Sending errors cause more breaches than Cyber - again!

Stats on personal data breaches reported to the UK ICO paint the same picture as last year - 73% are not CyberSecurity Incidents

The UK ICO released its detailed report on the 2,425 personal data breaches reported to it in Q1 2021, which shows a startling fact:

As with last year, more breach reports result from mis-sending emails, faxes and mail than from ALL cyber-security incidents!

Helpfully, the UK ICO releases reports on personal data breaches reported each quarter.  The report for Q1 2021 (what the ICO calls Q4 2020-21) has some interesting revelations, particularly when compared to the same report for last year, which we reported on here.  Note: the UK ICO figures are the number of reports, not necessarily the number of incidents.


CyberSecurity Incidents: 27%

All cyber security incidents (CSIs) together amounted to over a quarter of all breach reports: 27.2%, slightly up from 24.8% last year.

But it still means 72.8% were not CSIs which, as we said about last year’s results, can surprise some, as it can feel at times as if all data is in digital format, so all breaches must be about cyber security.


Sending error: 29%

Simple human mistakes are happening more and more…

Sending emails, faxes and mail to the wrong recipient, or making personal data available to the wrong person, led to 28.9% of all breach reports, also up from 26.6% last year – and still more than all CSIs together.


29% of all breach reports, and 40% of non-CSI breach reports, are down to mis-addressed data.


Top / Worst 5 Sectors?

Five sectors each reported 10% or more of the total personal data breaches reported to the UK ICO.   Those Top / Worst 5 Sectors are:

… take a guess before you look! …

Some really interesting points here (if you’re a geek or if you’re in one of these sectors):

  • See how the sectors compare across CSI and non-CSI… Education & Childcare is quite close in the % of CSI and non-CSI breaches whereas Health is quite the out-performer on non-CSIs.
  • Retail & Manufacturing has almost the same split as Health, but in reverse, with more CSI-led breaches.  (Health has more of the overall percentage because there are 2.7X more non-CSI breaches than CSI Breaches overall.)

And it would be even more interesting to dive into the number of breaches normalised for the number of businesses, the number of employees, or aggregate turnover.  For a quick taster, the UK Government figures for March 2020 report:

  • Finance & Insurance had 62,040 businesses, and
  • Retail alone had 208,795.

They’re not the same sector definitions as the UK ICO uses, but it rings true that Finance has far fewer businesses than Retail & Manufacturing, which gives an interesting angle on the above stats.  One would certainly think that Finance is a more regulated industry in terms of compliance, given the FCA regulations, the need for Compliance Officers, compliance training etc.  And we’d wager that your typical Finance house is a more valuable target to hackers than your average retailer (no offence).  Lots to dig into here!


Your Security Takeaways

Analysis is all well and good, but what are you to take away from all this?  The UK ICO gives 3 tips, all around redactions:

  1. Consider metadata when redacting information.
  2. Check all data has been redacted and is not reversible before releasing.
  3. Get someone to double check redactions.
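As an added example of tip 2 (not from the ICO or this post), the check below inspects an OOXML package such as a .docx before release: it lists the document-property metadata and reports any term that should have been redacted but still survives in comments, tracked changes or properties. The sample document is constructed inline, and the term list is an assumption for illustration.

```python
import io
import re
import zipfile

# Constructed sample terms standing in for the personal data that was redacted.
SENSITIVE_TERMS = ["Jane Doe", "NI QQ123456C"]

def build_sample_docx() -> bytes:
    """Constructed .docx-style package: the visible body shows [REDACTED], but a
    tracked deletion, a comment and the core properties still hold the data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p><w:t>Subject: [REDACTED]</w:t>"
                   "<w:del><w:delText>NI QQ123456C</w:delText></w:del>"
                   "</w:p></w:body></w:document>")
        z.writestr("word/comments.xml",
                   "<w:comments><w:comment><w:t>Check Jane Doe's address</w:t>"
                   "</w:comment></w:comments>")
        z.writestr("docProps/core.xml",
                   "<cp:coreProperties><dc:creator>Jane Doe</dc:creator>"
                   "<cp:lastModifiedBy>HR Team</cp:lastModifiedBy></cp:coreProperties>")
    return buf.getvalue()

def find_residual_data(package: bytes, terms) -> dict:
    """Return {zip member: [terms found]} for every part of the package that
    still contains a term that should have been redacted, metadata included."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            text = z.read(name).decode("utf-8", errors="ignore")
            found = [t for t in terms if t in text]
            if found:
                hits[name] = found
    return hits

def metadata_fields(package: bytes) -> dict:
    """Collect simple <tag>value</tag> pairs from docProps/*.xml so the author,
    last editor and similar fields can be reviewed or stripped before release."""
    fields = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if name.startswith("docProps/"):
                xml = z.read(name).decode("utf-8", errors="ignore")
                for tag, value in re.findall(r"<([\w:]+)>([^<]+)</\1>", xml):
                    fields[tag] = value
    return fields

if __name__ == "__main__":
    pkg = build_sample_docx()
    print("metadata:", metadata_fields(pkg))
    print("residual data:", find_residual_data(pkg, SENSITIVE_TERMS))
```

An empty result from `find_residual_data` is the release condition; anything else means the redaction is reversible and the file must not go out.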

Our recommendations have a different emphasis:

  • 19% of all reports to the UK ICO concern phishing, ransomware or other unauthorised cyber access, so implement backups, password managers and 2FA now.
  • 18% of all reports to the UK ICO concern emailing data to the wrong recipient, so either turn off auto-fill, use secure links to share (potentially with passwords – always sent separately), or do both.
  • 9.6% of all reports to the UK ICO concern data posted or faxed (still using faxes?) to the wrong recipient, so put in place measures to combat that, such as double-checking, four eyes etc.
  • And of course, watch our awesome Privacy Kitchen on Identity & Security, which covers the above.

Stay safe out there!
