
Data Security: An Analysis of 2023 ICO Breach Reporting

Data security is essential in both our personal and professional lives, with threats evolving every year. Businesses must keep up with the latest risks to make sure they have the right protections in place.

As an independent UK authority, the Information Commissioner’s Office (ICO) was established to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO publishes its findings on reported data security incidents every quarter. Let's explore what its 2023 data shows.

Introduction

Throughout 2023, 11,074 incidents were reported.

This is a significant increase from the previous year (2022), which saw 8,799 reported incidents.

Note: The ICO’s data is based on incidents that organisations reported to it. Not every breach is detected or reported, so the figures undercount, but they still offer a revealing look at the common threats and incidents that occurred.

Malicious Or Accidental?

Three-quarters of the incidents reported in 2023 were classified by the ICO as non-cyber.

Non-cyber incidents are breaches without malicious intent from a third party (e.g., accidentally emailing information to the wrong person) and do not necessarily have a technological link (e.g., loss of paperwork).

This means that only a quarter of incidents reported in 2023 were cyber events, which involve a clear technological link and malicious intent, such as phishing or malware attacks.

What Does This Tell Us?

The high proportion of non-cyber incidents indicates that most breaches last year resulted from human error rather than deliberate attacks. The two categories are not a clean split, though: phishing, which the ICO counts as cyber, also depends on a person being deceived, so the human factor runs through both.

This supports research from other organisations, including IBM, which is widely cited as suggesting that over 95% of data breaches involve human error.

This suggests that organisations should focus on the human aspect of their data protection, such as awareness training.

Most Common Incident Type

According to the ICO, the most commonly reported incident type was ‘data emailed to the wrong recipient’, making up 16% of the total incidents reported in 2023. This was also the most reported type of incident in 2022.

Given that an estimated 361.6 billion emails are sent and received daily, and email’s continued use by businesses, this is unsurprising.

When examining the data, the top 5 incident types overall were:

  • Data emailed to the incorrect recipient (1,744 reported incidents)
  • Unauthorised access (1,267 reported incidents)
  • Ransomware (1,230 reported incidents)
  • Phishing (932 reported incidents)
  • Data posted or faxed to the incorrect recipient (690 reported incidents)


What Does This Tell Us?

Compared with 2022, there was a slight increase in data emailed to the incorrect recipient, unauthorised access, and phishing; a substantial increase in ransomware attacks; and a slight decrease in data posted to the incorrect recipient.

The rise across most incident types could indicate that organisations are struggling to implement proactive measures that prevent attacks and other digital risks, especially where human error is involved.

Our consumer research shows that 25% of adults surveyed have accidentally shared personal data via email with the wrong recipient.

Most Common Data Types

Examining the data compromised in these incidents, the top 5 types were (an incident can involve more than one data type, so the percentages do not sum to 100%):

  • Basic personal identifiers (84%)
  • Health data (27%)
  • Economic and financial data (20%)
  • Official documents (9%)
  • Identification data (8%)


What Does This Tell Us?

When assessing the severity of a data breach, the type of data compromised is crucial.

Because basic personal identifiers are the most common type of information involved in data security incidents, many might regard their exposure as low risk.

However, identifiers leaked from several sources can be pieced together, and the combined profile can put someone's identity at real risk, for example through identity fraud or convincing targeted phishing.

The ICO confirms this, noting that:

“You still need to protect information because of the risk that someone may, with greater or lesser certainty, be able to infer something about a particular individual. For example, if it was published and combined with information held by other organisations.”

Health and financial data can be incredibly harmful in the wrong hands.

With over a quarter of incidents involving health information and 20% involving financial information, it’s clear that organisations need to do more to safeguard critical data.

Who Was Affected?

In 2023, 31% of affected data subjects were customers or prospective customers—likely due to the vast amount of information businesses now hold on their contacts.

The other most-affected groups in 2023 were:

  • Employees (29%)
  • Patients (13%)
  • Children (13%)
  • Students (8%)


What Does This Tell Us?

Given the high percentage of incidents involving customer data, it's crucial to question whether consumers can trust businesses to protect their sensitive information.

Reputation can significantly impact an organisation's success, and those who fail to safeguard their customers' data may lose them to competitors prioritising data security.

The same concern applies to patient data, with health information being among the most personal types of data.

The number of data incidents involving patients is troubling, given that health institutions are trusted with some of our most sensitive moments.

Which Sectors Were Affected?

Analysing the sectors most affected by data incidents shows that those holding large amounts of sensitive data feature prominently.

The ICO data shows the largest percentage increases in reported incidents since Q1 2023 were in the religious (250%) and marketing (229%) sectors.

For 2023, the top 5 sectors associated with incidents were:

  • Health (17%)
  • Education and childcare (14%)
  • Finance, insurance, and credit (11%)
  • Local government (10%)
  • Retail and manufacturing (10%)


What Does This Tell Us?

These industries are prime targets for malicious attacks and are also associated with high levels of human error.

They hold large amounts of personal data attractive to threat actors and have large workforces that may be prone to mistakes.

Despite these sectors being highly regulated, with a strong focus on information security, a significant number of incidents still occur.

This suggests that more preventative measures are needed, particularly when dealing with vulnerable individuals, such as children or patients.

Time Taken To Report

Under UK GDPR (Article 33), a personal data breach must be reported to the ICO without undue delay and no later than 72 hours after the organisation becomes aware of it. Breaches unlikely to result in a risk to individuals need not be reported, but must still be documented internally.

Failing to notify the ICO within this timeframe can result in fines of up to £8.7 million or 2% of global annual turnover, whichever is higher. So, how quickly were the cases in 2023 reported?

  • Less than 24 hours (19%)
  • 24-72 hours (38%)
  • 72 hours to 1 week (22%)
  • More than 1 week (20%)


What Does This Tell Us?

There has been a drop in the number of cases reported within 24 hours, while all other categories have remained consistently high.

This is concerning, as it means that 42% of recorded incidents were reported after the 72-hour window had closed.

Because the clock runs from the point of awareness, extended reporting times suggest that organisations either struggle to confirm promptly that what they have found is a notifiable breach, or hesitate to report it once they know.

Delays in detecting or resolving incidents increase the risk of data exposure to third parties.
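To make the 72-hour window concrete, here is a small incident tracker that computes the notification deadline from the moment of awareness, places each reported incident into the same four time bands the ICO uses above, and flags unreported incidents that are already past their deadline. This is an added example, not code from the original article, the ICO or Mailock; the incident records are constructed sample data, and the treatment of a report at exactly 72 hours as on time is an assumption noted in the code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# UK GDPR Article 33: notify the ICO no later than 72 hours after becoming aware.
NOTIFY_WINDOW = timedelta(hours=72)

# The four reporting-time bands the ICO uses in its incident trends data.
BUCKETS = ("less than 24 hours", "24-72 hours", "72 hours to 1 week", "more than 1 week")


@dataclass(frozen=True)
class Incident:
    ref: str
    aware_at: datetime               # when the organisation became aware of the breach
    reported_at: Optional[datetime]  # None while the ICO has not yet been notified


def notification_deadline(aware_at: datetime) -> datetime:
    """Latest moment the ICO can be notified without breaching the 72-hour rule."""
    return aware_at + NOTIFY_WINDOW


def reporting_bucket(aware_at: datetime, reported_at: datetime) -> str:
    """Map the awareness-to-report delay onto the ICO's four bands.

    Assumption: a report at exactly 72 hours counts as on time ("no later than
    72 hours"), and exactly 7 days falls in the '72 hours to 1 week' band.
    """
    delay = reported_at - aware_at
    if delay < timedelta(0):
        raise ValueError(f"reported_at precedes aware_at (delay {delay})")
    if delay < timedelta(hours=24):
        return BUCKETS[0]
    if delay <= NOTIFY_WINDOW:
        return BUCKETS[1]
    if delay <= timedelta(days=7):
        return BUCKETS[2]
    return BUCKETS[3]


def summarise(incidents, now: datetime) -> dict:
    """Count reported incidents per band and flag unreported ones past their deadline."""
    counts = {bucket: 0 for bucket in BUCKETS}
    overdue_unreported = []
    for inc in incidents:
        if inc.reported_at is None:
            if now > notification_deadline(inc.aware_at):
                overdue_unreported.append(inc.ref)
            continue
        counts[reporting_bucket(inc.aware_at, inc.reported_at)] += 1
    reported = sum(counts.values())
    late = counts[BUCKETS[2]] + counts[BUCKETS[3]]
    return {
        "counts": counts,
        "late_share": late / reported if reported else 0.0,
        "overdue_unreported": overdue_unreported,
    }


# Constructed sample incidents (not ICO data); all timestamps are UTC.
T0 = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=12)
SAMPLE_INCIDENTS = [
    Incident("INC-A", T0, T0 + timedelta(hours=6)),
    Incident("INC-B", T0, T0 + timedelta(hours=40)),
    Incident("INC-C", T0, T0 + timedelta(hours=72)),   # right at the deadline
    Incident("INC-D", T0, T0 + timedelta(hours=100)),  # late
    Incident("INC-E", T0, T0 + timedelta(days=10)),    # very late
    Incident("INC-F", T0 + timedelta(days=7), None),   # aware 5 days before NOW, still unreported
]

if __name__ == "__main__":
    summary = summarise(SAMPLE_INCIDENTS, NOW)
    for bucket, n in summary["counts"].items():
        print(f"{bucket:>22}: {n}")
    print(f"share reported after 72 hours: {summary['late_share']:.0%}")
    print(f"unreported and past deadline: {summary['overdue_unreported']}")
```

On the sample data two of the five reported incidents fall outside the window (a 40% late share) and INC-F is flagged as overdue. In a real tracker the awareness timestamp should be recorded when the organisation reaches reasonable certainty that a breach has occurred, since that, not the moment of the underlying event, is what starts the clock.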

A Glance Into 2024

While the ICO has only released data for Q1 2024 so far, it already gives some insight into the top incidents we face this year.

Key highlights include:

  • Most common incident type - Data emailed to the incorrect recipient (539 reports).
  • Most common data type - Basic personal identifiers (83%).
  • Most affected data subjects - Customers and employees (both 31% each).
  • Most affected sector - Health (19%).
  • Time taken to report - 24 to 72 hours (41%).

The ICO data reveals a continuation of the key trends: emailing data to incorrect recipients is the most frequent issue, with basic personal identifiers often compromised.

Customers and employees are equally affected, and the health sector leads in incidents.

Conclusion

While the ICO report’s findings may not be surprising, they highlight the ongoing challenges with cyber risk across industries.

The persistently high volume of incidents, whether through malicious actions or human error, indicates that organisations need to intensify their efforts to protect sensitive information.


References:

Data Security Incident Trends 2023, ICO, 2024

2023 Cost of a Data Breach Report, IBM, 2023

Daily Number of Emails Worldwide, Statista, 2023

What Are Identifiers and Related Factors?, ICO, 2024

Reviewed By:

Sam Kendall, 20.06.24

Sabrina McClune, 20.06.24


Originally posted on 01 09 23
Last updated on June 20, 2024

Posted by: Sabrina McClune

Sabrina McClune, an expert researcher with an MA in Digital Marketing, was a finalist in the Women In Tech Awards 2022. She excels in conducting and compiling research for B2B tech companies. Sabrina enjoys reading fantasy novels and collecting special edition books.
