ICO Data Breach Trends
Hayes Connor takes a deep dive into recent statistics released by the Information Commissioner’s Office to see how businesses have been conforming to the GDPR since its inception.
In our digitally led society, personal data is a valuable commodity, and when it falls into the wrong hands, the repercussions can be severe. Individuals trust organisations with their personal data on a daily basis, and it’s the responsibility of those companies to follow the correct data protection laws.
Since the GDPR was introduced, organisations that handle personal data have been obliged to follow GDPR rules to protect the data they collect and store. Negligent data protection practices can leave companies in legal trouble, which is why it’s vital that businesses take steps to understand their accountabilities.
The ICO publishes an ongoing data security report presenting key insights into data security incident trends since the introduction of the GDPR. The findings in this report can support organisations with data protection and handling, so that they are aware of what to look for and can take the correct action where necessary.
In the UK, we saw some huge data breaches in 2023 that affected thousands of people. So, do the ICO statistics from 2023 reflect the news coverage we saw throughout the year? Hayes Connor have explored this data to see what patterns have emerged.
Data breach statistics 2019-2023
Since the GDPR was introduced, the ICO has recorded 51,581 reported data breaches. The highest annual total so far was in 2023, with 11,079 reported cases.
Perhaps surprisingly, 76% of incidents over this period were non-cyber. The ICO classes an incident as non-cyber when it has no clear online or technological element involving a third party with malicious intent; this covers, for example, information emailed to the wrong recipient(s) by mistake, or errors made with paper filing systems.
According to the ICO, incidents where data is emailed to the wrong recipient are the most common type of data breach reported. This holds across almost every industry, from finance to the legal sector to social care.
Cyber incidents peaked moving into 2023, reaching an all-time high in Q2. Given that most reported breaches stem from human error, this points to a genuine rise in incidents with a malicious technological element, such as hacking, ransomware and phishing, rather than in simple misdirection of information.
Trends in data breach types 2019-2023
Over the period as a whole, 81% of data breaches exposed victims’ basic personal identifiers. That share dipped to 71% in 2021, recovered to 79% in 2022, and reached 83% in 2023.
Personal identifiers refer to common identifiers that, when accessed, may lead to the identification of the individual. These identifiers may include name, location data, identification numbers, or online information such as IP addresses. The exposure of personal identifiers can be incredibly damaging for victims. There are various potential negative consequences including invasion of privacy, financial losses, identity theft and emotional distress.
The second most common type of data breached since the GDPR began is health data. In fact, over 1 in 4 data breaches since the GDPR have involved victims’ health data, accounting for between 25% and 29% of breaches each year since 2019 and just over 27% in 2023.
Breaches of health information and children’s data are arguably more serious and sensitive in nature. It’s worth noting that the marketing and media sectors experienced far fewer data breaches overall than sectors like health and education.
The third most common type of data breached is economic and financial data, exposed in an average of 17.5% of breaches. These breaches are particularly concerning because victims may go on to suffer financial fraud, and the organisations responsible are likely to face significant reputational damage.
Insights on data breach victims 2019-2023
The UK GDPR asserts that children need specific protection when it comes to their personal data. Naturally, they are likely to be less aware of the safeguards, consequences and risks involved in the processing of their personal data.
ICO data shows that 5,892 reported data breaches since the GDPR was introduced have involved children’s data, just over 12% of breaches overall.
Given that the education sector is the second most likely to experience a data breach, accounting for 14% of breaches, this comes as little surprise.
Schools are also a frequent ransomware target, particularly over the Christmas, Easter and summer holidays, when systems are left unattended for long periods and an intrusion can run for days before anyone notices.
Customers or prospective customers top the list of affected data subjects, at 32% of all breaches. Employees come second at 26%, and patients, at 13%, narrowly exceed children.
Patterns in data breach incident type 2019-2023
Since the GDPR came into effect, 16% of reported data security incidents have been caused by emails sent to the wrong recipient(s). The share rose every year, from 11% in 2019 to 18% in 2022, before falling back to 16% in 2023.
Time-saving features such as recipient autocomplete may be partly responsible. If you begin typing the correct recipient’s name and the mail client suggests a different contact with the same or a similar name, the error is easy to miss. The usual controls against this are a warning prompt when a message is addressed to an external recipient, periodic clean-up of cached addresses, and a short send delay that gives the sender a chance to recall the message.
Besides these types of data breach, other notable patterns for incident type include:
- 1 in 10 data breaches involve phishing
- 1 in 10 involve data being faxed or posted to the wrong person
- Nearly 7% of incidents involved ransomware attacks
What percentage of data breaches start with phishing?
Phishing breaches occur when criminals pose as trusted organisations or individuals in an attempt to persuade the victim to hand over sensitive data, or to give up the credentials needed to access certain systems. Phishing attacks most often arrive by email. Common examples include:
- Company impersonation: Criminals send emails pretending to be the CEO of a company or the HR department, requesting a money transfer or an update to personal details in order to steal funds or sensitive data.
- Malware: The recipient is tricked into opening an attachment or clicking a link that installs malicious software on their computer or on the company network.
Phishing accounted for 8.4% of reported breaches in 2023, against an average of 9.38% across the full five-year period. The decline may partly reflect the improved and more consistent security awareness training many companies have given their employees in recent years, although the figures themselves do not record a cause.
