twobee - Fotolia

Volume of self-reported breaches to ICO jumps 30%

The number of self-reported breaches to the UK’s Information Commissioner’s Office soared by nearly 30% in the 12 months to 30 June 2022

The volume of self-reported breaches to the Information Commissioner’s Office (ICO) rose by 29% year on year from 9,535 to 12,314 in the 12 months to 30 June 2022, according to data sourced via a Freedom of Information (FoI) request by enterprise data management specialist Veritas.

The ICO provided information on breach reports received from 2019 to 2022 and, broadly speaking, the data shows an upward trend throughout the period. Veritas said the statistics showed that the “skyrocketing volume of data” – the amount of personally identifiable information (PII) that organisations have to deal with has supposedly doubled since 2019 – was nothing short of overwhelming, and that many were struggling to keep up, and finding it difficult, if not impossible, to manage sensitive information.

“The amount of data that companies now hold creates both an advantage and a risk,” said Ian Wood, Veritas’s UK chief technology officer (CTO). “The average UK company told us in 2021 that they would need to hire 22 additional members of IT staff to work for a year in order to put security in place on their unprotected data.

“In that time, the volume of PII has grown again and skills and budget shortages mean that few employers have been able to expand their teams anywhere near fast enough.”

Wood added: “It’s not fair to suggest that employees are to blame for the breaches that the ICO is being notified of. The only way to keep people’s personal information safe is to implement technological solutions to monitor data and lock it away from anyone who shouldn’t access it – whether that’s an employee who might accidentally email it to the wrong person, or a hacker trying to steal it.”

The most common data breaches tended to be the result of emails being sent to the wrong recipients, with more than 1,900 such incidents reported during the wider three-year period. In the same timeframe, there were also 1,387 instances of unauthorised access and 1,081 instances of phishing.

The data also highlighted a substantial, fivefold increase in reports of ransomware-related breaches, which jumped from 129 in 2019/20 to 818 in 2021/22.

The ICO’s busiest period for reporting during the 12 months to 30 June was the final calendar quarter of 2021, when it received 2,193 reports, with a peak of 794 incidents in November 2021.

In the first six months of 2022, the ICO received 3,637 breach reports, of which 629 related to emails being sent to the incorrect recipient, 452 related to unauthorised access, 279 related to phishing attacks, and 247 to ransomware. The busiest month for ransomware was May 2022, when 60 attacks were notified to the ICO.

Wood warned that cyber criminals had been quick to exploit both the rapid pace of digital transformation since 2020 – which has left the data management practices of many organisations woefully outdated – as well as the impact of the Covid-19 pandemic on working practices.

Acknowledging that the combination of an aggressive threat landscape, data volumes, challenging macroeconomic conditions and fluid working practices was leaving staff stretched, Wood made the case for autonomous data management systems to relieve some of the pressure.

Read more about the ICO’s work

  • ICO warning highlights risk of ‘systemic bias’ and discrimination associated with organisations using biometric data and technologies for emotion analysis.
  • Information commissioner John Edwards warns against complacency as his office issues a multimillion-pound fine to a building company that failed to prevent a ransomware attack.
  • Data protection experts question ICO’s selective approach to publishing formal reprimands for contravening the law, after FoI request reveals the Cabinet Office was among the organisations reprimanded.

Read more on Data breach incident management and recovery