Breach study

Breaches of the Data Protection Act reported to the Information Commissioner’s Office (ICO) are only a tiny fraction of the true number of such incidents happening across the UK. That is the suggestion from a series of Freedom of Information requests made by security and communications product company ViaSat UK.

While 1,089 breaches were reported to the ICO between March 2014 and March 2015 (1), police forces across the UK reported at least 13,000 thefts (2) from businesses of devices that could hold sensitive data, meaning there are thousands of potential incidents going unreported. Since the current Data Protection Act contains no legal obligation to report breaches and includes no specific security requirements, there is no way of knowing whether any of these thefts put the population’s sensitive data at risk.

Chris McIntosh, CEO, ViaSat UK, said: “We must remember that 13,000 thefts is the bare minimum: considering that not all police forces could share this information, the real figure is likely to be many times greater. As a result, thousands of individuals’ private data could well be on borrowed time. It’s clear that this discrepancy isn’t due to the ICO but the framework it has to operate in. As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported, or that risk is minimised. For instance, encrypting sensitive data is now a trivial matter in terms of both cost and complexity. If encryption of personal data was made mandatory, and enforced with spot checks and suitable punishments, then the public and the ICO could have much greater confidence that none of the 13,000-plus stolen devices represent a threat.”

The vast majority of breaches reported to the ICO came from the healthcare sector, which was responsible for 431 in total; the next highest was local government, with 129. Indeed, between them these two sectors, which mostly represent public sector organisations, accounted for 51% of all reported breaches (3) and the greatest number of undertakings enforced by the ICO (4). With other mainly public sector organisations, such as education and law enforcement, accounting for a significant number of reported breaches, the statistics suggest that the private sector is still greatly under-reporting the number of potential breaches it encounters.

Chris McIntosh added: “The ICO’s role is to encourage best practice in data protection. While it is clear that its financial penalties are aimed at this goal, it still needs more legal and financial muscle to drive its goals. While compulsory reporting of every single potential breach could be difficult to enforce, inevitably it would give the ICO a clearer view of the problem and allow it to better mandate best practice. However, in the meantime compulsory encryption, and the power to police it, is the absolute minimum that the ICO should be granted.” Visit


(1) The total of self-reported data breaches to the ICO between:
a. 12th March 2014 and 12th March 2015: 1,089
b. 1st March 2013 and 28th February 2014: 1,274
c. 8th March 2012 and 8th March 2013: 1,150
The total value of monetary penalties issued by the ICO for self-reported data breaches between:
a. 12th March 2014 and 12th March 2015: £1,142,500
b. 1st March 2013 and 28th February 2014: £1,230,000
c. 8th March 2012 and 8th March 2013: £2,610,000

(2) Number of thefts reported from businesses to 18 UK police forces between March 1st 2014 and February 28th 2015 (inclusive): 67,677
Number of thefts of devices capable of holding sensitive information: 13,079

(3) Top five sectors for self-reported data breaches 2014 – 2015:
i) Health (431)
ii) Local Government (129)
iii) Education (86)
iv) General business (72)
v) Solicitors/ Barristers (55)

(4) ICO undertakings 2014 – 2015 by sector:
i) Local Government (24)
ii) Health (14)
iii) Policing and criminal records (6)
iv) General business (4)
v) Media (3)
vi) Estate Agents (2)
vii) Leisure (2)
viii) Lenders (2)
ix) Solicitors/ Barristers (2)
x) Education (1)
xi) Financial Services (1)
xii) Housing (1)
xiii) Recruitment agencies (1)

(5) Number of self-reported data breaches 2014 – 2015 by type:
i) Disclosure of data (689)
ii) Security (375)
iii) Inaccurate data (6)
iv) Use of data (5)
v) Breach of Section 55, Data Protection Act by an individual (4)
vi) Subject access (3)
vii) Obtaining data (3)
viii) Retention of data (3)
ix) Excessive/ Irrelevant data (1)

(6) Number and value of monetary penalties 2014 – 2015, by breach type:
i) Security (5 penalties totalling £812,500)
ii) Use of data (2 penalties totalling £150,000)
iii) Disclosure of data (1 penalty totalling £180,000)

ViaSat contacted the ICO requesting statistics on self-reported data incidents between 12th March 2014 and 12th March 2015, broken down by type and sector. ViaSat also contacted each of the 46 police forces in the UK to request statistics on thefts between March 1, 2014 and February 28, 2015 (inclusive). It requested the number of thefts where computing and communications equipment capable of holding sensitive data had been stolen, and whether thefts had been reported from individuals or organisations. Of the 34 forces that responded, not every force was able to provide the full information needed. As a result, statistics are based only on the 31 forces that could give precise, verified information.

