Kroll, the spy firm, has ascertained that the number of data security incidents received by the Information Commission in London has increased by 75% over the past two years.

Kroll's research, based on its analysis of publicly available data from the commission's annual reports, along with information it has obtained under the Freedom of Information Act, reveal the details of many 'data breaches' (a statutory term relating to failures of security that lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed) to do with information about people's health, clinical arrangements, financial details, employment, criminal records, endorsements and other things. It shows, in Kroll's strange parlance, that "data breach risks" that spring from human error are at least as great as those from cyber-attacks. In the past year, of the incidents whose type Kroll could discern, 2,124 reports could be attributed to human error. Only 292 were "deliberate cyber incidents."

Kroll says that reports have probably increased because firms have been gearing up for the new era of disclosures heralded by the European Union's General Data Protection Regulation, which came into force in May. Kroll expects both the number of reports and the values of fines levied by the Information Commissioner to increase significantly now that this is in place.

The most common types of incident due to human error included data being emailed to the incorrect recipient (447 incidents), loss or theft of paperwork (438), failure to redact data (256), data left in an insecure location (164) and failure to use bcc when sending email (147). The loss or theft of unencrypted devices (133) is another common reason. Of the "deliberate cyber incidents" that people had reported to the commission, 102 concerned unauthorised access, 53 concerned malware, 51 concerned phishing attacks, 33 concerned ransomware, 20 concerned password attacks and two concerned the denial of service.

The health sector is responsible for the highest number of reported data security incidents over the past financial year (1,214), a 41 per cent increase over two years. This is followed by general business (362), education and childcare (354) and local government (328).

Clinical and health-related data is compromised more commonly than any other type of personal data and is specified in 39% of reports over a three-year period. Financial details account for 10%, employment details for 5%, criminal records or endorsements for 4% and educational records for 3%.

The business case for investing in cyber-defence seems never stronger. Kroll's analysis shows that people are still the crucial factor, so investment in the training of staff (either to follow correct procedures or to spot phishing attacks before they click on the link/email) seems to be a good idea. Nobody knows yet how the GDPR is going to alter these trends and results.