The latest quarterly report from the UK's Information Commissioner's Office (ICO) shows a drop in reported data security incidents for January to March 2020. Compared with the same period of 2019, the number of incidents reported to the ICO fell 19%, from 3,263 to 2,629.
“These figures are based on the number of reports of personal data breaches received by the ICO during Q4 2019-20,” the data regulator said. Additionally, “these figures are based on the number of reports submitted by the data controller, not necessarily the number of incidents.”
Does this call for celebration? Not necessarily. The figures count breaches that organisations knew about and chose to report. Under the General Data Protection Regulation (GDPR), a data controller must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. But how many organisations actually know that their networks have been compromised? On average, it takes a company about 197 days to identify a data breach and a further 69 days to contain it, according to IBM's Cost of a Data Breach study, so a breach that occurred in this quarter may not surface in the ICO's statistics until much later, if at all.
In the first three months of 2020, the health sector accounted for the largest share of reported breaches, 419 of the 2,629 (roughly 16%), and 148 reports were flagged as "other non-cyber incidents".
What action has the ICO taken? In January and March 2020, the UK's data protection regulator issued two hefty fines:
• DSG Retail Limited was fined £500,000 “after a ‘point of sale’ computer system was compromised,” affecting at least 14 million people.
• Cathay Pacific Airways was fined £500,000 for a data breach lasting from 2014 to 2018 that left customers' personal details exposed.
Both breaches predate the GDPR, so both penalties were issued under the Data Protection Act 1998, whose maximum monetary penalty was £500,000. Breaches occurring after 25 May 2018 fall under the GDPR, where fines can reach €20 million or 4% of global annual turnover.
While the overall fall in reported data breaches is significant, the volume of several categories of cyber incident increased considerably year on year.
Phishing incidents rose 27% and were named as the root cause of 280 reports. Hardware and software misconfigurations rose 85%, accounting for 33 reports, and ransomware, responsible for 60 reports, saw a 28% increase.
In contrast, reports of unauthorised access fell sharply, from 369 incidents to 175, a drop of more than half.