Data breaches reported to ICO drop 20% due to Covid-19

The Information Commissioner’s Office (ICO) has reported a 20% drop in personal data breach reports, from 11,854 in the 2019/20 financial year, down to 9,532 in the most recent financial year (FY 20/21).
These figures were published last week in the ICO’s annual report and analysed by a Parliament Street think tank. The report cited the Covid-19 pandemic as the primary reason for this drop, and mentioned that the introduction of mandatory breach reporting in sectors that handle large volumes of personal data has also contributed to the downward trend in personal data breaches reported to the ICO.
The industry which reported the highest instances of data breaches was Healthcare – which made up 16.8% of all personal data breaches reported to the ICO in FY 20/21. Education and Childcare came second, reporting 1,160 personal data breach incidents over the last year, which is 13.6% of the total quantity.
Retail and manufacturing was next at 10.9%, finance, insurance and credit was fourth with 10.5%, and ‘local government’ was fifth, having reported 8.8% of the total personal data breaches reported to the ICO.
Interestingly, 71.4% of all personal data breaches reported to the ICO led to no further action. However, more than one fifth (21.6%) were investigated further – the specific outcomes of these investigated cases were not clarified.
The report did reveal, however, that 3.9% of personal data breaches led to ‘informal’ action being taken, and just 0.1% of cases led to formal action being taken, which included administrative punishment or a lower tier fine.
Chris Ross, SVP Sales International for Barracuda Networks, commented: “Whilst the ICO have reported a surprising decline in personal data breach incidents this year, business owners and workers must not get complacent. Despite what the figures suggest, cyber attacks targeting remote workers and businesses have increased in intensity over the last 18 months. This is particularly because more employees were working from home for the first time, and thus more sensitive data has been handled across email, cloud storage and personal devices than ever before, presenting a gold mine of opportunity for hackers.
“A general lack of security provisions and training throughout remote working also contributed to a number of bad and dangerous habits across some employees. Our recent research even revealed that malicious emails spend, on average, 83 hours in an employee’s inbox before they are detected or resolved, and perhaps most worryingly, nearly 1 in 30 will click on a link in a malicious email, potentially compromising important business data in doing so.
“Therefore, businesses must ensure that all employees are provided with regular and tailored security training, so that they can appreciate the seriousness of this threat and react accordingly.”
