This page shows a summary of the recent data security incidents that have been reported or notified to the ICO, or that we have identified proactively.
Data security incidents (breaches of the seventh data protection principle and personal data breaches reported under the Privacy and Electronic Communications Regulations) are a major concern for those affected and a key area of action for the ICO. We have published this information to help organisations understand what we’re seeing and take appropriate action.
In Q4 2015/16 (January to March 2016) we:
- Issued two undertakings to
- The South Eastern Health & Social Care Trust
- Chief Constable Wiltshire Constabulary
- Followed up on undertakings signed by South West Yorkshire Partnership NHS Trust; Rochdale Borough Council; Kings College London; Community Transport Ltd; Western Health and Social Care Trust; General Dental Council; Cambridgeshire Community Services NHS Trust; Anxiety UK, to check those organisations had appropriately addressed the actions agreed; and
- Received 448 new cases – approximately a 10% decrease on the number of cases received in the previous quarter (497).
Other data security activity
- We hosted the global International Enforcement Cooperation Event, which sought to develop the tools available to privacy enforcement authorities to cooperate on cross-border cases, including where data security incidents span multiple jurisdictions. Workshops were held to capture the experiences and views of the global participants.
- We are making some changes to the way we categorise cyber incidents in our records, to allow us to more accurately identify key problem areas.
- We issued a blog outlining the importance of small businesses following our new IT security guide.
Data security incident statistics and trends
The graphs below show statistics and trends about the data security incidents under consideration. The data is for Q4 of 2015/16 (January-March 2016) unless otherwise stated. Information about security incidents comes to us from a variety of sources, including self-reports from data controllers, media reports, whistle-blowers and reports from data subjects.
[Charts: Data security incidents by sector; Health sector data security incidents over time; Data security incidents by sector over time]
- The health sector continued to account for the most data security incidents. This is due to the combination of the NHS making it mandatory to report incidents, the size of the health sector, and the sensitivity of the data processed.
There was a 10% decrease in the number of data security incidents in the health sector compared to the previous quarter (from 204 in Q3 to 184 in Q4). However, despite this reduction in frequency, the proportion of all data security incidents represented by the health sector remained the same as in Q3, at 41%.
The health sector handles some of the most sensitive personal data. Data security incidents can lead to extensive detriment and high levels of distress for the data subjects affected.
Our Good Practice department currently has a number of audits planned to address data protection issues within NHS Trusts during the 2016/17 financial year.
- In a change to the previous quarter, the second most prevalent sector in Q4 was local government. The number of data security incidents in this sector increased by 34% compared to the previous quarter (from 32 in Q3 to 43 in Q4). Coupled with the overall decrease in data security incidents during Q4, this means the percentage of total incidents represented by the local government sector has also increased, from 6% in Q3 to 10% in Q4.
Local governments handle a large volume of information, much of which is sensitive; if the security of this data is compromised, this could potentially be distressing for any affected individuals. In Q4, 21% of local government incidents (9 incidents) affected social care data and 16% (7 incidents) affected health or clinical data.
- The number of incidents involving the education sector fell by 25% since the previous quarter (from 48 in Q3 to 36 in Q4) and the proportion of all incidents represented by the education sector in Q4 was 8%.
Data security incidents in the education sector can affect the personal data of young children, which can be particularly distressing for the parents/guardians of affected pupils. Given the type of data often handled by nurseries/schools/colleges/universities, incidents can also involve sensitive data, for example medical information about pupils/students, disciplinary records, as well as financial information.
- The number of incidents in the general business sector fell by 16% since the previous quarter (from 43 in Q3 to 36 in Q4), following a sharp increase between Q2 and Q3; however, this figure is still much higher than the number of incidents observed in the first half of 2015/16. Early indications suggest the increased number of incidents in the general business sector in the second half of 2015/16 was driven by an upswing in cyber-attacks. The proportion of total incidents represented by general business in Q4 was 8%, which is down slightly from 9% in Q3.
- The finance, insurance and credit sector saw a 36% decrease in incidents since Q3 (from 39 in Q3 to 25 in Q4). This represents the first reduction in incidents in this sector during 2015/16, with numbers previously showing a steady increase over the first three quarters of the financial year. Incidents within this sector account for 6% of all data security incidents considered by the ICO in Q4 – this is down slightly from 8% in Q3. Data security incidents within this sector could lead to loss of customers’ financial details, which in some cases could potentially lead to fraudulent activity and financial detriment. Ten of the incidents (40%) involving this sector in Q4 are known to have affected more than 100 people. We continue to liaise closely with the Financial Conduct Authority to discuss trends, as well as specific incidents.
- The legal sector saw a 32% increase in the number of incidents since the previous quarter (from 19 in Q3 to 25 in Q4) and 6% of all incidents in Q4 were represented by the legal sector. Information handled by legal professionals is often held in paper files rather than secured by encryption. Legal professionals will often carry around large quantities of information in folders or files when taking them to or from court and may store them at home. This can increase the risk of a data breach. The information held by legal professionals is often very sensitive (e.g. health data, social care data, criminal records); therefore the damage caused by data breaches is often substantial and could meet the statutory threshold for issuing a financial penalty.
