The Information Commissioner’s Office (ICO) has reprimanded Post Office Limited after a serious data breach saw the names and home addresses of more than 500 postmasters caught up in the Horizon IT scandal published on the organisation’s own website.
The incident occurred when the Post Office’s communications team accidentally uploaded an unredacted version of a legal settlement document to its corporate site. The file, which included the names, home addresses and postmaster status of 502 people involved in the landmark group litigation, remained publicly accessible for nearly two months between 25 April and 19 June 2024. It was eventually taken down after an external law firm alerted the organisation.
An ICO investigation found the breach was “entirely preventable”, concluding that the Post Office had failed to implement basic technical and organisational safeguards to protect sensitive information. According to the regulator, there were no adequate policies, quality assurance checks or documented processes governing how documents were published on the corporate website. Staff also lacked specific training on handling sensitive information or understanding the risks associated with online publication.
Sally Anne Poole, the ICO’s Head of Investigations, said: “The people affected by this breach had already endured significant hardship and distress as a result of the Horizon IT scandal. They deserved much better than this.
“The postmasters have once again been let down by the Post Office. Our investigation highlighted that this data breach was entirely preventable and stemmed from a mistake that could have been avoided had the correct procedures been in place.
“Other organisations should take notice of this reprimand and apply its learnings, so they don’t find themselves making the same mistake. Data protection by design must be embedded into everyday operations so people’s information is handled appropriately.”
The ICO had considered issuing a fine of up to £1.094m but ultimately concluded the failings did not meet its threshold of “egregious” under its public sector approach, opting instead for a formal reprimand.
Following the breach, the Post Office offered compensation to those affected, provided identity protection services including two years of fraud monitoring and dark web surveillance, contacted search engines to remove cached versions of the document, and set up an emergency working group to strengthen internal controls. It has since introduced a documented policy governing how information is published on its website.
The regulator said the case underlined the need for clear publication protocols, proper data classification, defined responsibilities, and tailored training for teams that handle public-facing content. It encouraged organisations across all sectors to reassess their internal processes and ensure they meet data protection standards, pointing to its data protection audit framework as a starting point.