Is HR Putting Your Data Security At Risk?

Cybercriminals are increasingly targeting human resources information, placing employees at risk of identity theft and fraud.

New research analyzed 141 million files from more than 1,000 cyber attacks, finding HR data involved in 82 percent of breaches.

The sensitive nature of HR records - such as payroll and CV details - makes them highly valuable to attackers aiming to commit fraud or impersonate employees. Company email addresses appeared in most of these attacks, making it easier for criminals to use them in phishing or impersonation schemes. Recruitment data was another frequently exposed category, with candidate names, addresses, and Social Security numbers appearing in more than half of incidents.

The way HR teams collect and manage data, with some still using simple spreadsheets and outdated systems, amplifies their vulnerability.

Industry experts emphasize that holding on to unnecessary or outdated records, particularly of former staff or rejected candidates, increases risk by leaving sensitive information accessible for years.

Source: https://www.peoplemanagement.co.uk/article/1926368/four-five-data-breaches-involve-hr-files-study-finds

Commentary

As the above source indicates, HR departments face significant risks because of the sensitive nature of the data they manage, making them a primary target for cybercriminals.

To lower breach risk, HR teams need strategic changes to both technology and culture. Reliance on outdated systems and retention of unnecessary records increase exposure to phishing, data theft, and impersonation.

Here are some prevention steps:

  • Enhance data collection policies by minimizing sensitive information to what is strictly necessary for operations
  • Implement security features on HR systems such as encryption, detailed audit logs and role-based access controls
  • Replace spreadsheets and legacy programs with secure, centralized platforms
  • Establish regular cybersecurity training specific to HR scenarios
  • Run simulated phishing drills and communicate common scam tactics to HR staff
  • Develop procedures for timely deletion of outdated, unnecessary or rejected-candidate records. Note that record-retention requirements, such as those tied to equal employment opportunity compliance, may limit how soon records can be deleted
  • Avoid shared local folders and use protected, centralized storage for employee information
  • Maintain clear employee notifications about what data is collected and how it is protected
  • Foster a culture where data privacy and security are part of routine HR operations
  • Encourage ongoing feedback from HR staff about process vulnerabilities and awareness gaps

The final takeaway is that HR is a cyber target. As with other departments, steps need to be taken to help reduce data risks.
