The volume of data breach incidents reported to the Information Commissioner’s Office (ICO) has almost doubled in the space of a year, according to a new Freedom of Information (FoI) request.
The figure rose from 1,089 in the period April 2014-March 2015 to 2,048 in virtually the same period a year later, according to Huntsman Security.
Health, local government and education were the worst performing sectors in terms of the volume of breaches disclosed, accounting for 64% of the total in 2015-16.
However, financial organizations were the worst hit by ICO fines. Despite accounting for fewer than 6% of incidents they were on the receiving end of 33% of the watchdog’s financial penalties during the period, which hints at the severity of these breaches.
In three-quarters of the total number of cases, no action was taken by the ICO, either suggesting that the incidents themselves were fairly innocuous or that the watchdog needs to grow some sharper teeth.
It’s believed that incoming commissioner Elizabeth Denham may be less forgiving of organizations in this regard than her predecessor.
Data disclosed in error accounted for the vast majority of reported breaches (67%), followed by security incidents (30%).
However, there are signs that some organizations are still failing to report all of the breaches that occur on their watch – whether that’s deliberate or a result of poor technology and processes combined with an overwhelming volume of security incidents to deal with.
UK utilities firms reported just two breaches over an entire year, for example, despite representing a high risk target.
“The most likely reason for the ICO not being notified of breaches is that organizations simply aren’t aware of them; after all, it’s still very easy for an issue to remain unknown for weeks or even months before it’s noticed,” Huntsman Security head of product management, Piers Wilson, told Infosecurity.
“At the same time, any organization purposefully keeping breaches secret would have to balance any short-term benefit against the ultimate cost, in terms of reputation, share price and loyalty, of being found out. Of course, the ultimate proof will be when the GDPR, or similar legislation, comes into effect. A consistent, sharp increase in reported breaches could tell its own story.”