Size and scale of data breaches 2019-2023
The ICO figures show that nearly 1 in 2 data breaches are small scale, involving 1 to 9 data subjects. In 2023, for example, 46% of breaches affected 1 to 9 subjects, compared with just 1% that affected 100,000 or more.
According to ICO research, there are several factors that impact whether a data breach incident will result in an investigation. One of these factors is the number of people affected.
ICO data showed that, ‘54% of incidents affecting more than 100k data subjects result in an investigation being potentially pursued vs. 6% of those affecting less than 10 data subjects.’
While these numbers seem small scale, the significance of the issue should not be ignored. Even small data breaches can have hugely negative consequences for both individuals and companies. Individuals whose data has been compromised risk privacy invasion and potentially identity theft, while businesses risk financial trouble and legal issues.
Average data breach reporting time frames 2019-2023
What is the average breach of security reporting time frame?
Under the UK GDPR, a controller must notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where notification is late, the controller must give reasons for the delay.
What the data breach trends show
The introduction of these rules is reflected in the trends. Since the GDPR, an average of 38% of data breaches have been reported between 24 and 72 hours after the organisation became aware of them, compared with just 18% that took over a week to report.
Data breach statistics by sector 2019-2023
Looking at the ICO trends in greater detail, we can see how each sector performed over the last five years when it came to data breaches.
Industry comparisons for data breach reporting timeframes 2019-2023
Across industries, there were some significant differences in the time it took to report a data breach.
In the health sector, 2,361 data breaches were reported in under 24 hours, 27% of that sector’s incidents. In the education sector, 1,868 breaches were reported in under 24 hours, 28% of its incidents. Both were among the five highest-scoring sectors for reporting breaches in under 24 hours, alongside the social care sector at 27.5%.
The highest-scoring sector in this regard was the political sector, with over 28% of breaches reported within this short timeframe.
The marketing and media sectors were far less likely to report data breaches in under 24 hours, scoring just 18% and 16% respectively.
Where the marketing sector experienced data breaches, reporting took between 24 and 72 hours 49% of the time, a higher share than any other sector for this timeframe apart from utilities.
Industry comparisons for number of subjects affected by data breach 2019-2023
The health care sector experienced the highest percentage of small-scale data breaches, with 66% of cases affecting between 1 and 9 subjects. Other sectors with a significant share of small-scale breaches were central government (65%) and the legal sector (63%).
The marketing industry held the lowest score again, at 19%. However, 29% of data breaches in the marketing sector affected an ‘unknown’ number of subjects, making it difficult to accurately assess data breach scale across all incidents.
Industry comparisons for data breach incident category 2019-2023
The highest share of cyber-related data breaches occurred in the retail and manufacturing industry, at 54%. Online technology and telecoms, marketing, and media followed, at between 44% and 51%.
Cyber-related breaches were least common in central government, the political sector and the justice sector, accounting for just 6%, 4% and 3% of breaches respectively. A huge 95% of data breaches in central government were non-cyber.
In fact, most industries had high shares of non-cyber breaches, for instance 75% in the legal sector, 97% in the justice sector and 92% in the health sector.
The sectors for which the ICO figures give a clear cyber-related share are:
- Retail and manufacture 54%
- Online technology and telecoms, marketing, and media between 44% and 51%
- Legal around 25%
- Health around 8%
- Central government around 6%
- Political around 4%
- Justice around 3%
- All sectors combined around 24%
The ICO breakdown also covers general business; transport and leisure; finance, insurance and credit; religious organisations; land or property services; membership associations; charitable and voluntary organisations; utilities; education and childcare; social care; regulators; and local government. The percentages for those sectors are not reproduced here.
Industry comparisons for data breach incident type 2019-2023
As previously discussed, the most common non-cyber incident type was an email sent to the wrong recipient. These incidents have been a particularly prevalent issue in the legal sector, where nearly 29% of cases were caused this way.
Other high scoring sectors for this incident type, included:
- Nearly 1 in 4 cases in the political sector
- 1 in 5 cases in the education, childcare and social care sectors
- Nearly 17% in the finance and insurance sector
In contrast, the sector with the lowest occurrence of misdirected email incidents is online technology and telecoms, at just 7% of cases. In this industry, phishing and unauthorised access topped the list, at around 14% each.
In central government, emails sent to the wrong recipient accounted for around 9% of cases, but incidents where data was posted or faxed to the wrong person made up a significant 34%.
Industry comparisons for data breach data type 2019-2023
The data security trends show that data breaches involving basic personal identifiers are commonplace across the majority of sectors. Since the GDPR introduction, the sectors with the highest incidents involving personal identifiers have included:
- Marketing 87%
- Media 85%
- Political 85%
- Central government 85%
Basic personal identifier related breaches were the least prevalent in the regulators sector, though still a substantial figure at 73%.
Health data breaches were particularly common in the social care sector (42%), as well as in local government (32%) and the charitable and voluntary sector (30%). This reflects the fact that these sectors are far more likely than commercial industries to collect and store personal health information.
How can Hayes Connor help?
If your personal data has been compromised as a result of security failings by an organisation, you may be entitled to claim GDPR compensation.
At Hayes Connor Solicitors, we have significant expertise supporting clients who’ve had their data exposed due to data protection negligence. We can support claims for privacy loss, distress and financial losses.
Equally, if you are a business leader looking for support and guidance with the GDPR, we can support you.
To discuss your claim today get in touch with our data protection solicitors at Hayes Connor. You can call us on 0330 041 5132 or fill in our data breach claim form and we will get back to you.