Data Breach Statistics 2020
Data breaches happen all the time – whether due to human error, such as sending an email containing sensitive data to the wrong person, or due to malicious activity, such as cyber criminals hacking a company’s systems. But how common are data breaches? What are companies doing to minimise the risks of a data breach occurring?
We recently commissioned a study of UK office workers to look at how companies are dealing with data protection issues whilst working from home during the coronavirus pandemic, which has become the norm in 2020.
The study looked at various issues, including what companies have been doing to comply with their data protection obligations. It also looked at where mistakes have been made and what effects home working and the lockdown have had on the risks posed to the public’s personal data.
We also looked more generally at how common data breaches are, what the consequences are for companies facing them and whether lessons are being learned following a data breach.
According to the respondents to our survey:
- 1 in 5 had received no data protection guidelines while working from home during lockdown.
- 1 in 5 had received no training for handling company data, GDPR or cyber security.
- 1 in 4 companies are not using encrypted email software.
- 2 in 3 companies are failing to put both password protection and encryption security policies in place.
- 2 in 3 employees who printed documents at home admitted to putting these documents in the bins both in and outside their house.
What does this mean for the general public?
“These are very basic data protection failings that companies and their employees are making. All of these issues significantly increase the risk of data breaches occurring whilst home working continues, which we have to assume is going to be the norm during the rest of the pandemic.
“This is likely to have real world consequences for the general public as it makes it much easier for your data to end up in the wrong hands. This could be fraudsters getting hold of your financial details or someone finding out sensitive information about you or your family. The impact of this could be devastating.” – Richard Forrest, Senior Associate at Hayes Connor.
Data breaches and lockdown
When the COVID-19 lockdown began in March 2020, it had a huge impact on the way people worked. There have been significant implications for data protection, as many people began working from home for the first time, often without the right equipment or training in order to keep people’s data safe.
Our research uncovered serious failings in the way many companies responded to the challenges of the move to home working and complying with their data protection obligations.
1. Companies were too slow to react to the move to home working
When lockdown happened, companies and their employees were left scrambling to adapt and figure out how to make working from home happen. Unfortunately, our research found that many businesses simply didn’t react fast enough or well enough when it came to complying with their data protection obligations.
- Less than half (47%) said their company was “very quick” to ready their employees for protecting client and company data when remote working began as a result of lockdown.
- Around 1 in 3 (35%) said they were somewhat quick but could have been even quicker.
- 1 in 10 (10%) said they were not really that quick.
- A further 1 in 10 (13%) doubted that their company had done this at all.
- Of the 250 respondents who gave a doubtful response:
  - 1 in 4 (28%) said that, since then, their company had failed to make any preparations to protect client and company data from breaches.
  - 2 in 5 (42%) were unsure.
Hayes Connor’s view:
“Whilst the lockdown may have caught companies off-guard, data protection is never something companies should take lightly. The organisations that did not react at all, or even those that did not react fast enough to the change to home working, have really let down the people whose data they hold.
“If data breaches happen as a result of these failings, then the people affected will draw no comfort from the companies blaming the impact of the pandemic.” – Christine Sabino, Senior Associate at Hayes Connor.
2. Not providing employees with data protection guidelines
Employers have a legal duty to provide employees with clear data protection guidelines to ensure they are taking the right actions to protect any data they deal with.
When lockdown happened, many companies needed to quickly update those guidelines to reflect the change to home working. However, our research found that many employees reported not having received the appropriate guidance.
- 1 in 5 (20%) said their employer had not provided them with data protection guidelines.
- A further 1 in 10 (10%) said they were unsure whether guidelines have been provided.
- 1 in 5 (18%) said their company did not have a Data Protection Officer or they did not know if they did.
Hayes Connor’s view:
“The stats confirm a worryingly high number of employees haven’t received data protection guidelines or aren’t sure if they have or not. Human error is the leading cause of data breaches so companies not doing enough to inform their staff of what they need to be doing to protect sensitive data is shocking.
“Companies are putting people’s data at serious risk by not providing employees with data protection guidelines during the pandemic.” – Richard Forrest, Senior Associate at Hayes Connor.
3. Careless storage and disposal of documents
Whilst office work is increasingly becoming paperless, there will always be times when documents with sensitive data need to be printed off. This creates the potential for that data to be mislaid, stolen or simply read by someone who shouldn’t have seen it.
Working from home increases this risk, especially when it comes to having somewhere secure to store sensitive documents and how documents are disposed of when they are no longer needed.
- Just under half of employees (45%) said that they had been printing work documents at home.
- Of those who said this, more than a third (35%) said they put them in the bin at their house, while 31% said they put them in the bin outside.
- 2 in 5 (43%) said that they did not shred their documents before disposing of them.
Hayes Connor’s view:
“The fact that so many people are putting work documents in bins is perhaps the single most shocking finding to come out of this research. This is completely unacceptable. By doing this the documents can easily fall into the wrong hands and the impact of this can be devastating.
