Press Releases

Data Breach Reports to Information Commissioner Increase by 75%

September 4, 2018

  • New analysis reveals greater data breach risk from human errors than malicious cyber incidents, compromising personal data ranging from financial details to clinical and criminal records
  • Health sector responsible for greatest number of data breach reports
  • Rise in reported incidents indicates that organisations have been gearing up for a new era of transparency around data breaches under GDPR

The number of reports of data security incidents received by the Information Commissioner (“ICO”) has increased by 75 per cent over the past two years, according to new analysis [1] by Kroll, a global leader in risk mitigation and investigative services.

The findings, obtained from a request made under the Freedom of Information Act and analysis of publicly available ICO data, reveal details of data breaches which have compromised a broad range of individuals’ personal data, including health or clinical information, financial details, employment details and criminal records or endorsements.

Kroll says the increase in reports indicates that organisations have been gearing up for a new era of transparency around data breaches under the General Data Protection Regulation (“GDPR”), which came into force in May. Kroll expects both the number of reports and value of fines issued to increase significantly under the new regulation, creating much greater regulatory and reputational risks for businesses.

Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice, explained: “Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force, so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK. The recent rise in the number of reports is probably due to organisations’ gearing up for the GDPR as much as an increase in incidents. Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported as the GDPR imposes a duty on all organisations to report certain types of personal data breach.

“We would also expect to see an increase in the value of penalties issued as the maximum possible fine has risen from £500,000 to €20 million or 4 per cent of annual turnover, whichever is higher. The ultimate impact is that businesses face not only a much greater financial risk around personal data, but also a heightened reputational risk.”

Human error risk versus hacker risk

Kroll’s analysis reveals that the data breach risks posed by human error are at least as great as those from cyber attacks. In the past year, of the incidents where the type of breach is specified, 2,124 reports could be attributed to human error, compared to just 292 that were deliberate cyber incidents [2].

The most common types of incidents due to human error include data being emailed to the incorrect recipient (447 incidents), loss or theft of paperwork (438) and data left in an insecure location (164). The loss or theft of unencrypted devices (133) is another common reason for data breach reports.

Of the deliberate cyber incidents reported, specific circumstances logged include unauthorised access (102), malware (53), phishing attacks (51) and ransomware (33).

Andrew Beckett noted: “Effective cyber security is not just about technology. Often, companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks. The majority of data breaches, and even many cyber attacks, could be prevented by human vigilance or the implementation of relatively simple security procedures.”

Sectors submitting the most data breach reports [3]

The health sector is responsible for the highest number of reported data security incidents over the past financial year (1,214), a 41 per cent increase over two years. This is followed by general business (362), education and childcare (354) and local government (328).

Kroll says the health sector is top of the list partially due to mandatory reporting requirements that only applied to certain sectors pre-GDPR, but under the new regulation the firm expects to see a much broader spread of business sectors reporting incidents.

The analysis [4] reveals that health or clinical data is the most common type of personal data compromised, specified in 39 per cent of reports over a three-year period. This is likely to be due to the high percentage of reports originating from the health sector. Other kinds of personal data compromised include financial details (10%), social care data (7%), employment details (5%), criminal records or endorsements (4%) and education records (3%).

Andrew Beckett said: “Following the introduction of the GDPR, the business case for investing in cyber defence has never been stronger. Our analysis of incidents reported to the ICO in the UK shows that people are still the critical factor, and investment in training staff, either to follow correct procedures or to spot phishing attacks before they click on the link/email, offers the best return for helping to prevent data losses. The increased scope for mandatory reporting of breaches under the GDPR may significantly alter these trends and results, and Kroll will continue to monitor and analyse breach data. What won’t change is the increasing number of breaches/data loss events and the need for companies to have an effective, tested plan for how they deal with these situations, including the need for having specialist partners identified for forensic incident response, specialist legal counsel, crisis communications and breach notification.”

Earlier this year, Kroll launched its Data Protection Officer (“DPO”) Advisory Services in partnership with leading data privacy law firms. The service is an expansion of Kroll’s existing cyber security and incident response offering and supports privacy and security departments in becoming and staying compliant with GDPR requirements, in particular Article 37 of the GDPR, which calls for certain organisations to appoint a DPO.


For further information please contact:

Meredith Foster, Kroll
+44 (0)20 7029 5168

[1] Kroll analysis of data obtained from the Information Commissioner through a combination of its annual reports and questions asked under the Freedom of Information Act.

[2] The following breach types were grouped into ‘cyber incidents’ and ‘human error’ incidents as follows:

Data breach reports arising from specific kinds of cyber incident:

Breach type                                   Number of reports, 2017/18
Unauthorised access (cyber)                   102
Malware                                       53
Phishing                                      51
Ransomware                                    33
Other cyber incident                          31
Brute force (password attack)                 20
Denial of service                             2

Data breach reports arising from specific kinds of human error:

Breach type                                   Number of reports, 2017/18
Data sent by email to incorrect recipient     447
Data posted/faxed to incorrect recipient      441
Loss/theft of paperwork                       438
Failure to redact data                        256
Data left in insecure location                164
Failure to use bcc when sending email         147
Loss/theft of unencrypted device              133
Verbal disclosure                             46
Insecure disposal of paperwork                35
Loss/theft of only copy of encrypted data     16
Insecure disposal of hardware                 1

[3] Top 10 sectors for data breach reports, 2017/18, and percentage changes over two years:

Sector                              Incidents reported in 2017/18    Change over two years
Health                              1,214                            41%
General business                    362                              215%
Education and childcare             354                              142%
Local government                    328                              80%
Finance, insurance and credit       207                              74%
Justice                             164                              128%
Legal                               159                              112%
Charitable and voluntary            148                              100%
Land or property services           86                               56%
Central government                  53                               56%

[4] Kroll analysis of data breach reports in the three financial years between April 2013 and March 2016, obtained from a request under the Freedom of Information Act. Full details as follows:

Type of personal data compromised in data security incidents reported, April 2013 - March 2016 (reports where the type of data is known):

Type of personal data               Number of reports    Percentage of all reports
Health/clinical data                2,013                39%
Basic personal identifiers          1,504                29%
Financial details                   548                  10%
Social care data                    369                  7%
Employment details                  285                  5%
Criminal records/endorsements       193                  4%
Education records                   142                  3%
Other                               140                  3%
Religion or ethnicity               18                   0%
Sexual orientation                  12                   0%
Trade union membership              3                    0%


About Kroll

Kroll is the leading global provider of risk solutions. For more than 45 years, Kroll has helped clients make confident risk management decisions about people, assets, operations and security through a wide range of investigations, cyber security, due diligence and compliance, physical and operational security, and data and information management services. For more information, visit www.kroll.com.

Duff & Phelps is the global advisor that protects, restores and maximizes value for clients in the areas of valuation, corporate finance, investigations, disputes, cyber security, compliance and regulatory matters, and other governance-related issues. We work with clients across diverse sectors, mitigating risk to assets, operations and people. With Kroll, a division of Duff & Phelps since 2018, our firm has nearly 3,500 professionals in 28 countries around the world. For more information, visit www.duffandphelps.com.