ICO blog

The Information Commissioner’s Office (ICO) recently published details of reported data security breaches during 2019 -2020. The breaches have been sorted into two main categories – Cyber Security Incidents and Non-Cyber Security incidents. In total, there are eight incident types listed under cyber security incidents and eleven incident types listed under non-cyber security incidents.

Non-cyber security incidents include data emailed to an incorrect recipient, data posted or faxed to an incorrect recipient, failure to use BCC, incorrect disposal of paperwork, loss and or theft of data and unauthorised access. Cyber security incidents include brute force, hardware or software misconfiguration, phishing, ransomware and unauthorised access to personal information.

 Number of different sectors and industries have been affected by data breaches during this period, including central government, local government, charitable and voluntary, health, education, media and marketing, to name a few.

The information in the tables shows that many data security incidents are caused by human error and are easily avoided. For example forwarding an email to an incorrect recipient and clicking on a link in a phishing email. Whilst such breaches may seem trivial, if very sensitive personal information is involved, organisations may find themselves the subject of an ICO investigation. This may lead to regulatory action and a sizeable fine.

A quick snapshot of each quarter reveals some interesting facts. The sectors which have reported  the most data security breaches across both cyber and non cyber incidents are Health, General Business, Education and Childcare, Finance Insurance and Credit. The top three offenders for each quarter are shown below:

Quarter 1.

Total incidents 3091

General Business 653.   Health 493.     Education and Childcare 359

Quarter 2

Total incidents.  2984

Health 591.   General business 492.      Education and Childcare 322

Quarter 3

Total incidents. 2795

Health 542.    Education and Childcare 429.   General business 301.   

Quarter 4

Total incidents 2629

Health 419 .Education and childcare 370. Finance Insurance and Credit 277.

The biggest category for incidents is “Other non-cyber incident.” Ignoring this category

(which seems to cover many different types of data breach ) the biggest number of incidents is “data posted or faxed to incorrect recipient” in non cyber (all quarters except Q4) and phishing in cyber incidents.

The incidents of data posted or faxed to incorrect recipients across all four quarters are as follows:

Data posted or faxed       Q1  503             Q2  384                  Q3 286            Q4  265

The incidents of phishing attacks leading to a data security breach across all quarters is as follows:

Phishing                               Q1 294              Q2  300                 Q3 281            Q4 280

In Q4 data emailed to incorrect recipient was 337 – incidents in this category were also high in all quarters  – Q1 351 , Q2 245 and Q3 269.

The total number of data breaches in all four quarters was 11,499. The total number of Incidents involving data posted faxed or emailed to the wrong recipient and failing to recognise phishing emails was 3458.

The health sector reported 438 breaches where personal information was posted faxed or emailed to the wrong recipient and 65 phishing incidents. The education and welfare sector  reported 276 and 124 and general business which reported 263 and 226 respectively.


Data security breaches involving email, post and fax sent to the wrong recipient and phishing data breaches amounted to over a third of all breaches reported for the year.

When breaches of this kind are reported to the ICO a regulatory investigation is likely. If sensitive information is involved which may pose a risk to the rights and freedoms of individuals then there is a risk of a very substantial fine.

Organisations should review policies and procedures relative to forwarding personal information by fax, post and email. Email distribution lists are a risk area. Organisations should risk assess all data processing where sensitive information is involved. Risk assessments should be regularly reviewed.

Staff focused campaigns on the dangers associated with phishing emails should be a constant in any organisation.

The ICO website should be viewed regularly for guidance and advice in these areas.

Struggling to recruit a DPO? Don't need someone full-time?

If you have any questions please get in touch on contact@prodpo.com or 020 3697 7206