UK organizations lost billions in data breaches between 2019 and 2022, with hundreds of millions of their customers suffering compromise of their personal information, according to a new analysis from Imperva.
The security vendor studied 99,490 breaches reported to the Information Commissioner’s Office (ICO) between April 2019 and December 2022, as well as the “most notable breaches” identified by Chartered Institute of Information Security (CIISec) members in its annual report.
It found that data on over 200 million Brits was compromised during the period, the equivalent of every citizen’s data being stolen at least three times.
Interestingly, the analysis also revealed that malicious attacks such as malware, phishing and ransomware accounted for just a third (33%) of breaches reported to the ICO, versus 40% of incidents caused by insider threats.
Additionally, 10% were related to unauthorized access to data and 12% to data emailed to the wrong person. A similar share (11%) could be explained by data being lost or stolen, for example through device theft.
Nearly two-fifths (37%) of all breaches studied in the report can be explained by human error, Imperva said.
This all comes at a cost. Taking just those breaches deemed “most notable” by CIISec members, the cost to impacted organizations was £13.5bn. Regulatory fines accounted for just 6% of this cost, around the same share as legal costs, Imperva said.
Imperva field CTO, Terry Ray, argued that the UK regulator has taken a stronger line on data breaches.
“ICO penalties have increased almost tenfold since GDPR fines came into effect. However, there is still a risk organizations are prioritizing measures that demonstrate compliance on paper over those that provide genuine data security,” he added.
“In many cases, initiatives that meet the letter of compliance will not in fact prevent organizations from suffering the financial impact of a data breach, such as from customer churn and reputational damage, which can dwarf any potential fines. To put this in perspective, at present it would take the ICO 28 years to fine organizations the equivalent of just one of the ‘most notable’ data breaches.”