A deep dive into the ICO’s numbers
We often hear the terms ‘accidental breach’ and ‘internal threat’, but how common are these phenomena?
To find out, we analysed the ICO’s (Information Commissioner’s Office) public data set. Specifically, we looked into four data breach types caused by human error:
Data posted or faxed to incorrect recipient
Data emailed to incorrect recipient
Failure to use Bcc
Failure to redact
Note that this data set only accounts for personal data breaches reported to the ICO, so it only reflects breaches affecting UK residents. The number of data breaches that actually occurred was likely higher.
Also note that this blog only accounts for the data from 2019–2023, because these are the only years the ICO has released its full data set on. At the time of writing, the data set starts in Q1 2019 and goes up to Q1 2024.
When more data is released, we’ll publish a new analysis.
In this blog
Number of reportable breaches by incident type and year
What sectors are breached accidentally the most?
How many data subjects were affected?
How long did it take to report accidental breaches?
How can you prevent breaches caused by human error?
Number of reportable breaches by incident type and year
From 2019–2022, a similar number of breaches was attributable to human error – roughly one in three.
However, 2023 saw a noticeable percentage drop despite the higher absolute number of data breaches caused by human error.
When we asked our head of GRC (governance, risk and compliance) consultancy, Damian Garcia, what he made of the data, he said:
Looking at the individual types of incident, this drop seems to primarily come from fewer breaches caused by data posted or faxed to the incorrect recipient. [See graph below.]
This is hardly surprising, as more communications to data subjects occur electronically, often via email and/or online portals.
That said, it’s worrying to see the number of breaches caused by careless email behaviour – data emailed to the incorrect recipient, and failure to use Bcc – to have risen in 2023.
What sectors are breached accidentally the most?
Note: For the purposes of this blog, an accidental breach is one of four types: data posted or faxed to incorrect recipient, data emailed to incorrect recipient, failure to use Bcc, and failure to redact.
Top 3 sectors by number of accidental breaches
The table above shows the three sectors breached accidentally most often, in terms of absolute numbers. The ranking is the same for both 2023, the most recent full year we have data for, and across 2019–2023.
However, this information is of limited use where we don’t have a denominator. Bigger sectors are likely to have more breaches; it doesn’t automatically follow that they’re less secure, or that staff working within those sectors are more careless.
With that in mind, let’s look at the most breached sectors in percentages, by dividing the number of accidental breaches of a given sector by the total number of breaches suffered by the same sector.
Top 3 sectors by largest percentage of accidental breaches in 2023
Top 3 sectors by largest percentage of accidental breaches in 2019–2023
Though both the top three of 2019–2023 and just 2023 contain the same sectors, regulators and local government are in different orders for each.
More interestingly, all three sectors are related to politics and the public sector. Might there be any reason for that? Damian suggested:
These sectors may be more likely to report data breaches by virtue of being in the public sector.
Similar patterns of incidents are probably happening within private-sector firms, but they’re less likely to be transparent about them – especially smaller data breaches, which is often the case with accidental breaches. [Our analysis below supports this.]
My Master’s dissertation looked into the insider threat. At the time [2018], there were virtually no case studies on insider threat attacks within the private sector, so most of my research had to focus on public-sector organisations. They were simply more likely to report, particularly in the US.
I believe the GDPR [General Data Protection Regulation] helps encourage companies to report, but fear that their desire to avoid negative press makes them more likely to only report the more serious breaches.
Which sectors perform worse than average?
But how does this compare to the UK benchmark? On average, what percentage of breaches are caused accidentally in the UK?
According to the ICO’s data from 2019–2023, the answer is 23.2%. In just 2023, this was slightly higher at 24.5%.
12 UK sectors (out of 21) performed worse than its 2023 benchmark. In other words, they suffered more clearly preventable breaches – caused by human error – than your average UK organisation in 2023.
The 12 sectors are:
Political (57.1%)
Regulators (40.4%)
Local government (36.4%)
Legal (32.6%)
Education and childcare (31.8%)
Land or property services (28.9%)
Membership association (27.8%)
Social care (27.3%)
Religious (26.7%)
Charitable and voluntary (25.9%)
Central government (24.6%)
Health (24.6%)
During 2019–2023, just 9 UK sectors (out of 21) performed worse than its benchmark (23.2%). They are:
Political (38.1%)
Local government (34.1%)
Regulators (34.0%)
Legal (33.5%)
Membership association (32.1%)
Education and childcare (29.9%)
Land or property services (28.0%)
Social care (25.3%)
Charitable and voluntary (23.7%)
Note: This analysis excluded the ‘unassigned’ sector.
How many data subjects were affected?
For 2023
Note: The percentages for both categories add up to 99% due to rounding.
For 2019–2023
Note: The percentages under ‘All breaches’ add up to 101% due to rounding.
For both periods, we can see a clear pattern: accidental breaches are more likely to affect a lower number of data subjects than personal data breaches in general.
As Damian points out, this isn’t too surprising:
Out of the four incident types we’re looking at, consider the two most common: sending data to the wrong person by email, and by post or fax.
That might be in the context of responding to a DSAR [data subject access request], responding to a FOI [freedom of information] request, or simply emailing someone as part of your usual business activities.
Either way, you’re often sending a limited amount of data. This limits how many individuals are likely to be affected, should you send that data to one or more unintended recipients.
Number of subjects affected by accidental breach type in 2019–2023
Looking at the more granular data – by data breach type – confirms Damian’s theory:
Note: The percentages under ‘Failure to redact’ add up to 101% due to rounding.
The typical number of data subjects impacted by accidental breaches is very low, unless the breach in question is a matter of failing to use Bcc. Again, that isn’t too surprising – this type of breach tends to affect a larger number of people.
How long did it take to report accidental breaches?
For 2023
Note: The percentages under ‘All breaches’ add up to 99% due to rounding.
For 2019–2023
Note: The percentages under ‘All breaches’ add up to 101% due to rounding.
As a reminder, the GDPR requires notifiable incidents to be reported to the relevant supervisory authority – such as the ICO – within 72 hours.
So, to see just 62% of all breaches in 2019–2023 reported within that window is worrying, particularly given that this has dropped further in 2023 to 57%. And for accidental breaches, the numbers aren’t much better at 66% and 61% respectively.
Basically, more than one in three incidents does not get reported on time. This is especially concerning for accidental breaches, considering that it shouldn’t take very long to become aware of the breach or to investigate it.
How can you prevent breaches caused by human error?
Staff training and awareness is by far the most effective way to prevent accidental breaches.
It can also be an extremely cost-effective and time-efficient way of implementing security, particularly if you take the elearning route.
GDPR: Email Misuse Staff Awareness E-Learning Course
This non-technical, ten-minute elearning course is suitable for everyone who needs to be aware of the risks and consequences that come with misusing email.
It’ll help staff better understand how to communicate securely and lawfully via email.
Ideal for initial and repeat engagement, the course covers:
What Cc and Bcc are;
Examples of Cc and Bcc in use;
What autocomplete is, and why it’s important;
The legal and business risks of misusing email; and
Much more!
We first published a version of this blog in December 2023.
The post Analysing Data Breaches Caused by Human Error appeared first on IT Governance UK Blog.