Data Security: An Analysis of 2023 ICO Breach Reporting

ICO breach reports rose in 2023, and misdirected email remains one of the most common incident types UK organisations disclose.

As an independent UK authority, the Information Commissioner’s Office (ICO) exists to uphold information rights in the public interest, encouraging openness by public bodies and safeguarding data privacy for individuals.

The ICO publishes quarterly summaries of reported data security incidents. This article draws on the ICO’s published 2023 trends, with a short note on Q1 2024 where those figures were available when the piece was first written.

Throughout 2023, 11,074 incidents were reported to the ICO.

That was up from 8,799 reported incidents in 2022.

The sections below summarise how those reports break down by cause, data type, affected people, sector, and reporting time.

Malicious or Accidental?

Three-quarters of 2023’s incidents were classified as non-cyber.

These incidents typically involved human error - such as misdirected emails or lost paperwork - without a direct technological or malicious cause.

The remaining quarter were cyber incidents, including phishing and malware attacks, which involved clear malicious intent.

Human Error Dominates Non-Cyber Incidents

The prevalence of non-cyber breaches points to human error as a leading cause of data loss in the figures organisations report.

IBM’s Cost of a Data Breach research also points to people, process, and human factors as major contributors to breach cost and impact, alongside technical controls.

Organisations should pair awareness training with practical controls at the point of send, especially for high-volume email workflows.

Most Common Incident Type

The most frequently reported incident in 2023 was data emailed to the wrong recipient, accounting for 16% of all cases.

Given that The Radicati Group estimates around 392.5 billion emails will be sent and received worldwide each day in 2026, high email volume makes misdelivery easy to understand, but not easy to excuse.

Top 5 incident types were:

• Data emailed to the incorrect recipient: 1,744
• Unauthorised access: 1,267
• Ransomware: 1,230
• Phishing: 932
• Data posted or faxed to the incorrect recipient: 690

The chart reflects ICO-reported categories for the full 2023 period.

Misdelivery and Cyber Attacks Both Climbed

Ransomware attacks and email misdelivery saw a steep rise. While some categories like physical misdelivery declined slightly, digital errors and unauthorised access continue to grow.

Our 2023 consumer research found that 25% of UK adults have accidentally emailed personal data to the wrong person.

"When the regulator's own incident data keeps showing misdirected email near the top of the list, the conversation has to move beyond awareness slides. Firms need controls at the point of send - recipient checks, protected delivery, and evidence that the right person opened the message."

Paul Holland, Founder and CEO, Beyond Encryption (Mailock)

The same ICO data places misdelivery alongside ransomware and unauthorised access in the reported incident mix.

Most Common Data Types

When data breaches occurred, these were the most frequently compromised types of information:

• Basic personal identifiers: 84%
• Health data: 27%
• Economic and financial data: 20%
• Official documents: 9%
• Identification data: 8%

Percentages can exceed 100% in total because a single incident may involve more than one data category.

The breakdown shows how often each data type appeared across reported incidents.

Identifiers Often Combine With Other Data

While personal identifiers may seem low risk on their own, when combined with other data they can pose a serious threat to digital identity.

ICO guidance reinforces this risk:

"You still need to protect information because of the risk that someone may, with greater or lesser certainty, be able to infer something about a particular individual. For example, if it was published and combined with information held by other organisations."

Information Commissioner’s Office

Health and financial information also present high risks in the wrong hands.

With over a quarter of cases involving health data and 20% involving financial information, organisations need stronger controls around how that material is sent and shared.

Who Was Affected?

In 2023, 31% of data subjects affected were customers or prospective customers.

Other highly affected groups included:

• Employees: 29%
• Patients: 13%
• Children: 13%
• Students: 8%

Customer and employee records dominate the affected groups in the ICO’s 2023 breakdown.

Customers and Employees Bear the Brunt

Organisations need clear answers on whether customers can trust them with personal information. A failure to protect customer data can result in lost trust and business.

Similarly, the number of incidents involving patient data is troubling. Health organisations handle highly sensitive information, and breaches can have serious consequences for affected individuals.

Which Sectors Were Affected?

Sectors holding sensitive information remain heavily represented in the reported figures.

From Q1 to Q4 2023, the sectors with the largest percentage increases in reported incidents were:

• Religious: 250%
• Marketing: 229%

Overall, the top 5 most affected sectors in 2023 were:

• Health: 17%
• Education and childcare: 14%
• Finance, insurance, and credit: 11%
• Local government: 10%
• Retail and manufacturing: 10%

Health and education feature prominently across the year’s sector split.

Health and Education Lead Sector Exposure

These sectors hold large volumes of sensitive data, which makes them frequent entries in breach reporting.

Despite strict regulations, many are still falling short on prevention - particularly when it comes to protecting vulnerable people such as children and patients.

Time Taken to Report

According to ICO guidance, notifiable personal data breaches must be reported within 72 hours of becoming aware of them. Delays can lead to UK GDPR penalties of up to £8.7 million or 2% of global turnover, depending on the infringement.

In 2023, organisations reported incidents as follows:

• Less than 24 hours: 19%
• 24-72 hours: 38%
• 72 hours to 1 week: 22%
• More than 1 week: 20%

Most reports fell inside the 24-72 hour window, but a sizeable share arrived later.

Late Reporting Stays Common

Only 1 in 5 incidents were reported within 24 hours. A further 42% were reported after the 72-hour deadline (combining the 22% reported between 72 hours and one week with the 20% reported after one week).

That pattern may reflect slow incident detection, unclear escalation paths, or delays in confirming scope - all of which increase exposure after a breach.

Q1 2024: Early Signs the Patterns Held

When Q1 2024 figures were published, they pointed in the same direction as 2023:

• Most common incident type: data emailed to the incorrect recipient (539)
• Most affected data types: basic personal identifiers (83%)
• Most affected groups: customers and employees (both 31%)
• Most affected sector: health (19%)
• Most common reporting time: 24-72 hours (41%)

Those early 2024 numbers suggested little change in the main risk areas. Email errors and compromised identifiers remained the most frequent - and preventable - issues. Check the ICO’s current incident trends page for more recent releases.

What the ICO Data Means for Email Security

The ICO’s findings point to persistent issues across industries when it comes to protecting sensitive data.

Despite increased awareness, organisations continue to struggle with human error, reporting delays, and cyber risks.

Firms that treat human error and email security as operational design problems, with training supporting those controls, are better placed to reduce misdelivery and improve evidence when something goes wrong.

Strengthening secure communication practices, especially for everyday email, remains one of the most practical responses to the patterns in the data.

FAQs

What Does the ICO Breach Data Show About Human Error?

Non-cyber incidents often involve people and process failures, including information sent to the wrong recipient.

Why Is Misdirected Email a Recurring Issue?

High email volume and manual addressing make mistakes easy, especially when sensitive identifiers and documents are involved.

What Should Organisations Take from the ICO Patterns?

Review where personal data leaves the business, strengthen checks before sending, and make sure incidents can be evidenced and contained.

References

Data Security Incident Trends 2023, ICO, 2024

Personal Data Breaches: A Guide, ICO, 2024

2023 Cost of a Data Breach Report, IBM, 2023

Email Statistics Report, 2024-2028 - Executive Summary, The Radicati Group, 2024

What Are Identifiers and Related Factors?, ICO, 2024

Are UK Consumers Not Taking Email Security Seriously? (2023 Research), Beyond Encryption, 2023

Reviewed by

Sam Kendall, 30.05.26

This content is for general information only and is not legal advice.