Data security incidents by type
'Other principle 7 failures' are security incidents that cannot be categorised as one of the other types. Examples include failure to password protect emails containing personal information and processing personal data relating to work on a non-business computer.
Data security incidents by type over time
The two most prevalent incident types between January and March were paper-based and involved data being posted or faxed to an incorrect recipient and loss or theft of paperwork, both of which had 74 incidents. Each of these incident types represented 17% of all incidents considered during Q4. Incidents involving loss or theft of paperwork increased by 6% since Q3 (from 70 in Q3 to 74 in Q4), while incidents where data was posted or faxed to an incorrect recipient decreased by 11% since Q3 (from 83 in Q3 to 74 in Q4).
The number of incidents involving data being sent by email to an incorrect recipient fell by 52% since Q3 (from 88 in Q3 to 42 in Q4). This incident type was the third most common in Q4, having previously been the most common single incident type in Q3. It also experienced the largest decrease of any single incident type between Q3 and Q4. The proportion of all incidents involving data being sent by email to an incorrect recipient was 9% in Q4.
There was a 34% decrease in the number of incidents involving insecure webpages (including hacking incidents) since the previous quarter (from 59 in Q3 to 39 in Q4). Nine percent of all incidents in Q4 involved this breach type. Cyber incidents have the potential to affect large numbers of data subjects and there have been a number of high profile incidents of this nature in the media in recent months. Given the high level of public interest in data leaks as a result of hacking, incidents of this type can have a major impact in terms of the reputation of the affected data controller. The decrease in incidents of this type in Q4 may indicate that businesses are becoming increasingly aware of the importance of protecting themselves against key risk factors.
We have a Memorandum of Understanding in place with the UK’s Computer Emergency Response Team (CERT-UK) and have regular contact with them to discuss trends and threats in relation to cyber-attack incidents.
The fifth most prevalent incident type in Q4 was failure to redact data, which saw a 115% increase since Q3 (from 13 in Q3 to 28 in Q4).
It is important that when providing information to customers, organisations ensure that they do not include personal information about other individuals. In some cases this can be detrimental.
[Charts: Health sector data security incident types; Breakdown of data security incident types by sector]
Key data security issues for each sector in Q3 2015/16
The main data security issues within the health sector were:
- Data being posted or faxed to an incorrect recipient – 22% of incidents.
- Loss or theft of paperwork – 20% of incidents.
The main issues for local government were:
- Data being posted or faxed to an incorrect recipient – 23% of incidents.
- Failure to redact data – 16% of incidents.
- Loss or theft of paperwork – 14% of incidents.
The main issues for education were:
- Loss or theft of unencrypted devices – 25% of incidents.
- Insecure webpages (including hacking incidents) – 19% of incidents.
- Data being sent by email to an incorrect recipient – 14% of incidents.
The main issues for general business were:
- Insecure webpages (including hacking incidents) – 42% of incidents.
- Data being sent by email to an incorrect recipient – 14% of incidents.
- Loss or theft of paperwork – 11% of incidents.
The main issues for finance, insurance and credit were:
- Data being posted or faxed to an incorrect recipient – 20% of incidents.
- Insecure webpages (including hacking incidents) – 16% of incidents.
- Data being sent by email to an incorrect recipient – 12% of incidents.
- Loss or theft of paperwork – 12% of incidents.
The main issues for the legal sector were:
- Loss or theft of paperwork – 28% of incidents.
- Data being sent by email to an incorrect recipient – 16% of incidents.
Privacy and Electronic Communication Regulations (PECR) – mandatory breach reporting
Under the Privacy and Electronic Communications Regulations, communications service providers have a specific obligation to notify the Information Commissioner – and in some cases their own customers – about a ‘personal data breach’.
Between January and March 2016, service providers notified the ICO of 176 separate breaches. The number of incidents reported to the ICO has increased steadily throughout the past four financial quarters.
In Q2 2015/16, the ICO wrote to a large number of service providers to remind them of their obligations to report information security issues to the ICO within the required timeframe. This is likely to be the cause of the steady increase in the number of incidents reported. The ICO continues to write to additional service providers that we become aware of.
Examples of incidents reported frequently in Q4 include:
- Unauthorised divert of calls by fraudsters (due to diverts being implemented without proper validation)
- Unauthorised/accidental data disclosure
- Customers being able to view the details of other customers on their online portal
Preventing data security incidents
Across all sectors, loss and theft of paperwork or data being posted, faxed or emailed in error were the most common causes of incidents. There are some simple steps organisations can take to prevent these. Guidance and advice for organisations can be found at the below links:
We published the above information on 29 April 2016. We plan to update it each quarter.