ICO figures obtained in a FoI reveal that humans not machines are responsible for 93 percent of data breaches
Human error is being blamed for an increase in data breaches reported to the Information Commissioner’s Office (ICO) despite an ongoing awareness of the need for appropriate education and processes to prevent such incidents.
According to a Freedom of Information (FoI) request submitted by encryption specialists Egress Software Technologies, one quarter of all data breaches between April and June 2014 involved the accidental loss or destruction of personal data and around 43 percent of these were caused by sending data to the incorrect email fax or postal addresses.
Only seven percent of breaches were caused by technical failings, with the remainder caused by human error, poor processes and systems in place, or a lack of care when handling data. Indeed, no fines have been issued due a technical error exposing confidential data, whereas £5.1 million worth of penalties have been handed out due to the poor management of sensitive information.
Public sector organisations were deemed the most culpable, with healthcare breaches doubling from 91 to 183 during the period and educational organisations suffering from a 56 percent rise. Central government alone is responsible for 38 percent of all incidents, but the private sector is not immune, with increases in the financial industry, housing sector, telecoms and recruitment.
Egress suggests this implies that convenience rather than security is a bigger priority for businesses and organisations when they share data with third parties, especially given the current emphasis on data protection following a number of high profile breaches.
“It is concerning that such a high number of data breaches occur as a result of human error and poor processes, let alone the fact that this figure is actually rising,” says Tony Pepper, CEO of Egress. “Of course, we will never be able to completely rule out people making mistakes but clearly safeguards are urgently needed. Confusion can often put confidential data at risk, with users unsure of when and how to encrypt. Similarly, a continued reliance on fax and post demonstrates a disturbing lack of care and control taken to sensitive information.”
In total, the ICO has served up £6.7 million in fines since 2010, £4.5 million of which were issued to the public sector and therefore paid using taxpayer cash. The biggest fine to date was given to Brighton and Sussex University Hospitals NHS Trust in 2012 after hard drives containing a massive amount of sensitive data were sold on eBay in 2010.
The ICO itself is also not immune. Earlier this year the watchdog admitted it had breached data privacy regulations over the past month but was criticised for its lack of transparency over the incident which it described as “non-trivial”.
What do you know about ICO and its counterparts? Take our quiz!