Where did data security go wrong in 2016?

The latest figures from the ICO vividly illustrate the challenge facing those involved with data security, and the many possible ways that data can be lost or compromised.

The Information Commissioner’s Office (ICO) has released its latest data on data security breaches in 2016, along with information on actions it has taken – and it makes sobering reading for anyone involved with data security.

There were a total of 2168 reported data breaches over the year, a 19% increase on the same period in 2015.

Looking at individual sectors, healthcare suffered by far the highest volume of breaches in 2016, accounting for a huge 40% of the total (876 of 2168). The next highest sectors were local government and general business, with 10% (216) and 9% (197) respectively. The best sectors for data security were media, marketing, utilities, religious and political organisations, all of which accounted for so few incidents that their shares of the total rounded down to 0%.

The pie chart below shows the full breakdown.

[Figure: pie chart comparing ICO breaches by sector in 2016]

Clearly, healthcare is the sector that is by far the most vulnerable to data breaches. There are several reasons for this, many related to paper records. For example, the sector recorded 36 instances of loss or theft of paperwork and 45 cases where data was posted or faxed to the incorrect recipient. For more on the specific problems facing the health sector, please see our article on Data security incidents in the health sector.

The many types of security breach highlighted by the ICO underscore how many threats there are to information security.

With the advent of the ‘paperless office’, you might assume that the security of paper records had become less important. In fact, improper handling or disposal of paperwork accounted for 986 incidents in 2016, or 45% of the total. That includes 75 instances of insecure disposal and 337 of loss or theft. There were 367 cases of data being faxed or posted to the wrong person and 63 where it was left in an insecure location.

On the digital side, there were 195 cases of data being sent via email to the wrong recipient, and 95 instances of an unencrypted device being lost. Data was left in an insecure location 63 times, and on 18 occasions organisations fell prey to phishing, where fraudsters obtain confidential information online through deception.

Data hardware is another key area that is often neglected, and there were seven cases where hardware was not disposed of in a secure manner. Failing to dispose of computers, hard drives, removable media and other equipment securely leaves them open to being discovered and mined for personal information by data thieves.

Finally, there were 40 cases where ‘careless talk cost data’ – that is, confidential information was revealed simply through verbal disclosure, highlighting that data protection isn’t always to do with technology.

When it comes to securely disposing of paper records and computer hardware, one of the most effective options is to work with a professional shredding company. We can carry out secure, confidential shredding either on site or at our own premises, ensuring that written and digital records never fall into the wrong hands. To learn more, visit our services pages.