Back to school and we kick off with the cheery news that legal sector data security incidents as reported to the Information Commissioner’s Office have risen by a significantly above average 112% in two years, with the justice sector up 128%. Human error (as opposed to a cyber incident) accounted for the vast majority of incidents, led by data being emailed to the wrong recipient.

The stats, which were obtained by Kroll under a Freedom of Information request, show that across all sectors the number of security incidents has increased by 75%. However, the two sectors that have seen a far higher rise in the number of incidents reported include ‘general business’ (215%) and education and childcare (142%). ‘Justice’ saw a 128% increase in the number of reported incidents.

While we know that the legal sector is a growing target for hackers, the increase in numbers may in fact be attributable to firms gearing up for a new era of transparency under the General Data Protection Regulation, which came into force in May and under which reporting breaches is mandatory.

Andrew Beckett, managing director and EMEA leader for Kroll’s cyber risk practice, said: “Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force, so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK. The recent rise in the number of reports is probably due to organisations gearing up for the GDPR as much as an increase in incidents. Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported as the GDPR imposes a duty on all organisations to report certain types of personal data breach.

“We would also expect to see an increase in the value of penalties issued as the maximum possible fine has risen from £500,000 to €20 million or 4 per cent of annual turnover, whichever is higher. The ultimate impact is that businesses face not only a much greater financial risk around personal data, but also a heightened reputational risk.”

Kroll’s analysis reveals that the data breach risks posed by human error are at least as great as those from cyber attacks. In the past year, of the incidents where the type of breach is specified, 2,124 reports could be attributed to human error, compared to just 292 that were deliberate cyber incidents.

The most common types of incidents due to human error include data being emailed to the wrong recipient (447 incidents), loss or theft of paperwork (438) and data left in an insecure location (164). The loss or theft of unencrypted devices (133) is another common reason for data breach reports.

Of the deliberate cyber incidents reported, specific circumstances logged include unauthorised access (102), malware (53), phishing attacks (51) and ransomware (33).

Top 10 sectors for data breach reports, 2017/18 and percentage changes over two years

| Sector | Number of incidents reported in 2017/18 | Percentage change in two years |
| --- | --- | --- |
| Health | 1,214 | 41% |
| General business | 362 | 215% |
| Education and childcare | 354 | 142% |
| Local government | 328 | 80% |
| Finance, insurance and credit | 207 | 74% |
| Justice | 164 | 128% |
| Legal | 159 | 112% |
| Charitable and voluntary | 148 | 100% |
| Land or property services | 86 | 56% |
| Central government | 53 | 56% |


Data breach reports arising from specific kinds of cyber incident:

| Breach type | Number of reports related to this type of breach, 2017/18 |
| --- | --- |
| Unauthorised access (cyber) | 102 |
| Malware | 53 |
| Phishing | 51 |
| Ransomware | 33 |
| Other cyber incident | 31 |
| Brute force (password attack) | 20 |
| Denial of service | 2 |


Data breach reports arising from specific kinds of human error:

| Breach type | Number of reports related to this type of breach, 2017/18 |
| --- | --- |
| Data sent by email to incorrect recipient | 447 |
| Data posted/faxed to incorrect recipient | 441 |
| Loss/theft of paperwork | 438 |
| Failure to redact data | 256 |
| Data left in insecure location | 164 |
| Failure to use bcc when sending email | 147 |
| Loss/theft of unencrypted device | 133 |
| Verbal disclosure | 46 |
| Insecure disposal of paperwork | 35 |
| Loss/theft of only copy of encrypted data | 16 |
| Insecure disposal of hardware | 1 |
