Cock-ups, rather than conspiracies, top self-reported data breaches

Data breaches at organisations that 'fess up to the UK's data protection watchdog are about seven times more likely to be caused by human error than hackers.

According to data released under the Freedom of Information Act, 2,124 incidents reported by organisations in 2017-18 could be pinned on mistakes or incompetence. Only 292 were classed as having a cyber element.

The figures, obtained by security biz Kroll, are on self-reported incidents from organisations to the Information Commissioner's Office, combined with data from annual reports.

Overall, the ICO has said (PDF) there were 3,156 self-reported data breaches in 2017-18 – up 29 per cent on the previous year and up 19.3 per cent on 2015-16.

The increase is due to a mix of greater awareness of what constitutes a data breach, and the fact that, since May this year, organisations are required to report serious data leaks under the General Data Protection Regulation.

The largest number of reports came from the healthcare sector, where breach reporting was already mandatory, with Kroll revealing there were some 1,214 reports made during 2017-18.

This was followed by general business (362), education and childcare (354) and local government (328).

In addition to self-reported incidents, the ICO also has to probe complaints from elsewhere. In 2017-18, it received 21,019 data protection concerns.

After investigating, the ICO can fine to organisations, and an analysis by The Register earlier this year found that the mode and median values were £70,000 and £85,000 respectively for breaches of the Data Protection Act.

The highest penalty awarded for a DPA breach to date is £400,000, however the ICO has threatened to fine Facebook £500,000 for its part in the Cambridge Analytica saga, although the charge has yet to transpire.

According to the Kroll analysis, the most common cock-ups were people sending data to the wrong recipient by email (447 reports) or snail mail (441 reports), followed by the loss or theft of paperwork, which accounted for 438 incidents.

Failing to redact data resulted in 256 mea culpas, while leaving data in an insecure location was reported 164 times.

Everyone's favourite technical hitch – staffers' inability to use the bcc function in emails – was responsible for 147 breaches, closely followed by the 133 equally facepalm-inducing incidents where an unencrypted device was lost or stolen.

Cyber break-ins were smaller than all of these, with unauthorised access resulting in 102 breach reports. Malware and phishing accounted for 53 and 51 breaches respectively, while 33 reports were attributed to ransomware, 20 to brute-forcing and two denial-of-service attacks. ®