ICO Data Security Incident Trends
Hayes Connor takes a deep dive into recent statistics released by the Information Commissioner’s Office (ICO) to see how businesses have been conforming to the GDPR since its inception.
In our digitally led society, personal data is a valuable commodity, and when it falls into the wrong hands, the repercussions can be severe. Individuals trust organisations with their personal data on a daily basis, and it’s the responsibility of those companies to follow the correct data protection laws.
Since the GDPR was introduced, organisations that handle personal data have been obliged to follow GDPR rules to protect the data they collect and store. Negligent data protection practices can leave companies in legal trouble, which is why it’s vital that businesses take steps to understand their accountabilities.
The ICO publishes an ongoing data security report presenting key insights into data security incident trends since the introduction of the GDPR. The findings in this report can support organisations with data protection and handling, so that they are aware of what to look for and can take the correct action where necessary.
Hayes Connor has explored this data to see what patterns have emerged.
Data breach findings since the introduction of the GDPR
Since the GDPR was introduced, there have been a reported 32,541 data breaches recorded by the ICO. The highest number of incidents so far occurred in 2021, where there were a reported 9,473 cases.
Perhaps surprisingly, 80% of incidents over this time period were non-cyber related. A non-cyber incident is a breach with no clear technological or online element involving a third party with malicious intent. This includes incidents where information is emailed to the wrong recipient(s) by mistake, or where errors are made with paper filing systems.
According to the ICO, incidents where data is emailed to the wrong recipient are the most common type of data breach reported. This is true across almost all industries, from the finance world to the legal sector to the social care industry.
Cyber incidents appear to have decreased over time. However, this could be partly due to the way the ICO categorises incidents. In 2019, the ICO re-categorised hardware/software misconfiguration as a non-cyber incident, so part of the apparent decrease in cyber incidents may simply reflect that change in classification.
Trends in data breach types
Interestingly, nearly 1 in 5 data breaches since the GDPR have been breaches of victims’ health data. However, as the years go by, health data breaches are steadily decreasing. In 2019 and 2020, 28% of cases were health data breaches. This decreased to 21% of cases in 2021, and just 13% of cases so far in 2022.
During 2019, 84% of data breaches revealed the basic personal identifiers of victims, rising to 86% the following year. Personal identifiers refer to common identifiers that, when accessed, may lead to the identification of the individual. These identifiers may include names, location data, identification numbers, or online information such as IP addresses.
The exposure of personal identifiers can be incredibly damaging for victims. There are various potential negative consequences, including invasion of privacy, financial losses, identity theft and emotional distress.
The number of cases where personal identifiers were exposed decreased substantially in 2021 and in 2022 so far, dropping first to 57% and then to 29% to date. Despite this, in each of these years there has been a steady increase in data breaches involving “unknown” data types, which is somewhat concerning. It suggests that companies are sometimes unable to identify what data was actually at risk during a breach.
Since the introduction of the GDPR, an average of 15% of data breaches have exposed economic and financial data. These types of breaches are particularly concerning because victims of such data breaches may fall victim to financial fraud. The organisations responsible are likely to face significant reputational damage.
Insights on data breach victims
The UK GDPR asserts that children need specific protection when it comes to their personal data. Naturally, they are likely to be less aware of the safeguards, consequences, and risks with regard to personal data processing.
ICO data shows that approximately 650 data breaches since the GDPR was introduced have involved children’s data.
A large majority of breaches involving children’s data occur in the education sector. According to the GDPR, the sector was responsible for, ‘at least 172 data breaches in 2021, making it the second most vulnerable to security incidents.’
Stats show that schools are often vulnerable to ransomware attacks, making up ‘41% of all incidents.’ Throughout the COVID-19 pandemic, schools faced IT security challenges as they rapidly moved all educational activities online.
Patterns concerning incident type
Since the GDPR came into effect, stats show that 15% of data security cases have been caused by emails being sent to the wrong recipient(s). These cases seem to be steadily increasing every year, climbing from 11% in 2019 to 18% so far in 2022.
Timesaving tools, such as autofill prediction, may be partly responsible for the increase in this type of data breach. If you begin typing the correct recipient’s name and autofill predicts an incorrect recipient with a similar or the same name, it’s easy to miss this type of error.
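As an added illustration (not code from this post or from the ICO), the following pre-send check targets exactly the autofill mix-up described above: each outgoing recipient is compared against the address book for a contact with the same base name, a near-identical display name, or a near-identical mailbox name, so the sender is warned before the message leaves. The address book, the recipients, the function names and the similarity threshold are all constructed assumptions.

```python
# Added example (not from the Hayes Connor post or the ICO data): a pre-send
# check that flags an outgoing recipient when the address book holds a
# near-identical contact that autocomplete could have offered instead.
from difflib import SequenceMatcher

# Constructed address book: display name -> email address
ADDRESS_BOOK = {
    "Sarah Jones": "sarah.jones@example-client.co.uk",
    "Sarah Johns": "sarah.johns@example-client.co.uk",
    "Sam Jones": "s.jones@example-other.com",
    "Sarah Jones (personal)": "sarahjones99@example-webmail.com",
    "Tom Patel": "tom.patel@example-internal.com",
}

SIMILARITY = 0.85  # assumed threshold; tune against your own address book


def _local_part(addr: str) -> str:
    return addr.split("@", 1)[0].lower()


def _base_name(name: str) -> str:
    # "Sarah Jones (personal)" and "Sarah Jones" are the same person
    return name.split(" (", 1)[0].strip().lower()


def _similar(a: str, b: str) -> bool:
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= SIMILARITY


def lookalike_recipients(recipients, address_book=ADDRESS_BOOK):
    """Map each risky recipient to the address-book entries it could be confused with.

    A contact is confusable with the chosen recipient when it shares the same
    base name, or its display name or mailbox local part is near-identical.
    """
    name_of = {addr.lower(): name for name, addr in address_book.items()}
    warnings = {}
    for rcpt in recipients:
        chosen_name = name_of.get(rcpt.lower())  # None if typed by hand
        confusable = []
        for name, addr in address_book.items():
            if addr.lower() == rcpt.lower():
                continue
            same_person = chosen_name is not None and _base_name(name) == _base_name(chosen_name)
            close_name = chosen_name is not None and _similar(name, chosen_name)
            close_local = _similar(_local_part(addr), _local_part(rcpt))
            if same_person or close_name or close_local:
                confusable.append(addr)
        if confusable:
            warnings[rcpt] = confusable
    return warnings
```

A non-empty result is the point at which a mail client or gateway would ask the sender to confirm the recipient rather than silently delivering the message.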
Besides these types of data breaches, other notable patterns on incident type include:
- 1 in 10 data breaches are phishing
- 1 in 10 involve data being faxed or posted to the wrong person
- 1 in 20 incidents involve ransomware attacks
How do phishing breaches occur?
Phishing breaches occur when criminals pose as trusted organisations or individuals in an attempt to persuade the victim to provide sensitive data, or to hand over the credentials needed to access certain systems. Phishing attacks often take place via email; common examples include:
- Company impersonation: Cyber criminals may send emails pretending to be the CEO of a company, or the HR department. With these tactics, they attempt to steal sensitive data or money, for example by requesting a funds transfer or asking the recipient to update personal details.
- Malware: The recipient of the email is tricked into clicking on an email attachment which then installs malicious software onto the company network or a computer.
Data shows that the number of phishing attacks has decreased so far in 2022. In a business context, this could be down to the fact that many companies have provided employees with improved and consistent security training over the last few years.
Size and scale of data breaches
Research concludes that nearly 1 in 2 data breaches are small scale, involving just 1 to 9 subjects. For example, in 2021, 41% of breaches affected 1 to 9 subjects compared to just 1% that affected 100k and above.
According to ICO research, there are several factors that impact whether a data breach incident will result in an investigation. One of these factors is the number of people affected.
ICO data showed that, ‘54% of incidents affecting more than 100k data subjects result in an investigation being potentially pursued vs. 6% of those affecting less than 10 data subjects.’
While these numbers seem small scale, the significance of the issue should not be ignored. Even small data breaches can have hugely negative consequences for both individuals and companies. Individuals whose data has been compromised risk privacy invasion and potentially identity theft, while businesses risk financial trouble and legal issues.
Average data breach reporting time frames
According to the UK GDPR, all organisations are obligated to report personal data breaches within 72 hours of being aware of the breach.
The introduction of these rules is reflected in recent data breach reporting time patterns. For instance, since the GDPR, an average of 38% of data breaches were reported between 24 and 72 hours after discovery, compared to just 17% of data breaches that took over one week to report.
Data breach statistics by industry
The ICO data does not only provide statistics along one dimension; the ICO also cross-references the figures so that different aspects of the data can be compared. A key example is the industry statistics, which have been broken down in greater detail. These shed an interesting light on how each industry compares when we take into account:
- Time frames to report data breaches
- Number of subjects affected
- Incident category
- Incident type
- Data type
Industry comparisons for data breach reporting timeframes
Across industries, there were some significant differences in the time it took to report a data breach.
In the health sector, 1,702 data breach cases were reported in under 24 hours, which was 28% of that sector’s cases. In the education sector, 1,277 cases were reported in under 24 hours, also representing 28% of cases. These were the highest scoring sectors for reporting breaches in under 24 hours, closely followed by the social care sector at 27%.
Industries like marketing and media were far less likely to report data breach cases in under 24 hours, scoring just 23% and 16%, respectively.
Breaches of health information and children’s data are arguably more serious and sensitive in nature, which could explain the fast response times. However, it’s worth noting that the marketing and media sectors experienced far fewer data breaches overall compared to sectors like health and education.
Where the marketing sector did experience data breaches, reporting times fell between 24 to 72 hours 52% of the time (a higher score than all other sectors for this reporting timeframe).
Industry comparisons for number of subjects affected
The health care sector experienced the highest percentage of small-scale data breaches; 63% of cases affected between 1 and 9 subjects. Other sectors that experienced a significant proportion of small-scale breaches were central government (63%) and the legal sector (63%).
The marketing industry held the lowest score again, at 16%. However, 37% of data breaches in the marketing sector affected an ‘unknown’ number of subjects, making it difficult to accurately assess data breach scale across all incidents.
Industry comparisons for incident category
The highest proportion of cyber-related data breaches occurred in the marketing industry, at 46%. Cyber-related breaches were least common in central government, accounting for just 5% of breaches; a huge 95% of data breaches in central government were non-cyber related.
Interestingly, the majority of industries had high scores for non-cyber-related breaches, for instance 80% in the legal sector, 96% in the justice sector, and 92% in the health sector.
Industry comparisons for incident type
As previously discussed, the majority of non-cyber-related incidents were caused by emails sent to the wrong recipient. These incidents have been a particularly prevalent issue in the legal sector, where nearly 28% of cases were caused this way.
Other high scoring sectors for this incident type included:
- Nearly 20% of cases in the education sector
- Almost 20% of cases in the social care industry
- Nearly 19% in the finance and insurance sector
In contrast, the sector which has experienced the lowest occurrence of incorrect email incidents is the justice sector, with just 6.60% of such cases.
In central government, emails sent to the wrong recipient accounted for around 10% of cases. However, events where data was posted or faxed to the wrong person made up a significant 30%.
Industry comparisons for data type
Data breaches involving basic personal identifiers are commonplace across the majority of sectors. Since the GDPR introduction, the sectors with the highest incidents involving personal identifiers have included:
- The political sector: 74%
- General business: 75%
- Finance, insurance, and credit: 74%
- Religious: 75%
Personal identifier related breaches were the least prevalent in the online technology and telecoms sector, though still a substantial figure at 61%.
Health data breaches were particularly common in the charity and voluntary sector (25%), as well as the education and childcare (25%) and social care sectors (39%). This is because these sectors are more likely to collect and store personal health information compared to more commercially based industries.
How can Hayes Connor help?
If your personal data has been compromised as a result of security failings by an organisation, you may be entitled to claim GDPR compensation.
At Hayes Connor Solicitors, we have significant expertise supporting clients who’ve had their data exposed due to data protection negligence. We can support claims for privacy loss, distress, and financial losses.
Equally, if you are a business leader looking for support and guidance with the GDPR, we can support you.