The Information Commissioner's Office (ICO) recently published details of data security breaches reported during 2019-2020. The breaches are sorted into two main categories, cyber security incidents and non-cyber security incidents. In total, eight incident types are listed under cyber security incidents and eleven under non-cyber security incidents.
Non-cyber security incidents include data emailed to an incorrect recipient, data posted or faxed to an incorrect recipient, failure to use BCC, incorrect disposal of paperwork, loss and/or theft of data, and unauthorised access. Cyber security incidents include brute force, hardware or software misconfiguration, phishing, ransomware, and unauthorised access to personal information.
A number of sectors and industries were affected by data breaches during this period, including central government, local government, charitable and voluntary, health, education, and media and marketing, to name a few.
The information in the tables shows that many data security incidents are caused by human error and are easily avoided, for example forwarding an email to an incorrect recipient or clicking on a link in a phishing email. Whilst such breaches may seem trivial, if very sensitive personal information is involved, organisations may find themselves the subject of an ICO investigation. This may lead to regulatory action and a sizeable fine.
A quick snapshot of each quarter reveals some interesting facts. The sectors which reported the most data security breaches across both cyber and non-cyber incidents are Health, General Business, Education and Childcare, and Finance, Insurance and Credit. The three sectors reporting the most incidents in each quarter are shown below (the four quarterly totals add up to the 11,499 breaches reported for the year):
Q1: total incidents 3091. General Business 653; Health 493; Education and Childcare 359.
Q2: total incidents 2984. Health 591; General Business 492; Education and Childcare 322.
Q3: total incidents 2795. Health 542; Education and Childcare 429; General Business 301.
Q4: total incidents 2629. Health 419; Education and Childcare 370; Finance, Insurance and Credit 277.
The biggest category of incidents is "Other non-cyber incident". Ignoring this category (which seems to cover many different types of data breach), the largest number of incidents is "data posted or faxed to incorrect recipient" among non-cyber incidents (in all quarters except Q4) and phishing among cyber incidents.
The incidents of data posted or faxed to incorrect recipients across the four quarters are as follows:
Data posted or faxed to incorrect recipient: Q1 503, Q2 384, Q3 286, Q4 265 (1438 for the year).
The incidents of phishing attacks leading to a data security breach across the four quarters are as follows:
Phishing: Q1 294, Q2 300, Q3 281, Q4 280 (1155 for the year).
Data emailed to an incorrect recipient was also high in every quarter: Q1 351, Q2 245, Q3 269 and Q4 337 (1202 for the year). In Q4 it overtook data posted or faxed as the largest non-cyber category after "Other".
The total number of data breaches across all four quarters was 11,499. Adding up the quarterly figures above, incidents involving data posted, faxed or emailed to the wrong recipient, together with phishing, come to 3795 (1438 + 1202 + 1155).
The health sector reported 438 breaches where personal information was posted, faxed or emailed to the wrong recipient and 65 phishing incidents. The education and childcare sector reported 276 and 124, and general business 263 and 226, respectively.
Data security breaches involving email, post and fax sent to the wrong recipient, together with phishing, therefore amounted to roughly a third of all breaches reported for the year.
When breaches of this kind are reported to the ICO, a regulatory investigation is likely. If sensitive information is involved which may pose a risk to the rights and freedoms of individuals, there is a risk of a very substantial fine.
Organisations should review their policies and procedures for sending personal information by fax, post and email. Email distribution lists are a particular risk area, since a list placed in To or Cc exposes every recipient's address to every other recipient. Organisations should risk-assess all data processing where sensitive information is involved, and risk assessments should be reviewed regularly.
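One technical control that sits behind the "failure to use BCC" category above is a pre-send check on outgoing mail: hold any message whose To or Cc headers expose more than a handful of addresses outside the organisation. The following is an added example, not from the ICO report or this article; the organisation domain example.org, the threshold, and both sample messages are assumptions made for illustration.

```python
"""Pre-send check for the ICO "failure to use BCC" breach category.

Added example, not from the ICO report or the original article. The
organisation domain, the threshold and both sample messages are assumed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

# Assumed: the sending organisation's own domain(s).
INTERNAL_DOMAINS = {"example.org"}
# Assumed threshold: more than one external address visible in To/Cc means
# every external recipient can see the others' addresses.
MAX_VISIBLE_EXTERNAL = 1


def visible_recipients(msg):
    """Addresses every recipient can see, i.e. those in To and Cc (not Bcc)."""
    found = []
    for header in ("To", "Cc"):
        values = [str(v) for v in msg.get_all(header, [])]
        for _name, addr in getaddresses(values):
            if addr:
                found.append(addr.lower())
    return found


def is_external(addr):
    """True when the address is outside the organisation's own domains."""
    return addr.rpartition("@")[2] not in INTERNAL_DOMAINS


def check_bcc_usage(raw_message):
    """Parse an outgoing message and return a verdict dict.

    'block' is True when the message should be held for the sender to
    move external recipients into Bcc.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    external = [a for a in visible_recipients(msg) if is_external(a)]
    verdict = {"visible_external": len(external), "block": False, "reason": ""}
    if len(external) > MAX_VISIBLE_EXTERNAL:
        verdict["block"] = True
        verdict["reason"] = (
            f"{len(external)} external addresses are visible in To/Cc; "
            "move them to Bcc so recipients cannot see each other"
        )
    return verdict


# Constructed sample: a bulk reminder with the patients placed in To.
SAMPLE_BAD = b"""From: clinic@example.org
To: alice@gmail.com, bob@outlook.com, carol@yahoo.co.uk
Cc: manager@example.org
Subject: Appointment reminder

Dear patient, your appointment is next week.
"""

# Constructed sample: the same mailing sent correctly, with patients in Bcc.
SAMPLE_OK = b"""From: clinic@example.org
To: clinic@example.org
Bcc: alice@gmail.com, bob@outlook.com, carol@yahoo.co.uk
Subject: Appointment reminder

Dear patient, your appointment is next week.
"""

if __name__ == "__main__":
    for label, raw in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(label, check_bcc_usage(raw))
```

In practice this check runs in the mail client add-in or the outbound gateway, where the Bcc header is still present; the threshold and the list of internal domains are the only configuration, and the verdict's reason text is what the sender sees when the message is held.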
Staff-focused awareness campaigns on the dangers of phishing emails should be a constant in any organisation.
The ICO website should be consulted regularly for guidance and advice in these areas.