A deep dive into the ICO’s numbers
We often hear the terms ‘accidental breach’ and ‘internal threat’, but how common are these phenomena?
To find out, we looked at the ICO’s (Information Commissioner’s Office) public data set, specifically looking into four data breach types caused by human error:
- Data emailed to incorrect recipient.
- Data posted or faxed to incorrect recipient.
- Failure to redact.
- Failure to use Bcc.
Note that this data set only accounts for personal data breaches reported to the ICO, so it only reflects breaches affecting UK residents that were not just discovered, but also reported.
Also note that this blog only accounts for the data from 2020–2022, because these are the only years the ICO has released its full data set on. At the time of writing, the data set starts in Q2 2019 and goes up to Q2 2023.
When more data is released, we’ll publish a new analysis.
Number of reportable breaches by incident type and year
2020 | 2021 | 2022 | ||||
Data emailed to incorrect recipient | 1,519 | 16% | 1,693 | 17% | 1,570 | 18% |
Data posted or faxed to incorrect recipient | 998 | 10% | 831 | 9% | 760 | 9% |
Failure to redact | 380 | 4% | 412 | 4% | 427 | 5% |
Failure to use Bcc | 362 | 4% | 279 | 3% | 246 | 3% |
Total | 3,259 | 34% | 3,215 | 33% | 3,003 | 34% |
Across all three years, sending personal data to the incorrect recipient (whether by email, post or fax) is a significantly more common cause of a breach than failing to redact data or use Bcc (blind carbon copy).
It’s also interesting to note that the data has been very consistent over the years, particularly in terms of percentages.
As we go deeper into the numbers – looking at specific sectors, the number of data subjects affected and the reporting time – we won’t distinguish between the different years, given the annual data’s consistency.
We’ll also look at how the ICO numbers compare to our own research, and what organisations can do to prevent these types of breaches.
What sectors are breached accidentally the most?
Note: For the purposes of this blog, an accidental breach is one of four types: data emailed to incorrect recipient, data posted or faxed to incorrect recipient, failure to redact, and failure to use Bcc.
Top 3 sectors by number of accidental breaches
Sector | Number of accidental breaches | |
1 | Health | 1,690 |
2 | Education | 1,440 |
3 | Local government | 1,348 |
The table above shows the three sectors breached accidentally most often, in terms of absolute numbers.
However, this information is of limited use where we don’t have a denominator. Bigger sectors are likely to have more breaches; it doesn’t automatically follow that they’re less secure, or that staff working within those sectors are more careless.
With that in mind, let’s look at the most-breached sectors in percentages, by dividing the number of accidental breaches of a given sector by the total number of breaches suffered by the same sector.
Top 3 sectors by largest percentage of accidental breaches
Sector | Percentage of accidental breaches | Absolute number of accidental breaches | |
1 | Local government | 52% | 1,348 |
2 | Legal | 51% | 1,062 |
3 | Regulators | 45% | 43 |
Note: We’ve excluded the ‘unassigned’ sector, which would otherwise be the highest-ranking sector here, at 67%.
Shockingly, the top two sectors – local government and legal – have more reportable data breaches attributable to human error than not, and the third sector – regulators – isn’t far behind.
Which sectors perform worse than average?
But how does this compare to the UK benchmark? On average, what percentage of breaches are caused accidentally in the UK?
According to the ICO’s data from 2020–2022, the answer is 34% – or 33.6%, to be more exact.
Including the 3 sectors listed above, 8 UK sectors (out of 21) perform worse than this benchmark. In other words, they suffer more clearly preventable breaches – caused by human error – than your average UK organisation.
The 8 sectors are:
- Local government (52%)
- Legal (51%)
- Central government (46%)
- Regulators (45%)
- Political (44%)
- Education and childcare (36%)
- Membership association (35%)
- Land or property services (34.3%)
How many data subjects were affected?
Accidental breaches | All breaches | |||
1 – 9 | 6,386 | 67% | 13,157 | 47% |
10 – 99 | 1,124 | 12% | 3,690 | 13% |
100 – 1,000 | 820 | 9% | 3,173 | 11% |
1,000 – 10,000 | 179 | 2% | 1,548 | 5% |
10,000 – 100,000 | 28 | 0% | 499 | 2% |
>100,000 | 8 | 0% | 234 | 1% |
Unknown | 932 | 10% | 5,941 | 21% |
Unlike our own research, the ICO only specifies the number of affected data subjects in ranges. Nevertheless, we can see a clear pattern here: accidental breaches are more likely to affect a lower number of data subjects than personal data breaches in general.
