Site navigation

Almost All 2019 UK Data Breaches Were Caused By Human Error

Duncan MacRae


Digital Skills Survey: How Can the Government Help the digital skills shortage?

Phishing was the most common cause of breaches in 2019, accounting for 45% of all breaches reported to the ICO.

Human error was responsible for 90% of the UK’s cyber data breaches in 2019, according to research from the UK Information Commissioner’s Office (ICO).

According to data analysis firm CybSafe, which has studied the ICO’s stats, nine out of 10 of the 2,376 data breaches reported to the organisation last year were due to mistakes made by end-users.

This was an increase from the previous two years, when 61% and 87% of cyber breaches respectively were put down to user mistakes.

CybSafe researchers noted that phishing was the most common cause of breaches in 2019, accounting for 45% of all breaches reported to the ICO. Unauthorised access was the second most common cause of breaches in 2019, with malware, ransomware, hardware/software misconfiguration and brute force password attacks also leading to breaches.

With GDPR causing a massive surge in reporting during 2018, it could have been expected that reports to the ICO would taper off in 2019. “But this wasn’t the case,” CEO of CybSafe, Oz Alashe, explained. “2019 surpassed the numbers achieved in the previous year quite dramatically. In terms of human error data breaches, it was a particularly significant year.

“As this analysis shows, it’s almost always human error that enables attackers to access encrypted channels and sensitive information. Staff can make a variety of mistakes that put their company’s data or systems at risk, often because they lack the knowledge or motivation to act securely, or simply because they accidentally slip up.

“As for lessons learned, there’s a lot to take away from these figures. As a nation, we can’t begin to address cyber risk if we only concentrate on technical threats. The human side of the equation is so important. Simple attacks, especially social engineering attacks, continue to dominate the threat landscape. And it’s hard to see that situation changing significantly in the next few years.


“With end-user mistakes often being either a cause or catalyst in the majority of breaches, British businesses and public sector organisations need to be asking whether they’re doing enough to minimise that risk. Are they doing anything at all, and if they are, is it really making a difference?”

Although employees have been responsible for most data breaches, Alashe believes that they are also key to keeping a businesses secure.

He added: “Employees, of course, pose a certain level of cyber-risk to their employers, as seen in our findings thus far. Nevertheless, people also have an important role to play in helping to protect the companies they work for, and human cyber-risk can almost always be significantly reduced by encouraging changes in staff cyber-awareness, behaviour and culture.”

Duncan MacRae


Latest News

%d bloggers like this: