Post Office Reprimanded by ICO Over June 2025 Data Breach Exposing 502 Claimants
The Post Office has been reprimanded by the Information Commissioner's Office (ICO) following a June 2025 data breach that exposed sensitive personal details of 502 individuals involved in Horizon-related litigation. The breach occurred when a settlement document was published without redaction, revealing the names, home addresses, and operator status of the majority of the 555 claimants linked to the case.
The ICO described the breach as entirely preventable, citing several shortcomings within the Post Office including the absence of documented publishing policies, inadequate quality assurance processes, and insufficient staff training on handling sensitive information. Despite initially considering a fine of up to £1.09 million, the ICO ultimately ruled the breach did not meet the threshold for an egregious violation under its public-sector fining framework.
The Post Office issued a formal apology for the leak in June 2025, with CEO Nick Read leading the response. This incident follows the Post Office's December 2019 civil claim settlement related to the Horizon case, which amounted to £57.75 million before legal costs, with no admission of liability. Additionally, in May 2025, an unprecedented Act of Parliament exonerated hundreds of post office operators who had been convicted on charges such as false accounting connected to the same scandal.
The Open Rights Group criticized the ICO's decision to issue only a reprimand, labeling it ludicrous and expressing concern that it permits ongoing harm without enforceable consequences.
