Data breach impact rises sharply as cyber incidents affect thousands on Isle of Man

Information Commissioner says fewer breaches were reported in the third quarter, but large-scale cyber incidents meant far more people were affected

An estimated 12,000 people on the Isle of Man were affected by personal data breaches during the third quarter of the 2025/26 financial year, according to figures published by the Isle of Man Information Commissioner (ICO).

The total represents a sharp rise on earlier quarters, with around 2,200 individuals affected in the second quarter, and 800 in the first, despite an overall fall in the number of breaches being reported.

In its latest quarterly update, the ICO recorded 39 personal data breaches between July and September, compared with 52 the previous quarter.

Of the breaches reported in the third quarter, 36 percent were classified as ‘high risk’, down from 42 percent in the previous quarter. However, 28 percent were assessed as carrying a risk of identity theft or fraud.

Most incidents were reported promptly, with 92 percent notified with the required 72-hour timeframe - an improvement on the 82 percent reported within that window in the second quarter.

Under data protection law, organisations must report breaches to the ICO as soon as possible, and no later than 72-hours after becoming aware of the incident, unless its likely to post a risk to individuals’ rights and freedoms.

Public-sector bodies accounted for 54 percent of reported breaches in the quarter, with 46 percent coming from the private sector, marking a slight shift from the previous quarter when reports were evenly split.

During the same period, 49 personal data breaches were closed.

Across the calendar year, 186 personal data breaches were reported in 2025, up from 154 in 2024.

Around 33 percent of those involved ‘high risk’ special category data, such as information relating to health, political opinions, religion, trade union membership, or sexual orientation.

Overall, 56 percent of breaches reported in 2025 came from the private sector - the remainder coming from public bodies.

The ICO concludes by reiterating advice including the importance of staff training, robust cyber security safeguards, and rehearsed incident response plans, as well as clear and timely communication with affected individuals if a breach occurs.

In a statement, Senior Compliance Officer Laura Doyle said: "The increase [this quarter] was largely driven by cyber security incidents - mainly phishing attacks - targeting large-scale organisations, leading to bigger numbers of people being caught up in single breaches.

"It’s extra important to stay alert for ‘phishers’ during busier times. But cyber incidents can happen to any organisation - it’s often not a matter of ‘if’ but 'when'".