The Post Office has been formally reprimanded by the UK's data watchdog following a serious breach that exposed the personal information of hundreds of people connected to the long-running Horizon IT scandal.
ICO Investigation Uncovers Security Failings
The Information Commissioner's Office (ICO) confirmed it issued the reprimand to the state-owned company after an investigation into an incident in May 2024. The breach occurred when the Post Office published on its website a document that contained a hidden cache of personal data.
Within the document were the names and, where applicable, postal addresses of 555 people who were claimants in the landmark group litigation against the Post Office. The ICO's report states that the visible document was a response to a Freedom of Information request, but an embedded Excel spreadsheet within the file held the sensitive information.
This hidden data was accessible to anyone who downloaded the file and knew how to open the embedded spreadsheet. The exposed individuals included not only the claimants themselves but also postmasters, postmistresses, and their family members.
Scope and Impact of the Breach
The ICO determined that the personal data of 350 people was unlawfully processed due to this security failure. The watchdog's investigation concluded that the Post Office failed to implement appropriate technical and organisational measures to ensure data security, a core principle of the UK General Data Protection Regulation (UK GDPR).
Stephen Bonner, the ICO's Deputy Commissioner for Regulatory Supervision, was direct in his criticism. He stated that the people affected by this breach were "already in a vulnerable position" due to their involvement in the Horizon scandal. The breach, he said, risked causing further distress by exposing their personal details.
The reprimand, dated 20th November 2025, is a formal, public censure. While the ICO considered issuing a substantial fine, it noted that any financial penalty would ultimately be funded from the public purse. Instead, the watchdog has ordered the Post Office to demonstrate improvements to its data protection practices.
Post Office Response and Ongoing Scrutiny
A Post Office spokesperson acknowledged the reprimand, stating they had taken steps to notify those affected and had removed the document immediately upon discovering the error in June 2024. They apologised for the distress caused and claimed to have reviewed their processes to prevent a recurrence.
This incident adds another layer of controversy to the Post Office's handling of the Horizon scandal, which saw hundreds of sub-postmasters wrongly prosecuted due to faults in the Fujitsu-developed accounting software. The breach is seen as a further failure in the organisation's duty of care towards those whose lives were upended by the miscarriage of justice.
The ICO has mandated that the Post Office now provide evidence that it has updated its data protection training and implemented new technical measures for publishing documents. This formal reprimand will remain on the organisation's record as it continues to operate under intense public and governmental scrutiny.