This isn’t too surprising.
Out of the four incident types we’re looking at, consider the two most common: sending data to the wrong person by email, and by post or fax. That might be in the context of responding to a DSAR (data subject access request), responding to a FOI (freedom of information) request or simply emailing someone as part of your usual business activities.
Either way, you’re often sending a limited amount of data. This limits the amount of data subjects likely to be affected, should you send that data to one or more unintended recipients.
Number of subjects affected by accidental breach type
Looking at the more granular data confirms this theory:
Data emailed to incorrect recipient | Data posted or faxed to incorrect recipient | |||
1 – 9 | 3,373 | 71% | 2,059 | 80% |
10 – 99 | 520 | 11% | 180 | 7% |
100 – 1,000 | 303 | 6% | 80 | 3% |
1,000 – 10,000 | 94 | 2% | 26 | 1% |
10,000 – 100,000 | 19 | 0% | 4 | 0% |
>100,000 | 8 | 0% | 0 | 0% |
Unknown | 465 | 10% | 240 | 9% |
Failure to redact | Failure to use Bcc | |||
1 – 9 | 882 | 72% | 72 | 8% |
10 – 99 | 117 | 10% | 307 | 35% |
100 – 1,000 | 44 | 4% | 393 | 44% |
1,000 – 10,000 | 22 | 2% | 37 | 4% |
10,000 – 100,000 | 4 | 0% | 1 | 0% |
>100,000 | 0 | 0% | 0 | 0% |
Unknown | 150 | 12% | 77 | 9% |
The typical number of data subjects impacted by accidental breaches is very low, unless the breach in question is a matter of failing to use Bcc. Again, that isn’t too surprising – this type of breach tends to affect a larger number of people.
How long did it take to report accidental breaches?
Accidental breaches | All breaches | |||
Less than 24 hours | 2,659 | 28% | 7,082 | 25% |
24 hours to 72 hours | 3,567 | 38% | 10,386 | 37% |
72 hours to 1 week | 1,756 | 19% | 5,719 | 20% |
More than 1 week | 1,495 | 16% | 5,055 | 18% |
Note: The percentages under ‘Accidental breaches’ add up to 101% due to rounding.
As a reminder, the GDPR (General Data Protection Regulation) requires notifiable incidents to be reported to the relevant supervisory authority within 72 hours.
So, to see just 62% of all breaches reported within that window is worrying. And for accidental breaches, the numbers aren’t much better at 66%.
Basically, more than one in three incidents does not get reported on time. This is especially concerning for accidental breaches, considering that it shouldn’t take very long to become aware of the breach or to investigate it.
Comparing the ICO numbers against IT Governance’s research
Considering that there are thousands of accidental breaches every year in the UK alone, it may appear surprising that our own research uncovers considerably fewer than this.
This, however, is a product of our methodology. We get our data by analysing the news, and accidental breaches – especially small ones – are far less likely to make the headlines.
To illustrate the point, consider some of the recent UK breaches caused by human error that featured in the media:
- University Hospital Southampton – up to 42,000 people affected.
- Addenbrooke’s Hospital – 22,446 people affected.
- True Potential – 6,336 people affected.
Bearing in mind our earlier analysis of the ICO data, such incidents – affecting thousands of people – are the exception, not the norm.
Nevertheless, we know that such breaches are extremely common – the ICO data tells us that.
Furthermore, just because they feature less in the news doesn’t make them any less damaging to clients’ (and other stakeholders’) trust. If you suffer this type of breach – the type that is clearly preventable – this will obviously hurt your reputation.
With that in mind, organisations should take steps to prevent them.
How can you prevent breaches caused by human error?
Staff training and awareness is by far the most effective way to prevent accidental breaches.
It can also be an extremely cost-effective and time-efficient way of implementing security, particularly if you take the elearning route.
GDPR: Email Misuse Staff Awareness E-Learning Course
This non-technical, ten-minute elearning course is suitable for everyone who needs to be aware of the risks and consequences that come with misusing email.
It will help staff better understand how to communicate securely and lawfully via email.
Ideal for initial and repeat engagement, the course covers:
- What Cc and Bcc are;
- Examples of Cc and Bcc in use;
- What autocomplete is, and why it’s important;
- The legal and business risks of misusing email; and
- Much more!