60% of ICO-reported breaches this year are caused by human error, with healthcare the most-affected sector

London, UK, 20th August 2019: Figures released today by Egress, the leading provider of people-centric data security solutions, obtained via a Freedom of Information (FOI) request, highlight concerning statistics on human error remaining the main cause of personal data breaches (PDBs).

The figures show that of the 4856 PDBs reported to the Information Commissioner’s Office (ICO) between 1st January and 20th June 2019, 60% were the result of human error.

Of those incidents, nearly half (43%) were the result of incorrect disclosure, with 20% posting or faxing data to the incorrect recipient. Nearly a fifth (18%) were attributed to emailing information to incorrect recipients or failing to use Bcc, and 5% were caused by providing data in a response to a phishing attack.

Tony Pepper, CEO, Egress comments: “These statistics are alarming. All too often, organisations fixate on external threats, while the biggest cause of breaches remains the fallibility of people and an inherent inability of employees to send emails to the right person. Not every insider breach is the result of reckless or negligent employees, but regardless, the presence of human error in breaches means organisations must invest in technology that works alongside the user in mitigating the insider threat.”

The statistics further compound findings from the Insider Data Breach survey 2019, research commissioned by Egress and conducted by independent research company Opinion Matters. The research, which gathered responses from over 500 IT leaders and 4,000 employees to assess the root causes of internal data breaches, as well as their frequency and impact, showed that 95% of IT leaders are concerned about insider threat. The research also showed that 79% of IT leaders believed that employees have put company data at risk accidentally in the last 12 months, whilst 61% believe they have done so maliciously.

Healthcare continues to top the list
Analysing the ICO’s personal data breaches in this period, by sector, reveals the following industries top the list:

  1. 18% were reported within Healthcare
  2. 16% were reported within Central and Local Government
  3. 12% were reported within Education
  4. 11% were reported within Justice and Legal
  5. 9% were reported within Financial Services

In Verizon’s 2019 Data Breach Investigations Report, healthcare was the only industry where the insider threat created more data breaches than external attacks (59% of data breaches are associated with internal actors). According to Verizon, mis-delivery was the most common type of human error that led to data breaches, making up 15% of all data breaches affecting healthcare organisations.

Pepper continues: “The healthcare sector persistently tops the list when analysing the sectors affected by data breaches. This is very concerning, especially given the nature of the data. Why this particular industry continues to suffer from internal breaches is worrying and the sector must quickly take action to identify how it can work towards mitigating the insider threat.”

“What’s equally worrying is that the statistics obtained from our FOI request leave us in a ‘Groundhog Day’ scenario. When the ICO released its Q1 statistics last year it showed that between April and June 2018 3416 data security incidents were reported, most of which were again down to human error, failed processes and inadequate policies. The data revealed that of those 3146 ‘security incidents’ incorrect disclosure of data accounted for 65%, as opposed to external ‘cyber threats’ caused by malware, ransomware, brute force attacks and phishing, which accounted for around 13%,” he adds.