Set your privacy preferences

We use necessary cookies to make our website work. Cookies are small files stored on your device. We also use optional cookies to improve our services and tell us if you have seen our advertising. The data we collect is anonymised. Are you happy to accept these cookies?

View cookies

This website uses cookies. Your browser currently has cookies disabled.

Skip to main content

Making workplace pensions work

Cyber security breaches 2020 to 2026

FOI reference - FOI-462

Date - 6 April 2026

Request

For each calendar year from 2020 to 2026 inclusive:

  1. The number of cyber security breaches that have being identified that were found to be a result of a malicious threat actor (i.e. not accidental data breach).
  2. The breakdown in high-level causes of these breaches as identified by cyber security incident response teams (CSIRTs), for example (but not limited to) unpatched software/hardware, lack of multi-factor authentication (MFA), leaked user credentials, lack of in-transit encryption, etc.
  3. The number of breaches that occurred that were attributed to a previously known vulnerability to the organisations hardware, software, policies, or processes, for example where system was known to be at risk due to being unpatched or out of support, or security controls were recommended but not enforced, and was defined within the resulting incident response report.

The estimated combined costs incurred as a result of cyber security breaches defined in request number one in each year.

Response

I can confirm no cyber security breaches (i.e. a cyber security incident resulting in a data breach) have occurred at TPR for the timescales referred to above.

Please note that we define a data breach as:

“…an incident that affects the confidentiality, integrity or availability of our information.  

    • Confidentiality - where there is an unauthorised or accidental disclosure of, or access to, information. 
    • Integrity - where there is an unauthorised or accidental alteration of information leading to a security incident or other actual or potential adverse impact. 
    • Availability – where there is an accidental or unauthorised loss of access to, or destruction of, information.”

This definition is based on the definition of information security contained in ISO 27000:2018 and the Information Commissioners Office guidance on personal data breaches.

For the purposes of this response we have included data breaches, as defined above, which are a result of a cyber-attack (i.e. a cyber security incident), as defined by the National Cyber Security Centre here: Glossary | National Cyber Security Centre.

Back to top