Oxford City Council has announced a data breach involving its legacy systems, resulting in unauthorised access to personally identifiable information. The incident has also led to a disruption in ICT services. Although most systems have been restored, some backlogs may continue to cause delays. The council manages essential public services for approximately 155,000 residents.
According to a statement on the council’s website, attackers accessed databases containing personal information of current and former council officers from 2001 to 2022. The investigation is ongoing to determine the extent of the breach and whether any data was exfiltrated. The council has indicated that there is currently no evidence of further dissemination of the exposed data. Additionally, there is no indication that data belonging to members of the public has been compromised.
Affected individuals notified as council enhances cybersecurity measures
The council has begun notifying affected individuals directly, providing details about the breach, available support resources, and assurances of improved security measures to prevent future incidents. Relevant government authorities and law enforcement agencies have also been informed of the breach. The council is taking steps to ensure transparency and to mitigate any potential fallout from the incident.
“Unfortunately, the attackers were able to access some historic data on legacy systems,” said Oxford City Council in its statement on the cybersecurity incident. “We have now identified that people who worked on Oxford City Council-administered elections between 2001 and 2022, including poll station workers and ballot counters, may have had some personal details accessed. The majority of these people will be current or former Council officers. There is no evidence to suggest that any of the accessed information has been shared with third parties.”
This incident is part of a broader pattern of cyberattacks targeting UK organisations. Recent victims include government agencies and major retailers such as Marks & Spencer, Co-op, and Harrods. Last month, the Legal Aid Agency alerted law firms to a potential security breach, while the Co-op Group acknowledged a significant data breach linked to the DragonForce group. Harrods confirmed it was targeted in a cyberattack, prompting precautionary measures. Marks & Spencer reported a breach in April 2025 that exposed customer data, including names, phone numbers, home addresses, and birth dates.
Read more: Legal Aid Agency warns law firms of potential data breach
