What data breach trends tell us
What should be on senior leadership’s radar?
Every organisation hopes to avoid a significant data breach. While a breach could lead to unwelcome regulatory scrutiny, and in extreme cases a monetary penalty, other repercussions are often more pressing. Data breach investigations are time-consuming and expensive, as are any remedial actions they identify. Breaches can cause operational disruption, harm the individuals affected, erode trust, lead to reputational damage… the list goes on.
Preventative measures include robust cyber defences, stronger information security controls and standards, sound internal security procedures, and staff training and awareness-raising to reduce ‘human error’. Data incident plans need to be fine-tuned so that, should the worst happen, the response is rapid, effective and efficient.
Every organisation’s risk profile will differ, but general trends can offer some pointers on where to focus your efforts. The data security incident trends published by the Information Commissioner’s Office (ICO) reveal the frequency and nature of the most common incidents, and the regulatory action taken. These present useful headlines for senior leadership teams to consider. For example, here are the top-line statistics for the last three months (Q4) of 2025:
■ 3,600 incidents were reported to the ICO in the quarter – an increase of 16% year on year.
■ 77% were non-cyber incidents – any type of incident which doesn’t have a clear online or technical element involving a third party with malicious intent. Human error is often a key factor in non-cyber breaches.
■ 23% were cyber incidents – this is any incident with a clear online or technical element involving a third party with malicious intent.
Cyber incidents
The devastation caused by a cyber breach is obvious when witnessing the fallout at M&S, Jaguar Land Rover, the Co-Op, Kensington & Westminster Council and many other organisations.
The National Cyber Security Centre’s 2025 annual review revealed the UK is experiencing four nationally significant cyber-attacks every week. And big organisations are not the only target: one in two small businesses identified a cyber-attack in the past year. The NCSC has plenty of useful free resources to help organisations combat cyber threats, and we’ve also written some tips for small and medium-sized businesses – Combatting the cyber threat
Non-cyber incidents
While the cyber threat is likely to be high on any organisation’s risk register, possibly giving senior leadership sleepless nights, more than three-quarters of personal data breaches are classed as non-cyber incidents. The top four causes are:
1. Personal data emailed to incorrect recipient(s)
2. Unauthorised access to personal data
3. Phishing
4. Failure to redact personal data
Other non-cyber incidents include personal data posted to the wrong recipient, loss or theft of paperwork or devices, recipients’ addresses disclosed in bulk emails because the BCC function wasn’t used, verbal disclosure and insecure disposal of paperwork.
It’s perhaps unsurprising that mistakes with email have remained firmly top of the list for years; we all know how easy they are to make (see our 10 tips to prevent email errors). Phishing attacks are becoming very sophisticated, with AI being used to make lures more believable and more relevant to the recipient. The NCSC phishing guidance is worth reading.
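The BCC failure listed above is easy to reproduce and easy to prevent in code. The following is an added example, not code from the article or from the ICO: it builds a bulk notice the wrong way (every address in a visible header) and the right way (recipients only in the SMTP envelope), and runs a pre-send check that reports any envelope recipient who would be exposed to the others. The sender and recipient mailboxes are constructed sample data, and the choice of a self-addressed To: placeholder is this example’s convention, not a requirement.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (not from the article).
SENDER = "privacy@example.org"
RECIPIENTS = ["alice@example.com", "bob@example.net", "carol@example.co.uk"]


def build_notice_wrongly(sender, subject, body, recipients):
    """The common mistake: every recipient is placed in a visible header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)  # every address is disclosed to every recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes(), list(recipients)


def build_notice(sender, subject, body, recipients):
    """Return (serialised message, envelope recipients).

    The recipient list lives only in the SMTP envelope (the RCPT TO commands),
    so nothing in the copy that reaches each inbox reveals the other recipients.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = f"Undisclosed recipients <{sender}>"  # self-addressed placeholder
    msg["Subject"] = subject
    msg.set_content(body)
    # Deliberately no Bcc header. smtplib.SMTP.send_message() strips Bcc before
    # transmission, but SMTP.sendmail() sends the bytes exactly as given, so a
    # Bcc header left in the serialised message would be delivered with it.
    return msg.as_bytes(), list(recipients)


def visible_recipients(raw: bytes) -> list[str]:
    """Addresses any recipient could read out of the message headers."""
    m = message_from_bytes(raw)
    headers = []
    for name in ("To", "Cc", "Bcc", "Resent-To", "Resent-Cc", "Resent-Bcc"):
        headers.extend(m.get_all(name, []))
    return [addr for _, addr in getaddresses(headers) if addr]


def leaks_recipients(raw: bytes, envelope: list[str]) -> list[str]:
    """Envelope recipients that would be exposed to the others if this were sent.

    Use as a pre-send gate: refuse to send when the result is non-empty.
    """
    exposed = {a.lower() for a in visible_recipients(raw)}
    return [r for r in envelope if r.lower() in exposed]


if __name__ == "__main__":
    raw, env = build_notice_wrongly(SENDER, "Service notice", "Hello", RECIPIENTS)
    print("wrong ->", leaks_recipients(raw, env))  # all three addresses
    raw, env = build_notice(SENDER, "Service notice", "Hello", RECIPIENTS)
    print("right ->", leaks_recipients(raw, env))  # []
```

The check is cheap enough to run on every outbound bulk message; the cost of skipping it is a breach that, per the ICO figures above, is one of the most common reported.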
Triggers for an ICO investigation
As noted, regulatory scrutiny is only one of a range of potential impacts of a significant data breach. The figures reveal that in 70% of reported incidents, no further action is taken by the ICO. This is not surprising, given that organisations tend to err on the side of caution when deciding whether to report, meaning a significant percentage of reported breaches are relatively minor.
It’s worth noting that just over 50% of reported breaches in 2025 affected just 1-9 individuals. That said, a breach affecting a small number of people won’t always be minor if the data breached is sensitive and could have serious consequences for those affected.
So, how does the ICO decide whether to take further action? Here are the key factors which influence whether a reported incident will result in an investigation:
■ Number of data subjects affected
■ Time taken to report
■ Data subject type (e.g. did it involve vulnerable people)
■ Type of data (e.g. did it involve special category or criminal conviction/offence data)
It’s notable that failing to meet the 72-hour reporting deadline is a key factor taken into consideration. The figures reveal 18% of organisations took up to a week, and 19% took more than a week, to report breaches to the ICO.
Remember, even if you don’t have all of the facts to hand as the 72-hour deadline looms, you can always provide an initial report and then submit updates as more information becomes clear. The assessed risk may be downgraded or upgraded as a result, but at least you won’t have missed the deadline.
Types of incidents most likely to trigger an investigation
The ICO figures reveal these are the types of incident which led to a formal investigation:
■ malware, ransomware, or other cyber incident
■ failure to redact
■ hardware/software misconfiguration
■ incorrect disposal of paperwork
■ loss/theft of paperwork or device containing personal data
■ unauthorised access
■ verbal disclosure of personal data
Alongside formal investigations, which might potentially result in a reprimand, or in particularly severe cases a monetary penalty, the ICO more often takes “informal action”. This is done across a range of different types of incidents, may not make the headlines and doesn’t lead to organisations being publicly ‘shamed’. These informal actions are seen as a non-punitive educational approach aimed at resolving minor issues.
It’s fair to say the likelihood of ICO scrutiny is low, with the chances of a monetary penalty even lower, unless it’s evident there’s been a substantial failure to implement appropriate technical and organisational measures. But the ICO isn’t all we should be worried about – other repercussions may do as much or more damage.
The ICO data security incident trends are worth keeping an eye on. Of course every organisation will face varying challenges and risks, but there are common themes which potentially affect us all. Awareness is the first step to successful prevention.