Outsourcing negotiations led to police transferring employee information to G4S
In a series of events that have unfolded over the past year, three UK police forces - Bedfordshire Police, Cambridgeshire Constabulary, and Hertfordshire Constabulary - have found themselves embroiled in a controversial data-sharing incident. The police forces have admitted that the sharing of personal employee data with private security company G4S during IT and back-office outsourcing negotiations was not appropriate.
However, it is important to clarify that as of August 2025, there has been no verified data breach or consequent investigation related to personal data leaking to G4S during UK police IT outsourcing talks. This conclusion is based on the absence of such reports in publicly accessible security or news sources.
The data breach occurred during the development of an outline business case with G4S. Five files containing personal information about staff from the three police forces were sent electronically, breaching the Data Protection Act 1998. A non-disclosure agreement with G4S was in place, stating that no data would ever have left the hands of the police forces.
In response to the incident, Deputy chief constable John Feavyour, senior information risk officer for the three forces, wrote to the affected staff in February explaining the data breach and apologizing. G4S, for their part, appointed an Information Assurance Professional to ensure that all personal data was deleted from their hard drives and records, and that no hard copies existed.
Despite the data breach, G4S went on to win a £200 million, ten-year contract with Lincolnshire Police to provide outsourced services, with a projected saving of £28 million. However, the plan to set up a private, "high tech" police station, including custodial cells, as part of Lincolnshire Police's outsourcing deal with G4S was put on hold in September last year.
Interestingly, Hertfordshire Police and Crime Commissioner David Lloyd stated that the G4S framework contract through Lincolnshire Police was not suitable for the unique position of the three forces. Commissioner Lloyd is currently in discussion with other market providers and will continue to talk with G4S about how they can assist policing support services in Hertfordshire.
The Information Commissioner's Office (ICO) has been notified of the data breach incident involving the three police forces and G4S, and will investigate the matter further. The ICO has a history of proactive reporting, with 80% of fines issued in 2012 being for organizations that reported themselves to the data watchdog.
It is essential to note that while the data breach incident occurred, neither G4S nor any UK police force has been reported to have been involved in any significant cybersecurity incidents that targeted police forces or G4S outsourcing, such as the social engineering attacks that affected large UK retail brands earlier in 2025.
As always, for the most current and specific updates, it may be necessary to consult official UK police or government cybersecurity bulletins or trusted investigative journalism sources.
- Despite the data breach incident involving personal employee data shared between three UK police forces and G4S, no significant cybersecurity incidents related to technology have been reported regarding either the police forces or G4S outsourcing, such as social engineering attacks that affected large UK retail brands.
- In an effort to ensure the protection of personal data, G4S appointed an Information Assurance Professional to delete all personal data from their hard drives and records, ensuring that no hard copies existed.
