Retail is among the industries that have been hit hard by data breaches since GDPR regulations came into force, new analysis suggests.
Specialist data breach law firm Hayes Connor analysed figures from the Information Commissioners’ Office (ICO) ongoing data security report, monitoring breaches of GDPR regulation that came into force in 2018. It found that retail and manufacture was the sector with the third highest rate of data breaches recorded between 2019, when the ICO first started collecting data, and the second quarter of 2022. Overall, 32,541 breaches were reported over that period, of which 9% – or about 2,929 – were from the retail and manufacture sector. Health, with 19% of breaches, and education and childcare, with 14%, led the ranking. Retail and manufacture came in joint third place with local government and finance, insurance and credit – which also both accounted for 9% of breaches.
Retail, says Hayes Connor, is more likely to suffer from cyber security incidents rather than data breaches caused by human error. The leading cause of data breaches in retail was phishing, with 458 breaches. Ransomware breaches accounted for 387 cases and unauthorised access for 376. Some 46% of cyber related data breaches were in the marketing industry.
The type of information most likely to be compromised in retail were basic personal identifiers such as names, location data, identification numbers or online information such as IP addresses (64% of cases), followed by economic and financial information (20%).
Christine Sabino, legal director at Hayes Connor, says the breaches are concerning because of the trust the public puts in these sectors, with the expectation that data will be handled securely.
Sabino says: “With so many of these data breaches being caused by human error, it’s very clear that these industries are in dire need of data handling training, at the very least. With Computer Security Day arising on November 30, now is the ideal time for businesses to rethink their data handling practices.”
The 2018 GDPR regulations require businesses to report a data breach within 72 hours. Failure to notify a breach can result in a fine of up to £8.7m or 2% of global turnover. In the retail sector, 38% of data breaches were not reported within 72 hours. Hayes Connor says that leaves the sector vulnerable to large fines.
Some 80% of incidents over the period were not cyber incidents, but rather involved information being emailed to the wrong person by mistake (15%), or errors with paper filing systems, the Hayes Connor analysis suggests. In 2021 alone the proportion of cases involving personal identifiers fell to 57% of incidents, and so far this year they account for 29%.
