The number of security incidents reported to UK data privacy watchdogs nearly doubled in the past year, with organisations increasingly becoming overwhelmed with security problems.
Data disclosed in error and security breaches were the two primary reasons for an 88 per cent rise in self-reported data protection breaches between 2014-15 and 2015-16, according to a Freedom of Information request by security tools firm Huntsman Security.
The number of security breaches reported to the Information Commissioner’s Office (ICO) rose from 1,089 between April 2014 and March 2015 to 2,048 over the 12 months ending March 2016. This was driven primarily by those disclosing data in error (i.e. accidentally emailing a customer database to the wrong recipient, as in the extreme case of WHSmith) and incidents where hackers broke through organisational defences.
Healthcare and local government organisations reported the highest volume of incidents to the ICO, with 941 and 202 recorded breaches respectively. Despite a reputation in previous years for poor performance, local government shows some signs of improvement compared to many other sectors, with the number of security breaches rising by only 14 per cent.
Financial firms are most at risk of costly fines, attracting over a third of all penalties levied by the ICO despite accounting for only 6 per cent of all reported breaches.
The ICO took no action over 1,544 of the 2,048 cases reported to it in 2015-16. Data Controller action was required in 381 of the remaining cases while an improvement action plan was put in place in response to 50 incidents. Undertakings to improve security practices were extracted in 26 cases.
UK utilities firms reported just two breaches to the ICO over the past 12 months, but given the high value of these firms as targets, it seems unlikely this is the full picture. Huntsman Security warns that many breaches go unreported, or worse still, undetected.
“Unfortunately, this is not the full story. The average organisation is subject to multiple breaches, of which only some will be detected, so the figures reported to the ICO are likely to be understated,” said Peter Woollacott, chief exec of Huntsman Security. “The root of the problem is that organisations are under such an intense barrage of cyber activity that threat alerts, many of which turn out to be benign, are overwhelming cyber security teams. There is simply too much data to analyse and verify manually.”