UK data breaches decline despite sharp global rise

A processor with a red cloud broken in two with a word beneath: 'BREACH!'

Approximately 40% fewer data records were stolen or compromised in the UK in 2017 against the previous year, despite more than 2.6 billion records leaked worldwide, new findings show.

Ahead of GDPR legislation coming into force in May, the number of data breaches recorded in the UK declined from 108 in 2016 to 80 last year, according to Gemalto's Data Breach Index 2017, released today.

Approximately 33 million records were compromised in those breaches - a 39% decline on the previous year; the WannaCry attack that hit the NHS and other organisations accounting for 26 million, or 79%, of these records.

The relatively positive outlook for the UK stands in contrast with the US, which accounted for the overwhelming majority of data breaches across the world - 1,453 - followed by the UK in second place.

Joe Pindar, director of product strategy at Gemalto, said that while the outlook for UK businesses isn't wholly negative, they are running out of time to tighten up data protection practices ahead of GDPR implementation.

"On the face of it, UK organisations' security and data protection seem to be improving," he said. "However, with GDPR on the horizon, it's likely that the total amount of lost data will rise nearer in line with the US, who have had to publicly reveal breaches for a number of years."

In its latest Data Breach Index, a global database tracking data breaches and measuring their severity based on multiple dimensions, digital security specialist Gemalto outlined an 88% increase in compromised data records worldwide since 2016, while recording 1,765 reported data breaches - down by 11%. In other words, there were fewer breaches, but more data leaked in those breaches.

Human error was found to be a major risk management and security issue, with accidental loss, improper disposal, misconfigured databases and other security concerns accounting for 1.9 billion exposed records globally - a dramatic 580% increase on the previous year.

While just under half of data incidents in the UK involved a malicious outsider, 39% were attributable to accidental loss. Worldwide, accidental loss accounted for 18% of data breaches and 76% of compromised records.

One significant example of inadvertent data exposure in the UK occurred in 2016 when the personal data of hundreds of University of Greenwich of students, including names, addresses, phone numbers and dates of birth, was exposed when the university accidentally published them online.

Similar instances have also afflicted the NHS in recent years, for instance when the 56 Dean Street clinic in Soho disclosed the names and email addresses of HIV positive patients when it sent out a newsletter that was supposed to be blind carbon copy (BCC), but was instead sent out with details entered in the carbon copy (CC) field.

Pindar added: "Worryingly, for UK organisations, is the number of records being compromised due to accidental loss. Companies are clearly not controlling or even knowing where their sensitive customer data is, so when it comes to complying with key aspects of GDPR like the 'right to be forgotten', what hope is there that hey will be able to remove customer data from all their systems?

"Whilst human error is something that all organisations have to deal with, if it's not correctly encrypted, data can easily be compromised if it got into the wrong hands. With just over a month to go, UK businesses don't have a lot of time to get important points like this."

Globally, the healthcare sector experienced the largest proportion of data breach incidents, 27%, followed by financial services at 12%, and education and government at 11% of incidents each.

Jason Hart, vice president and CTO for data protection at Gemalto, urged companies to adopt a privacy-by-design approach.

He added: "This will be especially important, considering in 2018 new government regulations like Europe's General Data Protection Regulation (GDPR) and the Australian Privacy Act (APA) go into effect. These regulations require companies to adapt a new mindset towards security, protecting not only their sensitive data but the privacy of the customer data they store or manage."

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.