protect data very seriously and apologise to those impacted by this isolated incident.
However, given the information Data Breach Claims UK has discovered, it is far from an isolated incident. When the DWP cannot be bothered to even handle chronically ill and disabled people’s personal data properly, how can they trust it to deal with their actual claims?
As one claimant told the Canary:
It is violating my privacy.
It is leaving me open to scams, hacks, and abuse.
It makes me feel more vulnerable than I already feel as a disabled woman.
It removes any trust I had in the DWP that this consultation will be handled professionally and with dignity.
History has repeatedly proven the DWP is not fit for purpose, and exists purely to work against chronically ill and disabled people. These latest revelations just cement that notion further.
Data Breach Claims UK is a service dedicated to offering guidance and support to people who have been emotionally or financially affected by a personal data breach.
Its phone and online service is available 24/7 and provides a free compensation claim assessment.