ICO data shows more incidents from misaddressed emails than phishing

The ICO (Information Commissioner’s Office) has released a dashboard on breach data they’ve received from Q2 of 2019 up to Q2 in 2022. They’ve categorized incidents where organizations have failed to put ‘appropriate technical or organizational measures’ in place to protect sensitive data.

There’s plenty of interesting data available via the dashboard, but the standout finding is the volume of incidents and breaches arising from human activated risk over email, with 28% of ICO notifications being email related. 

Misaddressed emails top of incident list

ICO data found that 18% of incidents/breach reports came from misaddressed emails over the three year period – the most of any incident type. Even phishing was responsible for fewer incidents, making up 10% of the breaches reported to the ICO. Without intelligent outbound data loss prevention (DLP) measures in place, sending data to the wrong person is easily done. A simple typo or nudge in the wrong direction from autocorrect can lead to serious data breach incidents.

Failure to use Bcc makes up the full breakdown of email incidents in the list:

• Data emailed to incorrect recipient – 18%
• Phishing – 7%
• Failure to use Bcc – 3%

The ICO dashboard also details the action they have taken regarding each type of incident, ranging from no action taken to pursuing an investigation. There are a number of factors that influence whether the ICO pursues an investigation, such as the number of data subjects affected (54% of incidents affecting >100K people were investigated, versus 6% of incidents for less than 10 people affected). They also consider the time organizations take to report breaches, the source of the incident, and whether it’s a first offence.

The ICO are taking action more frequently  

In 2019, only 1% of breaches from misaddressed emails resulted in further action from the ICO. In 2022, 87% of cases either ended with an investigation or informal action being taken. It’s a similar story for phishing breaches. In 2022, 85% of phishing breaches resulted in further action from the ICO compared to just 14% in 2019.

Even if an organization does not end up with a fine, every security incident comes with costs. Incidents take time to triage and remediate, data subjects have to be informed, and customers will take note of any reputational damage. Data breach litigation by affected data subjects is also on the rise. Finally, the ICO will also expect to see that an organization has reasonable measures in place to reduce their future risk, with investments made to security programs, including technical solutions, to support this.

Human activated risk is still a major problem for organizations, year on year. Security awareness and training (SA&T) courses are widespread but failing to stem the tide of inbound and outbound breaches. Traditional solutions such as secure email gateways (SEGs) aren’t equipped to deal with the most advanced phishing attacks – and given the rise in misaddressed emails, outbound risk is still a massively overlooked problem. 

Protect against advanced phishing and email data loss

28% of ICO notifications are email related, including incidents such as misaddressed emails, incorrect attachment, failure to use Bcc, and falling for phishing attacks. Keeping sensitive data safe requires a solution that can reduce the human activated risk introduced into organizations every day through advanced phishing, human error, and malicious insiders.

To plug this widening security gap, organizations need to augment their existing email security with integrated cloud email solutions (ICES) that can solve for these use cases highlighted by the ICO. Learn how ICES can protect against both inbound and outbound email risk without the need to rip and replace existing technology.