
Data Security: An Analysis of 2022 ICO Breach Reporting

Data security is a vital aspect of both our personal and professional lives, with the threat landscape changing each year that passes. Businesses need to stay up to date on the latest risks to ensure they have the appropriate protections in place.

As an independent UK authority, the Information Commissioner's Office (ICO) was created to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It publishes its findings on data security incidents for each quarter.

Let’s take a look at their recently published insights from 2022.

Introduction

Throughout the entirety of 2022, 8,797 incidents were reported. When compared to their findings from last year, we see that there has been an overall decrease in reported events, with 2021 having a total of 9,743 reported incidents.

Note: The ICO has stated that their information is drawn from records of data security incidents that are reported to them. While there are limitations to the data contained within the release, it is a revealing representation of common threats and incidents that have occurred.

1. Malicious Or Accidental?

When classifying activity types, three-quarters of the incidents reported in 2022 were classed by the ICO as non-cyber.

Events that are declared to be non-cyber are defined as breaches that do not involve a third party with malicious intent (such as accidentally emailing information to the wrong recipient) and do not always have a clear technological link (for example, loss of paperwork).

This means that only a quarter of incidents reported in 2022 were cyber events, which are events that do have a clear technological link and malicious intent, including phishing or malware attacks.

What Does This Tell Us?

The high level of non-cyber incidents reported indicates that the majority of breaches experienced last year were due to elements of human error rather than purposeful or malicious attacks from cybercriminals. This supports research from other organisations, including IBM, which suggests that over 95% of data breaches are caused by human error.

This suggests that organisations should be focusing on the human element of their data protection, such as awareness training.

2. Most Common Incident Type

According to the ICO, the most commonly reported incident type was ‘data emailed to the wrong recipient’, comprising 18% of the total incidents reported in 2022. With an estimated 347 billion emails sent and received each day, and the majority of businesses continuing to use email for their customer communications, this is not a surprising statistic.

When looking at the data, we can see that the top 5 incident types overall were:

  • Data emailed to incorrect recipient (18%)
  • Unauthorised access (12%)
  • Data posted or faxed to incorrect recipient (9%)
  • Phishing (8%)
  • Ransomware (8%)


What Does This Tell Us?

We can see that incidents of data being emailed to the incorrect recipient and unauthorised access have increased slightly since 2021, while phishing and ransomware attacks have decreased. This could suggest that organisations are becoming more adept at spotting and counteracting these types of incidents.

This aligns with our recent consumer research, which shows that nearly ¾ of UK adults (73%) feel that they are knowledgeable about the cybersecurity threats they may face online, such as phishing scams, malware, and password attacks.

Our research also revealed that a quarter of surveyed adults have accidentally shared personal data via email with the wrong recipient, which aligns with the ICO's top incident type. One method to prevent this type of incident from occurring would be to implement a secure email solution with strong authentication and revoke functionality.

3. Most Common Data Type

When taking a look at the data that was compromised during these incidents, we find that the top 5 types were:

  • Basic personal identifiers (79%)
  • Health data (29%)
  • Economic and financial data (17%)
  • Official documents (9%)
  • Identification data (8%)


What Does This Tell Us?

When determining the severity of a data breach or incident, the type of data that is compromised plays a key role.

With basic personal identifiers shown to be the most common type of information involved in data security incidents, many may consider this to pose minimal risk. However, it is important to remember that if enough leaked data is pieced together, even if it comes from different sources, it can place someone’s identity at risk.

The ICO confirms this, stating that: “You still need to protect information because of the risk that otherwise someone may, with greater or lesser certainty, be able to infer something about a particular individual. For example, if it was published and combined with information held by other organisations.”

Health and financial data are both types of personal data that can be incredibly harmful in the wrong hands. With over a quarter of incidents involving health information and 17% involving financial information, it is clear that some organisations are struggling to safeguard key data.

4. Who Was Affected?

In 2022, 31% of affected data subjects were customers or prospective customers – which could be attributed to the large sets of information that businesses now hold on their contacts.

Considering the other most affected groups in 2022, we see that:

  • 26% of data subjects were employees
  • 14% were patients
  • 13% were children
  • 9% were students


What Does This Tell Us?

With so many incidents involving customer data, it does call into question whether consumers can trust the businesses they shop with to protect their sensitive information. Reputation can play a large part in the success of an organisation, and those who fail to safeguard their customers’ data can end up losing them to businesses that make data security a priority.

The same can be said for patient data, with health information regarded as one of the most personal types of data. With health institutions seen as the custodians of some of our most vulnerable moments, the number of data incidents involving patients is concerning.

5. Which Sectors Were Affected?

Analysing the sectors that were most affected by data incidents, we see that the industries holding the largest amounts of sensitive data feature prominently. However, the ICO data shows that the largest percentage increases in reported incidents from 2021 to 2022 were found in the religious (83%) and justice (47%) sectors.

For 2022, the top 5 sectors associated with incidents were:

  • Health (20%)
  • Education and childcare (15%)
  • Retail and manufacture (10%)
  • Local government (10%)
  • Finance, insurance, and credit (9%)


What Does This Tell Us?

The above industries are prime targets for malicious attacks and are also associated with high levels of human error. They hold large amounts of personal data that make them attractive to threat actors, and they have large workforces that may be prone to mistakes.

However, these are some of the most regulated spaces, with a high emphasis placed on information security. With a large number of incidents still occurring in each sector, it seems that significant prevention work needs to be done – especially when the data subjects include vulnerable individuals such as children or health patients.

6. Time Taken To Report

ICO rules state that you must report a data breach no later than 72 hours after becoming aware of it. Failing to notify the ICO of a breach within the required time limit can result in fines of up to £8.7 million, or 2 percent of your global turnover. But how quickly were the cases in 2022 reported?

  • Less than 24 hours (20%)
  • 24-72 hours (38%)
  • 72 hours to 1 week (22%)
  • More than 1 week (20%)


What Does This Tell Us?

Compared with 2021, we can see a drop in the number of cases reported within 24 hours and increases in all the other categories. This is concerning – especially for time windows that fall outside of the ICO’s allotted 72 hours.

The increasing amounts of time taken to report may suggest that organisations are either struggling to identify breaches when they occur or are reluctant to report them when they have found them. Either way, the longer that incidents go undetected or unresolved, the more data is at risk from third parties.

Conclusion

While none of the ICO report's findings are shocking, they are important in emphasising the ongoing struggles with cyber risk in certain industries.

With a high level of incidents still taking place each year, whether through malicious means or human error, it is clear that organisations need to do more to protect the sensitive information under their care.


Originally posted on 01 09 23
Last updated on March 12, 2024

Posted by: Sabrina McClune

Sabrina McClune is an expert researcher with an MA in Digital Marketing. She was a finalist in the Women In Tech Awards 2022. Sabrina has worked extensively with B2B technology companies conducting and compiling thorough academically driven research to produce online and offline media. She loves to read fantasy novels and collect special edition books.
