Data security incidents reported to ICO increase by 75%

News by Mark Mayne

The number of incidents being reported to the Information Commissioner's Office (ICO) has increased by 75 percent over the last two years, ostensibly due to companies getting their house in order for GDPR.

Reports of data security incidents have increased significantly under GDPR.

According to the figures, the vast majority of reported incidents (2,124 reports) could be attributed to human error, compared to just 292 that were deliberate cyber incidents.

Stephen Burke, Founder and CEO at Cyber Risk Aware, told SC Media UK that the weighting of human error over hackers comes as no surprise: "People tend to think it is solely the role of IT Security to protect the network and that technical defences will protect them, which is wrong on both counts. Everyone has a role to play when it comes to cyber-security. Knowing that cyber-criminals are targeting people and that they’ll bypass tech defences is a critical piece of awareness that staff must have so they can be on their guard at all times."

The data, obtained by Kroll via a Freedom of Information Act request and analysis of publicly available ICO statistics, shows that the most common types of human error incident include data being emailed to the incorrect recipient (447 incidents), loss or theft of paperwork (438) and data left in an insecure location (164). The loss or theft of unencrypted devices (133) is another common reason for data breach reports.

Dan Pitman, senior solutions architect at Alert Logic, told SC Media UK that he agreed with Burke: "There’s a common saying in IT, 'There is no such thing as a computer error', meaning that even when you personally have not caused the error yourself, some human did, somewhere. So it’s no surprise that such a high proportion of security incidents are caused by human error. As with other very complex disciplines, the acquisition of computer expertise requires a high proportion of practical experience to avoid the pitfalls, yet most companies will not pay or invest in that expertise when building and designing systems. Security suffers from this lack of expertise and budget more than any other discipline."

Data breach reports arising from specific kinds of human error:

| Breach type | Number of reports related to this type of breach, 2017/18 |
|---|---|
| Data sent by email to incorrect recipient | 447 |
| Data posted/faxed to incorrect recipient | 441 |
| Loss/theft of paperwork | 438 |
| Failure to redact data | 256 |
| Data left in insecure location | 164 |
| Failure to use bcc when sending email | 147 |
| Loss/theft of unencrypted device | 133 |
| Verbal disclosure | 46 |
| Insecure disposal of paperwork | 35 |
| Loss/theft of only copy of encrypted data | 16 |
| Insecure disposal of hardware | 1 |

In the deliberate cyber-incidents camp, specific examples include unauthorised access (102), malware (53), phishing attacks (51) and ransomware (33):

Data breach reports arising from specific kinds of cyber incident:

| Breach type | Number of reports related to this type of breach, 2017/18 |
|---|---|
| Unauthorised access (cyber) | 102 |
| Malware | 53 |
| Phishing | 51 |
| Ransomware | 33 |
| Other cyber incident | 31 |
| Brute force (password attack) | 20 |
| Denial of service | 2 |

In terms of a sector breakdown, the runaway leader in reporting incidents was the healthcare sector, which reported a massive 1,214 incidents, a 41 per cent increase over two years. Next in line were general business (362), education and childcare (354) and local government (328).

Top 10 sectors for data breach reports, 2017/18, and percentage changes over two years:

| Sector | Number of incidents reported in 2017/18 | Percentage change in two years |
|---|---|---|
| Health | 1,214 | 41% |
| General business | 362 | 215% |
| Education and childcare | 354 | 142% |
| Local government | 328 | 80% |
| Finance, insurance and credit | 207 | 74% |
| Justice | 164 | 128% |
| Legal | 159 | 112% |
| Charitable and voluntary | 148 | 100% |
| Land or property services | 86 | 56% |
| Central government | 53 | 56% |

The analysis reveals that health or clinical data is the most common type of personal data compromised, being specified in 39 per cent of reports over a three-year period. This is likely to be due to the high percentage of reports originating from the health sector. Other kinds of personal data compromised include financial details (10%), social care data (7%), employment details (5%), criminal records or endorsements (4%) and education records (3%).

Type of personal data compromised in reported data security incidents, April 2013 - March 2016 (reports where the type of data is known):

| Type of personal data | Number of reports involving this type of personal data | Percentage of all reports |
|---|---|---|
| Health/clinical data | 2,013 | 39% |
| Basic personal identifiers | 1,504 | 29% |
| Financial details | 548 | 10% |
| Social care data | 369 | 7% |
| Employment details | 285 | 5% |
| Criminal records/endorsements | 193 | 4% |
| Education records | 142 | 3% |
| Other | 140 | 3% |

Sarah Armstrong-Smith, Head Continuity & Resilience at Fujitsu UK & Ireland said in a statement: "This latest report from Kroll makes one thing clear: data breaches can be caused by more than just a cyber-attack or criminal activity. After all, people are the first line of defence, and with breaches often the result of accidental or deliberate human error, which can often happen as a result of lack of understanding or enforced policies, it’s imperative that businesses help make users the strongest link, not the weakest. This needs to go beyond just providing users with security and privacy training and awareness, there also needs to be mechanisms in place to identify and prevent internal data leakages from occurring.

"To be truly effective when it comes to protecting personal data requires a mix of people, processes and technologies: all of which have to be carefully aligned so that everything fits together properly. At the end of the day, security alone cannot stop a breach, it requires a cultural shift to embed data governance throughout an organisation."

Steve Giguere, lead EMEA engineer at Synopsys, told SC Media UK that the underlying issue was the complexity of current deployments, which in many cases prove near-impossible to test before being put into production: "We’re reaching a critical alignment in technological movements where the resulting complexity is something not seen before. Developers are producing releasable code with high velocity and often incentivised more by features than security. They are doing so using new architectures, with new coding languages and frameworks that can prove difficult to test with automated methods. From Google to AWS, one misconfiguration can mean all the efforts on securing an application are for nothing if one forgets to simply lock the door.

"The answers do start with education and cultural change. This culture change needs to be as agile as the technologies themselves, adapting and growing with the times. Awareness of why new technologies are helping us, and how to use them to maximise their potential, is key. Creating an education plan for developers who, only a decade ago, didn’t care about security is critical so that they are building security in from the ground up. Most importantly, having an incident response plan is a must-have requirement to ensure that when it all breaks down, we don’t improvise ourselves into a worse situation."