“It is far more common than people might think for criminals to go through bins looking for sensitive data they can use for the purposes of fraud. There’s also the risk of very personal information about someone’s private life such as divorce or court proceedings becoming public knowledge due to the careless handling of documents.
“This type of complete disregard for basic data protection is completely unacceptable and it is something companies must make sure they are addressing with straightforward guidelines for storage and disposal of documents.
“The cost of basic training and supplying employees with a shredder is nothing compared to the potential consequences of not following the guidelines.” – Richard Forrest, Senior Associate at Hayes Connor.
4. Not providing the right equipment
For many people with work laptops, switching to homeworking may have seemed as simple as picking their laptop up and taking it home with them. However, not everyone who needs a work laptop has one and, even when they do, the way many people are using their work laptops is still creating a serious risk of data breaches occurring.
- Around 1 in 4 (24%) had been working remotely from a personal laptop.
- Around 2 in 5 (39%) said that they had been using their work laptop for personal use as well as work. Just over a third (35%) said they had been doing the same with their smartphone that was provided by work.
- 1 in 5 (20%) said they had not been working from home on a secure network.
Hayes Connor’s view:
“Nobody should be doing work on their personal laptop, especially if they are going to be accessing or downloading sensitive data. The way we use our personal laptops, and the fact they will often have less effective cybersecurity, means they are at much greater risk of being hacked.
“There is also the increased risk of someone else using the laptop, or even the laptop being left in a cafe or on the train, meaning the data that should have been kept private gets seen by someone who shouldn’t have seen it.
“Using your work laptop for personal use also means there is more of a chance of picking up a virus or other form of malware, putting the data on the laptop at risk.
“Similarly, not using a fully secure network to connect to essential business systems makes the whole business much more vulnerable to cyberattacks, putting any data the company holds at risk.” – Christine Sabino, Senior Associate at Hayes Connor.
5. Poor cyber security
There are various measures organisations should take to protect the data they handle. These include everything from the basics, such as ensuring their systems are password protected, to more technical measures, such as using encrypted email software.
While most people are aware of the need for such measures, our research found that many companies are failing to put them in place.
- Only around a third (34%) said their company had both password protection and encryption security policies in place.
- Just under a third (32%) said that their company only had encryption security policies in place.
- Around 1 in 4 (24%) said that they only had password protection.
- Around 1 in 3 (34%) of companies are not using encrypted email software.
- 1 in 5 (20%) said they had received no training at work for GDPR, cyber security, or handling company data.
Hayes Connor’s view:
“It is not surprising that companies are not doing enough in this area, as these types of failings were an issue long before COVID-19 impacted on us all. However, given the move to homeworking, these issues have taken on an even greater importance. This is because there isn’t even the basic protection of your computer being stored in a secure office.
“If you have weak security in place for systems that can be accessed by laptops that are just lying around at home, it makes it much easier for the wrong person to see something they shouldn’t. That’s not to mention the risk of cybercriminals hacking into your systems, which, as we have discussed before, is more likely if you are on an unsecured network at home.
“Getting basic cyber security measures in place, such as password protection and encryption, is something no organisation should ignore. If a data breach does occur, these types of failings will almost certainly be seen by the Information Commissioner’s Office (ICO) as a failure by an organisation to meet its obligations under the Data Protection Act.” – Christine Sabino, Senior Associate at Hayes Connor.
General data breach statistics
As well as looking at the impact of lockdown on data protection and breaches, we also wanted to build a more general picture of what the data breach landscape looks like.
This included looking at issues such as how common data breaches are, how often regulatory action is taken, and when compensation is awarded. We also looked at some of the factors that affect the likelihood of data breach, as well as employees’ awareness of these issues.
1. How common are data breaches?
- 2 in 5 workers (40%) said their company had been affected by a data breach.
- 1 in 5 (20%) said they were unsure.
- Just 2 in 5 (40%) said they were sure their company had not suffered a data breach.
Our research showed that, where workers said their company had experienced a data breach:
- Their companies experienced an average of just under 19 data breaches each year.
- Just over 1 in 5 (22%) said that their company experienced 30 or more data breaches each year.
2. Are companies doing a good job of keeping data safe?
Companies have a legal duty under the Data Protection Act 2018 (the UK’s version of GDPR) to take appropriate steps to safeguard any personal data they collect, process and/or store.
Our research showed that:
- Around 1 in 3 (37%) employees thought their company was not doing all they could to keep client and company data safe.
- Over two thirds of employees thought their company could do more to ensure the safety of client data.
3. How often is compensation paid for data breaches?
Where a data breach occurs, the person or people whose data was involved can potentially claim compensation from the organisation responsible for the breach.
We found that:
- Just over 1 in 4 (29%) of those surveyed said that, to their knowledge, their organisation had received claims for compensation in relation to a data breach by their firm.
- A further 1 in 4 (24%) said they weren’t sure. Just under half (46%) were sure their company had never received a data breach compensation claim.
