
Data Security: An Analysis of 2023 ICO Breach Reporting

Data security threats are rising, and organisations must act fast to keep sensitive information safe.

As an independent UK authority, the Information Commissioner’s Office (ICO) exists to uphold information rights in the public interest, encouraging openness by public bodies and safeguarding data privacy for individuals.

The ICO regularly shares quarterly reports on data security incidents. Let’s explore the key insights from their 2023 trends.

Introduction

Throughout 2023, 11,074 incidents were reported.

This marks a significant increase from 2022, which saw 8,799 reported incidents.

Note

The ICO’s data is based on reports of data security incidents. While there are limitations, the data provides a clear view of common threats and breaches.

Malicious or Accidental?

Three-quarters of 2023’s incidents were classified as non-cyber.

These incidents typically involved human error - such as misdirected emails or lost paperwork - without a direct technological or malicious cause.

The remaining quarter were cyber incidents, including phishing and malware attacks, which involved clear malicious intent.

What Does This Tell Us?

The prevalence of non-cyber breaches highlights human error as the leading cause of data loss.

This supports research by IBM suggesting that over 95% of data breaches originate from human mistakes.

Pie chart showing 95% of data breaches caused by human error.

This suggests organisations should prioritise awareness training and cultural improvements around secure practices.

Most Common Incident Type

The most frequently reported incident in 2023 was data emailed to the wrong recipient, accounting for 16% of all cases.

Given the 361.6 billion daily emails sent worldwide, this isn’t surprising.

The top 5 incident types were:

  • Data emailed to the incorrect recipient (1,744)
  • Unauthorised access (1,267)
  • Ransomware (1,230)
  • Phishing (932)
  • Data posted or faxed to the incorrect recipient (690)

Bar chart of top ICO incident types 2023

What Does This Tell Us?

Ransomware attacks and email misdelivery saw a steep rise. While some categories like physical misdelivery declined slightly, digital errors and unauthorised access continue to grow.

Our consumer research found that 25% of UK adults have accidentally emailed personal data to the wrong person.

Most Common Data Types

When data breaches occurred, these were the most frequently compromised types of information:

  • Basic personal identifiers (84%)
  • Health data (27%)
  • Economic and financial data (20%)
  • Official documents (9%)
  • Identification data (8%)

Bar chart showing most compromised data types in 2023

What Does This Tell Us?

While personal identifiers may seem low risk, when combined with other data, they can pose a serious threat to digital identity.

ICO guidance reinforces this risk:

"You still need to protect information because of the risk that someone may, with greater or lesser certainty, be able to infer something about a particular individual. For example, if it was published and combined with information held by other organisations."

Information Commissioner’s Office

Health and financial information also present high risks in the wrong hands.

With over a quarter of cases involving health data and 20% involving financial information, organisations must do more to protect this sensitive material.

Who Was Affected?

In 2023, 31% of data subjects affected were customers or prospective customers.

Other highly affected groups included:

  • Employees (29%)
  • Patients (13%)
  • Children (13%)
  • Students (8%)

Pie chart showing affected data subjects

What Does This Tell Us?

Organisations must ask themselves whether customers can truly trust them with personal information. A failure to protect customer data can result in lost trust and business.

Similarly, the number of incidents involving patient data is troubling. Health organisations handle highly sensitive information, and breaches can have serious consequences for affected individuals.

Which Sectors Were Affected?

Sectors holding sensitive information remain top targets.

From Q1 to Q4 2023, the sectors with the largest percentage increases in reported incidents were:

  • Religious (250%)
  • Marketing (229%)

Overall, the top 5 most affected sectors in 2023 were:

  • Health (17%)
  • Education and childcare (14%)
  • Finance, insurance, and credit (11%)
  • Local government (10%)
  • Retail and manufacturing (10%)

Bar chart showing incident distribution by sector

What Does This Tell Us?

These sectors are high-value targets due to the volume and sensitivity of their data.

Despite strict regulations, many are still falling short on prevention - particularly when it comes to protecting vulnerable people such as children and patients.

Time Taken to Report

According to ICO guidance, data breaches must be reported within 72 hours of awareness. Delays can lead to penalties of up to £8.7 million or 2% of global turnover.

In 2023, organisations reported incidents as follows:

  • Less than 24 hours (19%)
  • 24-72 hours (38%)
  • 72 hours to 1 week (22%)
  • More than 1 week (20%)

Bar chart showing reporting timeframes

What Does This Tell Us?

Only 1 in 5 incidents were reported within 24 hours. Worse still, 42% were reported after the 72-hour deadline.

This may reflect a lack of incident detection capability or internal delays in escalation - both of which heighten the risk of data exposure.

A Glance Into 2024

Although only Q1 data for 2024 is available so far, the same patterns are emerging:

  • Most common incident type: Data emailed to the incorrect recipient (539)
  • Most affected data types: Basic personal identifiers (83%)
  • Most affected groups: Customers and employees (both 31%)
  • Most affected sector: Health (19%)
  • Most common reporting time: 24-72 hours (41%)

These numbers indicate little change in the key areas of risk. Email errors and compromised identifiers remain the most frequent - and preventable - issues.

Conclusion

The ICO’s findings highlight persistent issues across industries when it comes to protecting sensitive data.

Despite increased awareness, organisations continue to struggle with human error, reporting delays, and cyber risks.

To build trust and avoid regulatory consequences, it’s time to strengthen practices around secure communication, especially when using everyday tools like email.


References

Data Security Incident Trends 2023, ICO, 2024

2023 Cost of a Data Breach Report, IBM, 2023

Daily Number of Emails Worldwide, Statista, 2023

What Are Identifiers and Related Factors?, ICO, 2024

Reviewed by

Sam Kendall, 20.06.24

Sabrina McClune, 08.05.25

 

Originally posted on 01 09 23
Last updated on May 8, 2025

Posted by: Sabrina McClune

Sabrina McClune is a Women in Tech Excellence 2022 finalist who writes extensively on cybersecurity, digital transformation, data protection, and digital identity. With a postgraduate degree in Digital Marketing (Distinction) and a First-Class Honours degree in English, she combines a strong academic foundation with professional expertise. At Beyond Encryption, Sabrina develops research-led content that supports financial and technology sectors navigating the complexities of the digital age.
