Staff or contractor negligence biggest single cause of UK data breaches last year, study says

A report (25-page / 488KB PDF) by security research company Symantec said 36 UK firms spanning 11 different industries had experienced data breaches during 2011 that resulted in them notifying the Information Commissioner and affected customers.

The data breaches were caused on 36% of occasions by "a negligent employee or contractor" whilst "system glitches" were responsible for 33% of the instances. The glitches account for "a combination of both IT and business process failures," the report said. Malicious or criminal attacks were the cause of the remaining 31% of cases.

Symantec said that the amount of information breached on average had fallen and that a higher percentage of customers were generally remaining loyal to organisations that had lost data.

"The average abnormal churn decreased from 3.3 percent in 2010 to 2.9 percent this year," the report said. "However, certain industries, such as financial services and pharmaceutical companies, are more susceptible to customer churn, which causes their data breach costs to be higher than the average. Taking steps to keep customers loyal and repair any damage to reputation and brand can help reduce the cost of a data breach."

Firms also experienced lower costs relating to lost business stemming from data breaches, the report said. Those costs – which account for factors such as losses to businesses' reputations as well as diminished goodwill – "sharply decreased from £913,910 in 2010 to £779,414 in 2011".

The study said breaches caused by malicious or criminal attacks were "the most costly". "Accordingly, organisations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker," it said.

Currently, UK telecommunications companies and internet service providers are required to notify their customers and the Information Commissioner's Office (ICO) of personal data breaches immediately. That rule is set out in the Privacy and Electronic Communications Regulations.

Since April 2010 the ICO has had the power to issue monetary notice penalties of up to £500,000 for serious data breaches of the Data Protection Act (DPA).

In 2011 major global companies including Sony, Nokia and Acer all had personal data stored on their systems stolen by hackers.