Employee data breaches up 41%

Reports of employee data breaches increased by 41% in 2023, reaching a five-year high.

According to the Information Commissioner’s Office there were 3,208 reports involving the security of employee data last year, up from 2,279 in 2022 and the highest number of incidents reported since the ICO began publishing this data in 2019.

Data breaches of this type represented 28% of all incidents reported to the information security watchdog in 2023.

Several high-profile employers experienced employee data leaks in 2023, including Capita, the Police Service of Northern Ireland and Greater Manchester Police.

Stephen Bonner, the ICO’s deputy commissioner for regulatory supervision, said that cyber attacks were becoming more sophisticated, and many organisations were still neglecting the fundamentals of cyber security.

“People need to feel confident that organisations are doing as much as they possibly can to keep their personal information secure,” he said.

“As the data protection regulator, we want to support and empower organisations to get this right. While there is no single solution to prevent cyber attacks, there is absolutely no excuse for not having the foundational controls in place. These are essential to protecting people’s personal information and we will take action, including fines, against organisations that are still not taking simple steps to secure their systems.

“If you do experience a cyber attack, we always encourage transparency as your mistakes could help another organisation to avoid a similar breach.”

The ICO says there are five main causes of cyber security breaches: phishing, misconfigured security settings, the use of trial and error by criminals to guess username and password combinations, criminals overloading a system to stop the normal functioning of a website or computer network, and supply chain attacks where products or technology used by an organisation are compromised and used to infiltrate systems.

Ransomware attacks targeting employee data increased by 57% in the past year. Such attacks involve the use of malware to unlawfully encrypt files on a host computer system to make them unavailable, with criminals then requesting payment in return for restoring the data.

Joanna Sutton, principal associate at law firm Nockolds, said employers may face legal claims from employees if their data is breached.

“These numbers show that despite increased investment in cyber security, determined hackers are finding ways to gain access to employee data. While cyber security is an IT domain, breaches involving employee data inevitably fall within the jurisdiction of HR and create risks that need to be effectively managed,” she said.

“Employers hold a significant amount of private information about their employees, which they have a legal duty to protect. Even if data is leaked accidentally, employers could be liable for damages.

Sign up to our weekly round-up of HR news and guidance

Receive the Personnel Today Direct e-newsletter every Wednesday

Email(Required)

OptOut

From time to time, we will send you emails about selected products, events and services from Personnel Today and OHW+ - but you can choose to opt-out at any time. If you do not wish to receive these emails, please tick this box.

Email

This field is for validation purposes and should be left unchanged.

Δ

“Good cybersecurity starts with employees. It doesn’t matter how robust defences are if employees are not being regularly trained on cybersecurity protocols. The rise in employee data breaches suggests that there would be value in enhanced training for staff in response to rising threat levels. This would also help demonstrate to the ICO that an employer is taking their data protection responsibilities seriously”.

Latest HR job opportunities on Personnel Today

Browse more human resources jobs