Current timestamp: 23/06/2026 10:36:03
AgeAlertAnonymousAppealsApplicationsApply Or RegisterArea OutlineArrow DownArrow LeftArrow RightArrow UpAutomatic DoorsBack ArrowBusinessCalendarCashArrow DownArrow LeftArrow RightArrow Down[Missing text '/SvgIcons/Symbols/Titles/icon-chrome' for 'English (United Kingdom)']ClockCloseContactDirectionsDocumentDownloadDrawDrugExpandExternal LinkFacebookFb CommentFb LikeFiletype DefaultFiletype DocFiletype PdfFiletype PptFiletype XlsFinance[Missing text '/SvgIcons/Symbols/Titles/icon-firefox' for 'English (United Kingdom)']First AidFlickrFraudGive FeedbackGlobeGuide DogHealthHearing ImpairedInduction LoopInfoInstagramIntercom[Missing text '/SvgIcons/Symbols/Titles/icon-internet-explorer' for 'English (United Kingdom)']LaptopLiftLinkedinLocal Activity[Missing text '/SvgIcons/Symbols/Titles/icon-location' for 'English (United Kingdom)']LoudspeakerLow CounterMailMapMap PinMembershipMenuMenu 2[Missing text '/SvgIcons/Symbols/Titles/icon-microsoft-edge' for 'English (United Kingdom)']Missing PeopleMobility ImpairmentNationalityNorth PointerOne Mile RadiusOverviewPagesPaper PlaneParkingPdfPhonePinterestPlayPushchairRefreshReportRequestRestart[Missing text '/SvgIcons/Symbols/Titles/icon-rotate-clockwise' for 'English (United Kingdom)']Rss[Missing text '/SvgIcons/Symbols/Titles/icon-safari' for 'English (United Kingdom)']SearchShareSign LanguageSnapchatStart AgainStatsStats And Prevention AdviceStopSubscribeTargetTattosTell Us AboutTickTumblrTwenty Four HoursTwitter LikeTwitter ReplyTwitter RetweetUploadVisually ImpairedWhatsappWheelchairWheelchair AssistedWheelchair ParkingWheelchair RampWheelchair WcYoutubeZoom InZoom Out

Leave this site

Skip to main content

Skip to main navigation

Welcome

This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.

FOI 715/25

FOI 715/25

Request

 Under the Freedom of Information Act 2000, please can you disclose the following information:

  1. The number of data breach incidents the force has had in the last three years (Broken down by financial years  2022/23, 2023/24 and 2024/25)

1a) Of those, how many were cyber incidents? (Broken down by years as above)

1b) Can these be broken down by year and by incident type? E.g. instances where data was emailed to the incorrect recipient or cases of loss/theft of devices containing personal data etc.? (Broken down by years as above)

  1. How many compensation claims have been brought against the force for data breaches in the last three years (Broken down by financial years  2022/23, 2023/24 and 2024/25)

2a) Of those, how many were settled with compensation and how many were refused?

2b) How much has the force paid out in compensation for data breach claims in the last three years? (Broken down by years as above)

Clarification: In regards to question 1b, I am requesting a breakdown of question 1 by incident type, not question 1a.

 Response 

We consulted with our Information Governance team who have provided the below response to your request.

Question 1 & 1b

 

2022

2023

2024

2025*

Total Breaches

149

176

274

119
 

 

 

 

 

Breakdown

2022

2023

2024

2025*

Unauthorised access of police systems

4

19

18

0

Unauthorised/accidental disclosure of information - Email

52

53

68

26

Unauthorised/accidental disclosure of information - SMS

0

2

0

0

Unauthorised/accidental disclosure of information - Physical

31

81

155

60

Unauthorised/accidental disclosure of information - Verbal

16

16

23

15

Unauthorised/accidental corruption of data

21

4

7

15

Lost / unavailability of data

25

1

3

3

Please note these are data incidents that were reported to Information Governance they may not all have resulted in a personal data breach being identified.

We consulted with our Joint Legal Services who have provided the below response to your request.

Question 2

In the following financial years, the Chief Constable was notified of the following numbers of claims (claims may have arisen in previous financial years):

2022/23 – 8 claims

2023/24 – 7 claims

2024/25 – 9 claims

Question 2a

Of the claims notified above, the outcomes were as follows: -

2022 /23 – 2 settled, 6 denied (refused)

2023/24 – 2 settled, 5 denied (refused)

2024/25 – 4 settled, 5 denied (refused)

Question 2b

Of the claims set out in 2, 2(a) and 2(b), the Force made payments totalling the following per financial year: -

2022 /23 – £9300

2023/24 - £8500

2024/25 – £28750

Questions 1a, 1b & 2

For any information requested in relation to cyber incidents South Wales Police neither confirms nor denies that it holds information by virtue of the following exemptions:

Section 24(2) – National Security

Section 31(3) – Law Enforcement

Sections 24(2) and 31(3) being prejudice based and qualified, the harm (prejudice) in confirming or denying should be evidenced, the public interest considered, and both articulated to the applicant. 

Harm in Confirming or Denying that Information is held

To confirm or deny whether any further information is held in respect of successful or attempted cyber-attacks resulting in Data Breaches would provide actual knowledge of where an attempt has been made, if it has or has not been successful. Confirming that such information is not held may assist potential attackers by indicating that an attack had gone undetected. Equally, confirming information is held would enable understanding of where attacks have been successful, and possible weaknesses exist. Attackers may then be able to tailor their methods to increase their chances of success.

To confirm or deny whether information is held in respect of any leaked data as a result of an attack would, in effect, confirm that there had been successful cyber-attacks made against the force, which would present harm as detailed above.

Furthermore, in order to counter criminal and terrorist behaviour it is vital that the police and other agencies have the ability to work together, where necessary covertly, in order to obtain intelligence within current legislative frameworks to ensure the arrest and prosecution of offenders who commit or plan to commit acts of terrorism, whereby their modus operandi may involve cyber-attacks on secure databases. In order to achieve this goal, it is vitally important that information sharing takes place with other police forces and security bodies within the United Kingdom in order to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime. To confirm or deny specific details of any breaches of information technology and security would be extremely useful to those involved in terrorist activity as it would enable them to map vulnerable information security databases.

Public Interest Considerations

Section 24(2) - National Security

Factors in favour of confirming or denying that information is held

The public are entitled to know how public funds are spent and how resources are distributed within an area of policing. To confirm information is held regarding successful cyber-attacks causing Data Breaches would enable the general public to hold the police to account ensuring all such breaches are recorded and investigated appropriately. With the call for transparency of public spending this would enable improved public debate.

Factors against confirming or denying that information is held

Security measures are put in place to protect the community we serve. As evidenced within the harm to confirm whether any cyber-attacks have been successful would highlight to terrorists and individuals’ intent on carrying out criminal activity vulnerabilities within the police which could be further exploited.

Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed. To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.

Irrespective of what information is or isn’t held, the public entrust the Police Service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.

The cumulative effect of terrorists gathering information from various sources would be even more impactive when linked to other information gathered from various sources about terrorism. The more information disclosed over time will give a more detailed account of the tactical infrastructure of not only a force area but also the country as a whole.

Any incident that results from such a disclosure would, by default, affect National Security.

Section 31 (3) – Law Enforcement

Factors favouring confirming or denying that information is held

Confirmation that information exists relevant to this request would lead to a better-informed public which may encourage individuals to provide intelligence in order to reduce such security breaches.

Factors against confirming nor denying that information is held.

Confirmation or denial that information is held in this case would suggest the police take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately.

Balancing Test

The points above highlight the merits of confirming or denying the requested information exists. The Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity. Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country at an increased level of danger.

In addition, anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the Police Service. Therefore, at this moment in time, it is our opinion that for these issues the balance test favours neither confirming nor denying that information is held.

In accordance with the Act, this letter represents a refusal notice for this part of your request.