Cybercriminals are increasingly targeting human resources information, placing employees at risk of identity theft and fraud.
New research analyzed 141 million files from more than 1,000 cyber attacks, finding HR data involved in 82 percent of breaches.
The sensitive nature of HR records - such as payroll and CV details - makes them highly valuable for attackers aiming to commit fraud or impersonate employees. Within these attacks, company emails appeared in most cases, making it easier for criminals to use them in phishing or impersonation schemes. Recruitment data was another frequently exposed category, with candidate names, addresses, and Social Security numbers appearing in more than half of incidents.
The way HR teams collect and manage data, with some still using simple spreadsheets and outdated systems, amplifies their vulnerability.
Industry experts emphasize that holding on to unnecessary or outdated records, particularly of former staff or rejected candidates, increases risk by leaving sensitive information accessible for years.
Source: https://www.peoplemanagement.co.uk/article/1926368/four-five-data-breaches-involve-hr-files-study-finds
Commentary
As the above source indicates, HR departments face significant risks because of the sensitive nature of the data they manage, making them a primary target for cybercriminals.
To lower breach risk, HR teams need strategic changes to both technology and culture. Reliance on outdated systems and retention of unnecessary records increase exposure to phishing, data theft, and impersonation.
Here are some prevention steps:
- Enhance data collection policies by minimizing sensitive information to what is strictly necessary for operations
- Implement security features on HR systems such as encryption, detailed audit logs and role-based access controls
- Replace spreadsheets and legacy programs with secure, centralized platforms
- Establish regular cybersecurity training specific to HR scenarios
- Run simulated phishing drills and communicate common scam tactics to HR staff
- Develop procedures for timely deletion of outdated or unnecessary records and records of rejected candidates. Note that there may be retention requirements to consider for equal employment opportunity risk protection
- Avoid shared local folders and use protected, centralized storage for employee information
- Maintain clear employee notifications about what data is collected and how it is protected
- Foster a culture where data privacy and security are part of routine HR operations
- Encourage ongoing feedback from HR staff about process vulnerabilities and awareness gaps
The final takeaway is that HR is a cyber target. As in other departments, steps need to be taken to help prevent data risks.


