Data security threats are rising, and organisations must act fast to keep sensitive information safe.
As an independent UK authority, the Information Commissioner’s Office (ICO) exists to uphold information rights in the public interest, encouraging openness by public bodies and safeguarding data privacy for individuals.
The ICO regularly shares quarterly reports on data security incidents. Let’s explore the key insights from their 2023 trends.
Throughout 2023, 11,074 incidents were reported.
This marks a significant increase from 2022, which saw 8,799 reported incidents.
Note: The ICO’s data is based on reports of data security incidents. While there are limitations, the data provides a clear view of common threats and breaches.
Three-quarters of 2023’s incidents were classified as non-cyber.
These incidents typically involved human error - such as misdirected emails or lost paperwork - without a direct technological or malicious cause.
The remaining quarter were cyber incidents, including phishing and malware attacks, which involved clear malicious intent.
The prevalence of non-cyber breaches highlights human error as the leading cause of data loss.
This supports research by IBM suggesting that over 95% of data breaches originate from human mistakes.
This suggests organisations should prioritise awareness training and cultural improvements around secure practices.
The most frequently reported incident in 2023 was data emailed to the wrong recipient, accounting for 16% of all cases.
Given that 361.6 billion emails are sent worldwide every day, this isn’t surprising.
Top 5 incident types were:
Ransomware attacks and email misdelivery saw a steep rise. While some categories like physical misdelivery declined slightly, digital errors and unauthorised access continue to grow.
Our consumer research found that 25% of UK adults have accidentally emailed personal data to the wrong person.
When data breaches occurred, these were the most frequently compromised types of information:
While personal identifiers may seem low risk, when combined with other data, they can pose a serious threat to digital identity.
ICO guidance reinforces this risk:
"You still need to protect information because of the risk that someone may, with greater or lesser certainty, be able to infer something about a particular individual. For example, if it was published and combined with information held by other organisations."
Health and financial information also present high risks in the wrong hands.
With over a quarter of cases involving health data and 20% involving financial information, organisations must do more to protect this sensitive material.
In 2023, 31% of data subjects affected were customers or prospective customers.
Other highly affected groups included:
Organisations must ask themselves whether customers can truly trust them with personal information. A failure to protect customer data can result in lost trust and business.
Similarly, the number of incidents involving patient data is troubling. Health organisations handle highly sensitive information, and breaches can have serious consequences for affected individuals.
Sectors holding sensitive information remain top targets.
From Q1 to Q4 2023, the sectors with the largest percentage increases in reported incidents were:
Overall, the top 5 most affected sectors in 2023 were:
These sectors are high-value targets due to the volume and sensitivity of their data.
Despite strict regulations, many are still falling short on prevention - particularly when it comes to protecting vulnerable people such as children and patients.
According to ICO guidance, data breaches must be reported within 72 hours of the organisation becoming aware of them. Delays can lead to penalties of up to £8.7 million or 2% of global turnover.
In 2023, organisations reported incidents as follows:
Only 1 in 5 incidents were reported within 24 hours. Worse still, 42% were reported after the 72-hour deadline.
This may reflect a lack of incident detection capability or internal delays in escalation - both of which heighten the risk of data exposure.
Although only Q1 data for 2024 is available so far, the same patterns are emerging:
These numbers indicate little change in the key areas of risk. Email errors and compromised identifiers remain the most frequent - and preventable - issues.
The ICO’s findings highlight persistent issues across industries when it comes to protecting sensitive data.
Despite increased awareness, organisations continue to struggle with human error, reporting delays, and cyber risks.
To build trust and avoid regulatory consequences, it’s time to strengthen practices around secure communication, especially when using everyday tools like email.
Data Security Incident Trends 2023, ICO, 2024
2023 Cost of a Data Breach Report, IBM, 2023
Daily Number of Emails Worldwide, Statista, 2023
What Are Identifiers and Related Factors?, ICO, 2024
Sam Kendall, 20.06.24
Sabrina McClune, 08.05.25