GDPR fines just 6% of the total cost of data breaches

Over a third (37%) of breaches were caused by human error, and 40% of breaches took more than 72 hours to report, research has found.

An analysis of nearly 100,000 data breaches (99,460) reported to the UK Information Commissioner’s Office (ICO) from April 2019 to December 2022 has found a lengthy gap between the breach and the report, despite the ICO taking a more robust line.

The length of the gap demonstrates the challenges faced in identifying a threat. For 18% of breaches, more than a week passed until the ICO was notified. 

The costs of breaches can be high, dwarfing fines, with research finding the 33 most notable breaches cost organizations more than £13.5 billion, of which only 6% were made up by global regulatory fines.

In this instance, ‘notable’ refers to actual data breaches rather than organizations maliciously abusing data themselves or were reported by white-hat hackers with no damage occurring.

The most common causes of the breaches in the research weren’t cyber attacks. Only a third (33%) of breaches reported were due to malware or phishing, with all breaches caused by threats from outside an organization accounting for 35% of reports. Insider threats, however, came to 40%. 

Human error accounted for more – 23% were caused by data being shared with the wrong person, while 11% was due to lost or stolen data. This includes, for example, stolen devices or paperwork being left in an unsecured location.

Terry Ray, SVP, data security GTM and field CTO of Imperva, noted the ICO’s tougher stance but worries organizations are prioritizing measures that demonstrated compliance on paper, over genuine data security. 

“In many cases, initiatives that meet the letter of compliance will not in fact prevent organizations from suffering the financial impact of a data breach, such as from customer churn and reputational damage, which can dwarf any potential fines,” he said.

Data breaches are rising by more than a third (34%) annually, according to Ray, and he expressed concern that – due to a lack of clear metrics – businesses were unsure their data security investments are paying off.

The ICO has averaged £14.7 million per year in fines issued since it began issuing fines under GDPR rules, compared to £1.5 million levied in the 12 months before GDPR rules came into effect. This increase doesn’t compare favorably with the average cost of the 33 most notable breaches, which was approximately £410 million. “At present,” said Ray, “it would take the ICO 28 years to fine organizations the equivalent of just one of the ‘most notable’ data breaches.”