When Excel files proliferate without governance, data security risks multiply significantly. Sensitive information in spreadsheets frequently resides on unsecured personal devices or unauthorized cloud storage platforms, or is shared through unapproved communication channels, creating multiple points of exposure. Since spreadsheets often lack robust, enterprise-grade access controls, anyone who obtains a copy can potentially access all contained data. Excel’s built-in security features, such as basic password protections, are notoriously easy for malicious actors to bypass, leaving critical business data, customer details, employee personal information, and financial records highly vulnerable to unauthorized access. Consequently, a simple mistake—like sending a file to the incorrect email recipient or saving it inadvertently in a publicly accessible folder—can quickly lead to substantial data leaks and compliance violations.

Furthermore, the widespread practice of emailing spreadsheets as attachments compounds these risks. Once a spreadsheet is sent via email, IT departments face severe challenges in tracking or retracting the distributed copies. Such attachments can be forwarded indefinitely without oversight, leaving organizations without a reliable audit trail to determine who has accessed, modified, or redistributed sensitive content. This untraceability greatly increases the chance of sensitive data falling into unauthorized hands, escalating the risk of breaches, reputational harm, and regulatory penalties. To mitigate these substantial threats, organizations must adopt stringent spreadsheet governance measures, implement stronger access controls and encryption, and utilize centralized management solutions that enable comprehensive tracking and auditing of data usage and distribution.


Analyzing Two Decades of Spreadsheet-Related Data Breaches (2006–2025)

To gain deeper insight into the security risks associated with spreadsheets, we conducted comprehensive research into publicly reported incidents involving exposure of sensitive data through spreadsheet files over the past two decades (2006–2025). Our analysis identified a total of 51 publicized incidents. We organized the details of each incident into a structured table with the following fields:

  • Organization
  • Organization Type
  • Country
  • Financial Loss Description
  • Reported Loss Amount
  • What Happened
  • Type of Data Stolen/Exposed
  • Cause
  • Category
  • Subcategory
  • Impact
  • Year
  • Reference URL

Our research focused exclusively on English-language sources. Although we acknowledge the actual number of incidents is likely higher, this dataset is sufficiently detailed and statistically significant to yield valuable insights into spreadsheet-related data breaches.


Over 75% of Incidents Originated in the USA and UK

More than 75% of the identified spreadsheet-related data breach incidents occurred in the USA and the UK. One primary factor contributing to this result is that our research was restricted to English-language sources. Another significant reason is that countries like the USA, UK, Australia, and Canada have stricter data breach reporting regulations, leading to higher public disclosure rates compared to other regions.

[Chart: Spreadsheet-Related Data Breaches by Country]

Government Organizations Represented 37% of All Incidents

Our analysis also categorized incidents based on the type of organization involved. Government organizations accounted for the highest proportion at 37%, followed by healthcare with 23%, education at 14%, finance at 10%, and public organizations also at 10%.

[Chart: Spreadsheet-Related Data Breaches by Organization Type]

A common factor across these sectors is the presence of strict regulatory disclosure requirements. In the government sector, the Federal Information Security Modernization Act (FISMA) mandates that U.S. federal agencies promptly report cybersecurity incidents, including data breaches, to relevant federal bodies and Congress. Similarly, state-level laws such as California SB-1386 and New York’s SHIELD Act require public disclosure of breaches involving personal data. The European Union’s General Data Protection Regulation (GDPR) also stipulates that public institutions must notify national supervisory authorities of personal data breaches within 72 hours, along with prompt notification to affected individuals if there is significant risk.

In healthcare, the Health Insurance Portability and Accountability Act (HIPAA) requires entities to notify affected individuals no later than 60 days after discovering a breach. Education organizations fall under the Family Educational Rights and Privacy Act (FERPA), which mandates prompt notification to students or parents if breaches involve personally identifiable information. Financial institutions, governed by the Gramm-Leach-Bliley Act (GLBA), must quickly notify customers when sensitive financial data is compromised.

Interestingly, only 6% of the incidents identified involved private organizations, which generally face less rigorous disclosure requirements. This raises a critical question: is the actual number of data breaches in private companies genuinely low, or are many incidents simply going unreported due to weaker regulatory obligations?


Human Error Caused 68% of Spreadsheet-Related Data Breaches

Human error was by far the leading cause of spreadsheet-related data breaches, accounting for 68% of all incidents. These errors typically include accidental disclosures, inadvertently sharing files containing hidden sensitive data, or failing to anonymize sensitive information prior to release, especially in responses to Freedom of Information (FOI) requests. Software misconfigurations leading to inadvertent access ranked second, causing 14% of the incidents.

[Chart: Spreadsheet-Related Data Breaches by Cause]

A deeper examination of human error incidents revealed that 54% resulted specifically from accidental disclosures. For instance, in 2024, a staff member at Winter Haven Hospital in Florida mistakenly emailed a spreadsheet containing names, contact details, and treatment data of 2,101 patients from the cardiac rehabilitation department to the wrong recipient. Upon recognizing the error, the employee quickly notified the recipient, who agreed to delete the file.

Additionally, 29% of human error-related incidents involved hidden sensitive data within Excel worksheets. A notable example occurred in 2023 when the Police Service of Northern Ireland (PSNI) inadvertently exposed personal data of 9,483 officers and staff through a hidden Excel worksheet included in an FOI response. The oversight led to a substantial fine of £750,000 imposed on the PSNI.

Furthermore, 8% of incidents arose from failing to anonymize sensitive data prior to publication. In May 2023, South Lanarkshire Council in Scotland unintentionally published personal details—including names, workplaces, salaries, and National Insurance numbers—of around 15,000 employees due to an unredacted spreadsheet mistakenly uploaded in response to an FOI request. While bank details, birth dates, and addresses were not exposed, the council acknowledged the error and quickly removed the data upon discovery.

[Chart: Spreadsheet-Related Data Breaches Caused by Human Error]

Upon further analysis of accidental disclosure incidents, we discovered that 84% were specifically associated with sharing sensitive spreadsheets via email. This finding indicates that nearly one-third (31%) of all spreadsheet-related data breaches occurred when users inadvertently emailed spreadsheets containing confidential information to unauthorized recipients.


Average Cost of a Spreadsheet-Related Data Breach: $4 Million USD

Spreadsheet-related data breaches can carry significant financial consequences. Although many incidents analyzed did not explicitly report financial losses, seven of the 51 breaches reviewed provided clear financial loss figures. After converting these amounts to U.S. dollars and adjusting for inflation using CPI data, we determined the average cost per spreadsheet-related data breach to be approximately $4 million USD.

It is important to note that several incidents without reported financial losses are currently undergoing legal proceedings or awaiting regulatory actions, meaning future disclosures may further influence these figures. For instance, the 2020 Virgin Media breach could result in substantial financial penalties, with potential compensation claims reaching up to £4.5 billion based on estimates of around £5,000 per affected individual for financial and emotional distress. However, since no official fines or settlement amounts have been confirmed yet, this incident was excluded from our current average calculation of $3.9 million per breach.


How to Prevent Spreadsheet-Related Data Breaches

Businesses can adopt several strategies to significantly reduce or even eliminate spreadsheet-related data breaches. One effective method involves deploying Data Loss Prevention (DLP) solutions, such as Microsoft Purview or Google Workspace DLP, which scan, quarantine, or block outgoing emails containing Excel files with sensitive data. Additionally, organizations should enhance their defenses against cyberattacks by implementing robust security measures across all systems. Regular configuration audits, supported by automated scanning tools like Varonis or Microsoft Purview, can help detect and rectify misconfigured access permissions promptly, reducing vulnerabilities from software misconfigurations.
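The hidden-worksheet exposures discussed earlier (the PSNI FOI response) and the DLP-style scanning of outgoing Excel files described in this section both come down to inspecting a workbook before it leaves the organization. The script that follows is an added example, written for this article and not taken from it or from any of the products it names. It assumes only that an .xlsx file is a zip archive of XML parts (which it is), uses nothing beyond the Python standard library, and builds its own small sample workbook in memory; the workbook, the names in it, and the value AB123456C are constructed, and the National Insurance number pattern is a deliberately simplified shape rather than a full validator.

```python
"""Pre-release check for an .xlsx: hidden sheets, hidden rows/columns and
sensitive-looking strings. Standard library only. The sample workbook is
constructed for this example and contains only the parts the check reads."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

# Simplified UK National Insurance number shape: two letters, six digits, suffix A-D.
# Real validation also rejects certain prefixes; this is a coarse DLP-style detector.
SENSITIVE_PATTERNS = {
    "uk_national_insurance": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}


def build_sample_workbook() -> bytes:
    """Constructed .xlsx: one visible sheet, one 'hidden' and one 'veryHidden'
    sheet, a hidden column and row, and one NI-style value in the string table."""
    ns = NS[1:-1]
    workbook_xml = (
        f'<workbook xmlns="{ns}"><sheets>'
        '<sheet name="Summary" sheetId="1"/>'
        '<sheet name="Staff" sheetId="2" state="hidden"/>'
        '<sheet name="Payroll" sheetId="3" state="veryHidden"/>'
        "</sheets></workbook>"
    )
    sheet1_xml = (
        f'<worksheet xmlns="{ns}">'
        '<cols><col min="3" max="3" width="0" hidden="1"/></cols>'
        '<sheetData><row r="1"><c r="A1" t="s"><v>0</v></c></row>'
        '<row r="2" hidden="1"><c r="A2" t="s"><v>1</v></c>'
        '<c r="C2" t="s"><v>2</v></c></row></sheetData></worksheet>'
    )
    shared_strings_xml = (
        f'<sst xmlns="{ns}" count="3" uniqueCount="3">'
        "<si><t>Total headcount</t></si><si><t>Alice Example</t></si>"
        "<si><t>AB123456C</t></si></sst>"  # AB123456C is a constructed value
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1_xml)
        zf.writestr("xl/sharedStrings.xml", shared_strings_xml)
    return buf.getvalue()


def hidden_sheets(xlsx_bytes: bytes) -> list:
    """(name, state) for each sheet that is 'hidden' or 'veryHidden'. A veryHidden
    sheet cannot be unhidden from the Excel UI, so visual review never sees it."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [(s.get("name"), s.get("state")) for s in root.iter(NS + "sheet")
            if s.get("state", "visible") != "visible"]


def hidden_rows_and_cols(xlsx_bytes: bytes) -> dict:
    """Worksheet part -> hidden column ranges and hidden row numbers. Parts are
    reported by path; mapping part to sheet name needs workbook.xml.rels (omitted)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for part in zf.namelist():
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(part))
            cols = [(c.get("min"), c.get("max")) for c in root.iter(NS + "col")
                    if c.get("hidden") in ("1", "true")]
            rows = [r.get("r") for r in root.iter(NS + "row")
                    if r.get("hidden") in ("1", "true")]
            if cols or rows:
                findings[part] = {"hidden_cols": cols, "hidden_rows": rows}
    return findings


def sensitive_strings(xlsx_bytes: bytes) -> list:
    """Scan the shared-string table (where text cells live) for the patterns above."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if "xl/sharedStrings.xml" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    hits = []
    for t in root.iter(NS + "t"):
        for label, pattern in SENSITIVE_PATTERNS.items():
            hits.extend((label, m) for m in pattern.findall(t.text or ""))
    return hits


def release_check(xlsx_bytes: bytes) -> dict:
    """Aggregate the three checks; anything hidden or sensitive blocks release."""
    report = {
        "hidden_sheets": hidden_sheets(xlsx_bytes),
        "hidden_rows_and_cols": hidden_rows_and_cols(xlsx_bytes),
        "sensitive_strings": sensitive_strings(xlsx_bytes),
    }
    report["safe_to_release"] = not any(report.values())
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(release_check(build_sample_workbook()), indent=2))
```

The structural checks are the cheap part that commercial DLP often leaves out: a content scanner looks at cell text, but a sheet marked veryHidden or a column with zero width still ships its data, and reviewers working in the Excel UI will not notice either. Running a check like this at the point of publication (an FOI release queue) or in a mail-gateway hook, and blocking on any non-empty finding, addresses the failure modes behind the PSNI and South Lanarkshire incidents directly.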

However, addressing the root cause of spreadsheet-related breaches can offer even greater protection. For example, in a 2022 incident, a spreadsheet containing nearly 200,000 rows of sensitive data was accidentally emailed to 587 incorrect recipients. Such risks are prevalent when spreadsheets—particularly those serving as standalone applications like reporting tools that summarize data through formulas or pivot tables—are routinely distributed via shared drives or email attachments.

A safer alternative involves transforming these spreadsheets into secure, centralized web applications. This strategy ensures controlled user access without sharing the actual spreadsheet files. While the underlying data and business logic remain securely within the spreadsheet, users only interact through a protected web interface. Platforms like SpreadsheetWeb specialize in converting traditional spreadsheets into secure web applications, allowing businesses to continue leveraging their existing spreadsheet resources while effectively restricting user access to precisely defined parameters.