The Information Commissioner’s Office (ICO) has reported a 20 per cent drop in personal data breach reports, from 11,854 in the 2019/20 financial year to 9,532 in the most recent financial year (FY 20/21).
These figures were published last week in the ICO’s annual report and analysed by a Parliament Street think tank. The report cited the Covid-19 pandemic as the primary reason for this drop, and mentioned that the introduction of mandatory breach reporting in sectors that handle large volumes of personal data has also contributed to the downward trend in personal data breaches reported to the ICO.
The industry which reported the highest number of data breaches was Healthcare, which made up 16.8 per cent of all personal data breaches reported to the ICO in FY 20/21. Education and Childcare came second, reporting 1,160 personal data breach incidents over the last year, which is 13.6 per cent of the total.
Retail and manufacturing was next at 10.9 per cent, Finance, insurance and credit was fourth with 10.5 per cent, and ‘local government’ was fifth, having reported 8.8 per cent of the total personal data breaches reported to the ICO.
Interestingly, 71.4 per cent of all personal data breaches reported to the ICO led to no further action. However, more than one fifth (21.6 per cent) were investigated further – the specific outcomes of these investigated cases were not clarified.
The report did reveal, however, that 3.9 per cent of personal data breaches led to ‘informal’ action being taken, and just 0.1 per cent of cases led to formal action being taken, which included administrative punishment or a lower tier fine.
Chris Ross, SVP Sales International for Barracuda Networks, commented:
“Whilst the ICO have reported a surprising decline in personal data breach incidents this year, business owners and workers must not get complacent. Despite what the figures suggest, cyber attacks targeting remote workers and businesses have increased in intensity over the last 18 months. This is particularly because more employees were working from home for the first time, and thus more sensitive data has been handled across email, cloud storage and personal devices than ever before, presenting a gold mine of opportunity for hackers.
“A general lack of security provisions and training throughout remote working also contributed to a number of bad and dangerous habits across some employees. Our recent research even revealed that malicious emails spend, on average, 83 hours in an employee’s inbox before they are detected or resolved, and perhaps most worryingly, nearly 1 in 30 will click on a link in a malicious email, potentially compromising important business data in doing so.
“Therefore, businesses must ensure that all employees are provided with regular and tailored security training, so that they can appreciate the seriousness of this threat and react accordingly.”