ICO legal sector data breach reports surge by 112% in two years

Back to school and we kick off with the cheery news that legal sector data security incidents, as reported to the Information Commissioner’s Office, have risen by 112% in two years, well above the all-sector average, with the justice sector up 128%. Human error (as opposed to a cyber incident) accounted for the vast majority of incidents, led by data being emailed to the wrong recipient.
The stats, which were obtained by Kroll under a Freedom of Information request, show that across all sectors the number of security incidents has increased by 75%. The two sectors with a far higher rise in the number of incidents reported are ‘general business’ (215%) and education and childcare (142%). ‘Justice’ saw a 128% increase in the number of reported incidents.
While we know that the legal sector is a growing target for hackers, the increase in numbers may in fact be attributable to firms gearing up for a new era of transparency under the General Data Protection Regulation, which came into force in May and under which reporting breaches is mandatory.
Andrew Beckett, managing director and EMEA leader for Kroll’s cyber risk practice, said: “Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force, so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK. The recent rise in the number of reports is probably due to organisations’ gearing up for the GDPR as much as an increase in incidents. Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported as the GDPR imposes a duty on all organisations to report certain types of personal data breach.
“We would also expect to see an increase in the value of penalties issued as the maximum possible fine has risen from £500,000 to €20 million or 4 per cent of annual turnover, whichever is higher. The ultimate impact is that businesses face not only a much greater financial risk around personal data, but also a heightened reputational risk.”
Kroll’s analysis reveals that the data breach risks posed by human error are at least as great as those from cyber attacks. In the past year, of the incidents where the type of breach is specified, 2,124 reports could be attributed to human error, compared to just 292 that were deliberate cyber incidents.
The most common types of incidents due to human error include data being emailed to the wrong recipient (447 incidents), loss or theft of paperwork (438) and data left in an insecure location (164). The loss or theft of unencrypted devices (133) is another common reason for data breach reports.
Of the deliberate cyber incidents reported, specific circumstances logged include unauthorised access (102), malware (53), phishing attacks (51) and ransomware (33).
Top 10 sectors for data breach reports, 2017/18 and percentage changes over two years:

| Sector | Number of incidents reported in 2017/18 | Percentage change in two years |
|---|---|---|
| Health | 1,214 | 41% |
| General business | 362 | 215% |
| Education and childcare | 354 | 142% |
| Local government | 328 | 80% |
| Finance, insurance and credit | 207 | 74% |
| Justice | 164 | 128% |
| Legal | 159 | 112% |
| Charitable and voluntary | 148 | 100% |
| Land or property services | 86 | 56% |
| Central government | 53 | 56% |
Data breach reports arising from specific kinds of cyber incident:

| Breach type | Number of reports related to this type of breach 2017/18 |
|---|---|
| Unauthorised access (cyber) | 102 |
| Malware | 53 |
| Phishing | 51 |
| Ransomware | 33 |
| Other cyber incident | 31 |
| Brute force (password attack) | 20 |
| Denial of service | 2 |
Data breach reports arising from specific kinds of human error:

| Breach type | Number of reports related to this type of breach 2017/18 |
|---|---|
| Data sent by email to incorrect recipient | 447 |
| Data posted/faxed to incorrect recipient | 441 |
| Loss/theft of paperwork | 438 |
| Failure to redact data | 256 |
| Data left in insecure location | 164 |
| Failure to use bcc when sending email | 147 |
| Loss/theft of unencrypted device | 133 |
| Verbal disclosure | 46 |
| Insecure disposal of paperwork | 35 |
| Loss/theft of only copy of encrypted data | 16 |
| Insecure disposal of hardware | 1 |