More than 25% of UK councils have had their computer systems breached in the past five years, campaigners say.
A report by privacy group Big Brother Watch based on freedom of information requests found 114 councils experienced at least one incident between 2013 and 2017.
The group said it was “shocked” that staff often lacked cyber-training.
The Local Government Association said councils took their privacy responsibilities “extremely seriously”.
Big Brother Watch said it had received responses from 395 local authorities and that, of the 114 that said their systems had been breached, 25 reported they had experienced a data loss or breach as a result.
It said the majority of successful cyber-attacks began with so-called phishing emails designed to trick staff into revealing passwords and other data.
Big Brother Watch said humans were the weakest link the cyber-security chain and the risk could only be reduced by introducing training for all council employees.
Three-quarters of councils did not provide mandatory cyber-security training, and 16% did not provide any at all, according to the report.
Jennifer Krueckeberg, lead researcher at Big Brother Watch, said: “One would assume that they [councils] would be doing their utmost to protect citizens’ sensitive information.
“Local authorities need to take urgent action and make sure they fulfil their responsibilities to protect citizens,” she added.
Based on the FoI data, the report estimates the number of cyber-attacks on local authorities, which hold the data of millions of residents, at 98 million between 2013 and 2017.
This amounts to 37 attacks every minute.
A Local Government Association spokesman said: “Very few of these attacks actually manage to breach the firewalls or scanning systems in place.”
He added that councils were working with the National Cyber Security Centre to ensure their systems “are as robust and resilient as possible”.
It comes as figures released earlier this month by the National Cyber Security Centre showed Britain is repelling millions of attacks a month.
They showed that councils are among the organisations most commonly imitated in emails designed to gain trust.