Is HR Putting Your Data Security At Risk?

Cybercriminals are increasingly targeting human resources information, placing employees at risk of identity theft and fraud.

New research analyzed 141 million files from more than 1,000 cyber attacks, finding HR data involved in 82 percent of breaches.

The sensitive nature of HR records - such as payroll and CV details - makes them highly valuable for attackers aiming to commit fraud or impersonate employees. Within these attacks, company emails appeared in most cases, making it easier for criminals to use them in phishing or impersonation schemes. Recruitment data was another frequently exposed category because candidate names, addresses, and Social Security numbers appeared in more than half of incidents.

The way HR teams collect and manage data, with some still using simple spreadsheets and outdated systems, amplifies their vulnerability.

Industry experts emphasize that holding on to unnecessary or outdated records, particularly of former staff or rejected candidates, increases risk by leaving sensitive information accessible for years.

Source: https://www.peoplemanagement.co.uk/article/1926368/four-five-data-breaches-involve-hr-files-study-finds

Commentary

As the above source indicates, HR departments face significant risks because of the sensitive nature of the data they manage, making them a primary target for cybercriminals.

To lower breach risk, HR teams need strategic changes to both technology and culture. Reliance on outdated systems and retention of unnecessary records increase exposure to phishing, data theft, and impersonation.

Here are some prevention steps:

  • Enhance data collection policies by limiting the sensitive information collected to what is strictly necessary for operations
  • Implement security features on HR systems such as encryption, detailed audit logs and role-based access controls
  • Replace spreadsheets and legacy programs with secure, centralized platforms
  • Establish regular cybersecurity training specific to HR scenarios
  • Run simulated phishing drills and communicate common scam tactics to HR staff
  • Develop procedures for timely deletion of outdated or unnecessary records, including those of rejected candidates. Note that there may be retention requirements to consider for equal employment opportunity risk protection
  • Avoid shared local folders and use protected, centralized storage for employee information
  • Maintain clear employee notifications about what data is collected and how it is protected
  • Foster a culture where data privacy and security are part of routine HR operations
  • Encourage ongoing feedback from HR staff about process vulnerabilities and awareness gaps

The final takeaway is that HR is a cyber target. As in other departments, steps need to be taken to help prevent data risks.
