kebox - Fotolia

Financial sector data protection breaches up 183% in past two years

The UK’s major banks and lenders are among firms responsible for 183% increase in ICO investigations into reported data breaches in the financial services sector since 2013

The number of breaches of the Data Protection Act (DPA) reported to the Information Commissioner’s Office (ICO) by the financial services sector has increased by 183% in the past two years, figures show.

Since 2013, the ICO has investigated 791 breaches of the DPA by banks, building societies and insurance firms, according to data obtained under freedom of information (FOI) requests by encryption firm Egress Software Technologies.

The reported breaches of the DPA by financial services firms included 158 disclosures of personal information.

The increase in reported breaches by the sector saw 585 incidents reported to the ICO in 2014 alone – more than three times the number of incidents reported by the legal sector for the same period, which reported 187.

The research shows that all of the UK’s major banks and lenders – including Barclays, HSBC, Lloyds Banking Group, Natwest, Nationwide and Santander – have reported multiple incidents to the ICO in the past two years.

These figures come at a time of increased scrutiny of how the financial services industry handles confidential personal and corporate data. Most recently, the Bank of England was revealed to have inadvertently sent highly sensitive financial information regarding the UK’s EU membership to the wrong email address.

Human error continues to drive up the number of breaches in all sectors, with a FOI request submitted by Egress in November 2014 revealing it was responsible for 93%.

Read more about the EU General Data Protection Regulation

This echoes the findings of the government’s newly released 2015 data breaches survey conducted by PwC, which found that 75% of large organisations suffering a staff-related breach, up from 58% a year ago, and nearly a third of small organisations, up from 22% in 2014.

When asked about the single worst breach, half of the organisations polled attributed the cause to inadvertent human error, up from 31% a year ago.

Across all industries, the ICO has issued civil monetary penalties in excess of £7.5m, £455,000 of which were levied against financial services organisations.

This figure could potentially be set to rise when proposed reforms to the EU General Data Protection Regulation comes into force in the next few years. It is expected that the new legislation will introduce fines of up to 2% of annual turnover for a serious breach.

Egress CEO Tony Pepper said the FOI data raises concerns over the mistakes being made by financial services firms in protecting personal information entrusted to them.

Read more about data protection reform

“It is staggering to see financial services firms reporting more than three times the number of incidents reported by the legal sector, which has recently come under fire from the ICO. These latest findings suggest that similar, if not harsher, criticism ought to be levied at the banks, building societies and insurance firms too,” he said.

With the planned reforms to EU General Data Protection Regulation, Pepper said the financial services industry must take action now or risk falling foul of laws that could see much tougher penalties handed out for a data breach.

“It is interesting to note that the monetary penalties issued by the ICO to this sector have historically been low – perhaps one of the reasons we’re seeing such apparent complacency when it comes to encrypting and controlling the sensitive information financial firms hold,” he said.

According to Pepper, the technology exists for organisations in the financial services industry to secure their confidential information. “Now, more than ever, is the time for them to implement it,” he said.

Read more on Privacy and data protection