4. How does the size of a company affect the frequency of data breaches?
How commonly data breaches occurred, and how certain employees were about whether their company had experienced a breach, varied depending on the size of the company. This may reflect different levels of training and/or awareness around this issue depending on the type of company.
Our research showed that:
- Companies with 250-999 employees (medium to large sized companies) reported breaches the most, with more than half (53%) saying that in the past their company had been affected by a data breach.
- Companies of 1000+ employees (the largest sized businesses) reported the highest levels of uncertainty, with around a third (34%) saying they were unsure if this had happened in the past.
- Reflecting the first point, companies with 250-999 employees also averaged the highest number of breaches per year: 23, as against an average of 16 breaches for companies with 1-249 employees and 14 breaches for companies with 1000+ employees.
- For revenue, companies generating £5m-£25m were the most likely to say they had experienced data breaches in the past, with 56% saying this. This compares to 46% of companies with a revenue of £25m+ and to 34% of £1m-£5m businesses saying the same.
- Companies generating £1m-£5m revenue a year were the most likely to say this had not happened, with around half (53%) saying no.
- By revenue, companies generating £5m-£25m also reported the highest average number of breaches per year, at 21.
5. How does seniority affect employees’ awareness of data breaches?
Not everyone in a company will have the same level of data breach awareness, including knowing when a data breach occurs or what follow up action is taken. However, as companies have a duty to make sure all employees are doing the right things to minimise the risk of data breaches, it is important that employees of all levels are informed.
Our research showed that reports of data breaches increased with seniority. We found that:
- Just under a third (29%) of entry level workers said their company had experienced a breach.
- This gradually increased to over two thirds (71%) of C-level executives saying the same.
- C-level executives reported their companies experienced an average of 30 data breaches per year – much higher than the overall average of 19.
- Around a quarter (26%) of C-levels said they did not know what the ICO was as against around 1 in 10 (9%) of directors and around 1 in 6 (15%) of senior managers saying the same.
- Almost half (49%) of the C-levels that print work documents at home (88 C-levels in total) said they disposed of them in the bin outside.
6. How often is regulatory action taken over data breaches?
When a data breach happens, it must be reported to the Information Commissioner’s Office (ICO). The ICO will investigate and recommend any action that needs to be taken, including potentially issuing a fine and/or requiring that an organisation take steps to improve its data protection practices in future.
Our research showed:
- Two-thirds (66%) of those companies that experienced a data breach had regulatory advice issued to them by the ICO as a result.
- Of those who said this, the advice or actions that had been taken as a result are listed below, ranked from most to least mentioned:

What regulatory advice or action has been taken in order to prevent future data breaches?

| Regulatory advice or action taken | Share of respondents |
|---|---|
| Setting up multi-factor authentication on all systems and logins, for example any new login locations must verify identity through phone number or email address confirmation | 29% |
| Contacting the correct organisation if you are notified of or detect any suspicious activity | 26% |
| Making sure your company has a secure network, for example a VPN | 26% |
| Cutting off old suppliers who may have been unsecure / less reliable | 25% |
| Setting up all work PCs and laptops so they go to sleep automatically after a couple of minutes without use | 25% |
| Bringing in a cyber security specialist to judge how the breach occurred | 25% |
| Installing malware security software on all computers | 24% |
| More staff awareness and training | 24% |
| Increasing budget for our data protection | 23% |
| Installing new protection software | 22% |
| Providing the team with work laptops to use at home or in the office | 22% |
| Providing secure passwords on the arrival of new employees | 20% |
7. How do companies respond to ICO guidance following a data breach?
Companies are required to comply with any guidance issued by the ICO following a data breach. However, this is not always happening. Our research found that, where ICO guidance had been issued to a company:
- Around 2 in 5 (42%) said that their company engaged with guidance from the ICO.
- Just over 1 in 4 (28%) were unsure what the ICO was and around 1 in 6 (15%) were unsure if this guidance had been sought out and engaged with by the company.
- Shockingly, 1 in 10 (10%) of company owners and around 1 in 3 (32%) of partners were unsure what the ICO was.
An online survey was conducted by Atomik Research among 2,006 respondents from the UK, all working in an office. The research fieldwork took place from 19th to 27th October 2020.
Atomik Research is an independent creative market research agency that employs MRS-certified researchers and abides by the MRS Code of Conduct.
What to do if you have been the victim of a data breach?
If you have been the victim of a data breach, you may be entitled to compensation. Where you have experienced financial losses or emotional harm, this can be claimed for, however, you may still be able to claim even if you have not suffered any specific harm.
Hayes Connor is home to one of the largest teams of data breach claims specialists in the country, with a wealth of combined experience in securing compensation for victims of data breaches. We can advise you on whether you are likely to have grounds for a claim, the level of compensation you may be entitled to and what you need to do to start a claim.
Our goal is to ensure that anyone who is affected by a data breach is able to get the compensation they deserve, while making the claims process as simple and stress-free as possible.
You can find out more about our expertise and how we handle data breach claims here.