ICO to investigate Prospect data breach with Guernsey, Jersey and Isle of Man counterparts

A joint investigation has been launched by Information Commissioner’s Office and the Data Protection authorities of Jersey, Guernsey, and Isle of Man into the cyber incident that compromised data of the trade union Prospect Custodian Trustees Ltd (Prospect) in June 2025. 

Prospect has more than 160,000 members who work as scientists, engineers, tech experts and in other specialist roles. The organisation holds members’ personal information including financial data and sensitive data such as trade union membership, ethnic origin, sexual orientation, disability, and religious belief. 

The joint investigation reflects the regulators’ commitment to collaborate on protecting people’s data rights across jurisdictions. By pooling resources and expertise, we will deliver a focused and efficient inquiry. 

The investigation will examine: 

• the scope of personal information exposed by the breach and potential harms to affected people;
• whether Prospect had adequate technical and organisational measures in place to protect the sensitive information it holds.
• whether Prospect upheld their breach notification obligations; 
• whether Prospect took appropriate steps, in their initial response to the breach, to mitigate any identified risks posed to affected data subjects. 

John Edwards, UK Information Commissioner, said:

"When people share their most sensitive information with an organisation, they do so with the expectation that it will be handled responsibly and securely. We will be scrutinising the cyber incident at Prospect to check whether those expectations were met. This joint investigation demonstrates our determination to work more closely with our international counterparts to ensure that data protection standards are upheld across all jurisdictions.”

Paul Vane, Jersey Information Commissioner, said:

“Cyber and Phishing attacks are on the rise and are progressively targeting organisations and businesses which span multi-jurisdictionally. We must work collaboratively with other Authorities in order to strengthen our enforcement mechanisms and protect the information and rights of data subjects in affected jurisdictions.”

Dr Alexandra Delaney-Bhattacharya, Isle of Man Information Commissioner, said:

“People place enormous trust in organisations when they hand over their personal information, and that trust must be honoured. By undertaking this coordinated investigation into the incident at Prospect, we are strengthening our collective ability to safeguard individuals’ data.”

Brent Homan, Data Commissioner for ODPA Guernsey said:

"Cyber-attacks are increasingly impacting organisations holding data across borders and jurisdictions. International threats demand an international response. By joining forces with our partners in the UK and British Isles we will ensure an elevated level of protection for our collective citizens' data rights.”

Data protection legislation allows the authorities of the UK, Guernsey, Jersey and Isle of Man to work together on matters of impact across the jurisdictions. Each regulator will investigate compliance with the law that it oversees. No further comment will be made while the investigation is ongoing.