FOI Reference: 561/2025
Request
1a) Of those, how many were cyber incidents? (Broken down by years as above)
1b) Can these be broken down by year and by incident type? E.g. instances where data was emailed to the incorrect recipient or cases of loss/theft of devices containing personal data etc.? (Broken down by years as above)
2a) Of those, how many were settled with compensation and how many were refused?
2b) How much has the force paid out in compensation for data breach claims in the last three years? (Broken down by years as above)
Response Q1:
I can confirm that Dyfed-Powys Police does hold the information requested, as outlined below:-
| | Total number of Non-Cyber related breaches |
|---|---|
| 2022 | 104 |
| 2023 | 134 |
| 2024 | 126 |
| 2025 | 42 (up to 28/05/2025) |

Please note: The above figures are recorded by calendar year. The categories used to record have changed over these years. Numbers could be provided in financial years – but it would not then be possible to provide the accurate breakdown by category.
These figures are the number of reports submitted to/received by the Data Protection department. This figure may include duplicates and/or reports which were found not to have resulted in a breach, or breaches caused by other organisations.
Additionally, Dyfed-Powys Police can neither confirm nor deny that it holds any other information with regard to cyber related breaches as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions which are detailed below in response 1a.
Response Q1a:
Section 1 of the Freedom of Information Act 2000 (FOIA) places two duties on public authorities. Unless exemptions apply, the first duty at s1(1)(a) is to confirm or deny whether the information specified within a request is held. The second duty at s1(1)(b) is to disclose information that has been confirmed as being held. Where exemptions are relied upon, Section 17 of the FOIA requires that we provide the applicant with a notice which:
a) states that fact,
b) specifies the exemption(s) in question and
c) states (if that would not otherwise be apparent) why the exemption applies.
Dyfed-Powys Police can neither confirm nor deny that information is held relevant to your request as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions:
Section 24(2) National Security
Section 31(3) Law Enforcement
Sections 24 and 31 are prejudice based qualified exemptions and there is a requirement to articulate the harm that would be caused in confirming or denying that any other information is held as well as carrying out a public interest test.
Overall Harm for NCND:
To confirm or deny whether any information is held in respect of successful cyber attacks resulting in Data Breaches would provide actual knowledge that where an attempt has been made, it has or has not been successful. Confirming that such information is not held may assist potential attackers by indicating that an attack had gone undetected. Equally, confirming information is held would enable understanding of where attacks have been successful, and possible weaknesses exist. Attackers may then be able to tailor their methods to increase their chances of success.
To confirm or deny whether information is held in respect of any leaked data as a result of an attack would, in effect, confirm that there had been successful cyber attacks made against the force, which would present harm as detailed above.
Furthermore, in order to counter criminal and terrorist behaviour it is vital that the police and other agencies have the ability to work together, where necessary covertly, in order to obtain intelligence within current legislative frameworks to ensure the arrest and prosecution of offenders who commit or plan to commit acts of terrorism, whereby their modus operandi may involve cyber attacks on secure databases. In order to achieve this goal, it is vitally important that information sharing takes place with other police forces and security bodies within the United Kingdom in order to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime. To confirm or deny specific details of any breaches of information technology and security would be extremely useful to those involved in terrorist activity as it would enable them to map vulnerable information security databases.
Public Interest Test
Factors favouring confirmation or denial for Section 24:
The public are entitled to know how public funds are spent and how resources are distributed within an area of policing. To confirm information is held regarding successful cyber-attacks causing Data Breaches would enable the general public to hold Dyfed-Powys Police to account ensuring all such breaches are recorded and investigated appropriately. With the call for transparency of public spending this would enable improved public debate.
Factors against confirmation or denial for Section 24:
Security measures are put in place to protect the community we serve. As evidenced within the harm, to confirm whether any cyber-attacks have been successful would highlight to terrorists and individuals intent on carrying out criminal activity vulnerabilities within Dyfed-Powys Police which could be further exploited.
Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed. To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.
Irrespective of what information is or isn’t held, the public entrust the Police Service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.
The cumulative effect of terrorists gathering information from various sources would be even more impactive when linked to other information gathered from various sources about terrorism. The more information disclosed over time will give a more detailed account of the tactical infrastructure of not only a force area but also the country as a whole.
Any incident that results from such a disclosure would, by default, affect National Security.
Factors favouring confirmation or denial for Section 31:
Confirmation that information exists relevant to this request would lead to a better informed public which may encourage individuals to provide intelligence in order to reduce such security breaches.
Factors against confirmation or denial for Section 31:
Confirmation or denial that information is held in this case would suggest Dyfed-Powys Police take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately.
Balancing Test
The points above highlight the merits of confirming or denying the requested information exists. The Police Service is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity. Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country at an increased level of danger.
In addition, anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the Police Service. Therefore, at this moment in time, it is our opinion that for these issues the balance test favours neither confirming nor denying that information is held.
Response Q1b:
I can confirm that Dyfed-Powys Police does hold the information requested, as outlined below:-
| 2022 | Total |
|---|---|
| Email to incorrect recipient | 32 |
| Inappropriate access to personal data | 10 |
| Inappropriate holding of data | 7 |
| Inappropriate sharing of data | 29 |
| Inappropriate use of data | 5 |
| Incorrect recipient telephoned | 2 |
| Letter sent to incorrect recipient | 13 |
| Lost/Misplaced data | 5 |
| Other | 2 |
| No category listed | 4 |

