Number Of Breaches Impacting Over 100,000 Data Subjects More Than Doubles In 2022
UK cyber security breaches fell by 20% in 2022. However, according to analysis of the latest Information Commissioner’s Office (ICO) data by Irwin Mitchell, the number of large-scale attacks which impacted the privacy of over 100,000 individuals grew significantly.
The ICO’s ‘Data Security Incidents Dashboard’ reveals that cyber incidents accounted for 25% of data breaches in 2022. The independent regulator says 2,069 incidents were reported to it last year, which is 20% lower than 2021 and 5% less than 2020.
Although the number of cyber-related breaches has fallen, the ICO’s data reveal there were 77 incidents which affected 100,000 or more data subjects - amounting to a 133% increase in large-scale attacks compared to 2021.
The number of cyber-related data breach incidents which affected between 10,000 and 100,000 data subjects increased by 49% in 2022 compared to 2021.
The data reveal that out of the 77 data breaches in 2022 that impacted over a hundred thousand individuals, 10 (13%) took more than one week to be reported to the ICO.
Other key findings include:
- The ICO’s dashboard reveals that incidents of malware in the final quarter of 2022 doubled to 46 compared to the number reported in 2021.
- The number of data breach incidents in 2022 that have so far resulted in either an investigation or informal action being taken reached 1,088.
- 20% of all data breaches (cyber and non-cyber related) occurred in the Health sector. Education & childcare and retail & manufacturing sectors also scored highly.
Expert Opinion
"The ICO’s data reveals that the number of large-scale cyber security breaches is growing significantly. This suggests that the perpetrators are getting more sophisticated and more ambitious with their targets. Businesses need to take urgent action to protect themselves and we urge organisations to review their security protocols and ensure they are up to date and can protect against the latest cyber threats.
“The reduction in overall reporting of breaches may be an unintended symptom that the ICO can now, and does, publicly name organisations who report a breach, even if there is no or minimal impact to the business or their customers.” Graham Thomson, chief information security officer at Irwin Mitchell
The ICO is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO’s Data Security Incidents Dashboard presents data on the number of reports of personal data breaches received by the ICO.
Data security incidents occur when organisations do not have “appropriate technical or organisational measures” to protect the personal data they hold. This is a requirement of the UK General Data Protection Regulation (GDPR) under Principle (f): Integrity and confidentiality (security).
Last month the government published its annual Cyber Security Breaches Survey. Among the findings were that just three in 10 businesses have undertaken cyber security risk assessments in the last year – rising to 51% of medium businesses and 63% of large businesses. It also found that only 30% of businesses have board members or trustees taking explicit responsibility for cyber security as part of their job.
How we can help
Our multi-disciplinary team of trusted cyber security experts provide a cyber security audit service to small and medium businesses of any type and are supported by a team of lawyers who can advise on the related regulations and requirements, such as GDPR.
Our cyber security audit is an accessible and cost-effective way of understanding your key cyber-risks and mitigating them with straightforward, hard-hitting controls. Our specialists offer a comprehensive audit of the key hygiene factors within an organisation which aims to reduce up to 98% of cyber security risk.