| 2023 | Total |
|---|---|
| Email to incorrect recipient | 29 |
| Excessive 3rd party data disclosed | 1 |
| Inappropriate accessing of data | 15 |
| Inappropriate holding of data | 3 |
| Inappropriate sharing of data | 40 |
| Inappropriate use of data | 2 |
| Incorrect recipient telephoned | 1 |
| Letter sent to incorrect recipient | 30 |
| Lost/Misplaced data | 3 |
| Other | 9 |
| No category listed | 3 |

| 2024 | Total |
|---|---|
| Email to incorrect recipient | 14 |
| Email to wrong recipient | 2 |
| Inappropriate accessing of data | 9 |
| Inappropriate holding of data | 6 |
| Inappropriate sharing of data | 45 |
| Inappropriate use of data | 6 |
| Incorrect recipient telephoned | 2 |
| Letter sent to incorrect recipient | 19 |
| Lost/Misplaced data | 9 |
| Other | 14 |

| 2025 (Jan 1st – May 28th) | Total |
|---|---|
| Correspondence sent to incorrect recipient - INTERNAL | 4 |
| Correspondence sent to incorrect recipient - EXTERNAL | 8 |
| Attachment incorrect - INTERNAL | 2 |
| Attachment incorrect - EXTERNAL | 2 |
| Inappropriate accessing of data | 2 |
| Inappropriate disclosure of data | 16 |
| Inappropriate sharing of data | 0 |
| Inappropriate Processing of Data | 2 |
| Lost/misplaced data | 2 |
| Inaccurate data recorded on system | 1 |
| Information Found | 1 |
| Information Incorrectly Withheld | 2 |

Please note: The above figures are recorded by calendar year. The categories used to record have changed over these years. Numbers could be provided in financial years – but it would not then be possible to provide the accurate breakdown by category.
These figures are the number of reports submitted to/received by the Data Protection department. This figure may include duplicates and/or reports which were found not to have resulted in a breach, or breaches caused by other organisations.
Additionally, Dyfed-Powys Police can neither confirm nor deny that it holds any other information with regard to cyber related breaches as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions which are detailed above in response 1a.
Response Q2:
I can confirm that Dyfed-Powys Police does partially hold the information requested, as outlined below.
Please note: the below relates to claims in relation to non-cyber related breaches only.
FY 2022-2023 – Nil
FY 2023-2024 – 2
FY 2024-2025 – 4
Response Q2a:
I can confirm that Dyfed-Powys Police does partially hold the information requested, as outlined below:-
Please note: the below relates to claims in relation to non-cyber related breaches only.
FY 2022-2023 – Nil
FY 2023-2024 – 1 refused. 1 settled.
FY 2024-2025 – 1 refused, 1 settled, 2 live files
Response Q2b:
I can confirm that Dyfed-Powys Police does partially hold the information requested, as outlined below:-
Please note: the below relates to claims in relation to non-cyber related breaches only.
FY 2022-2023 – Nil
FY 2023-2024 – £500.00
FY 2024-2025 – £6000.00
Additionally, Dyfed-Powys Police can neither confirm nor deny that it holds any other information with regard to claims in relation to cyber related breaches as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions which are detailed above in response 1a.
It should be noted that as a result of the systems adopted by Dyfed-Powys Police in relation to the recording of such information that the information released may or may not be accurate.
(This is a response under the Freedom of Information Act 2000 and disclosed on 09/07/2025)
If you require this information in Welsh, please contact: