GDPR fines just 6% of the total cost of data breaches

A red warning sign on a backgroud of code, denoting malware and cyber attacks
(Image credit: Getty Images)

Over a third (37%) of breaches were caused by human error, and 40% of breaches took more than 72 hours to report, research has found.

An analysis of nearly 100,000 data breaches (99,460) reported to the UK Information Commissioner’s Office (ICO) from April 2019 to December 2022 has found a lengthy gap between the breach and the report, despite the ICO taking a more robust line.

The length of the gap demonstrates the challenges faced in identifying a threat. For 18% of breaches, more than a week passed until the ICO was notified. 

The costs of breaches can be high, dwarfing fines, with research finding the 33 most notable breaches cost organizations more than £13.5 billion, of which only 6% were made up by global regulatory fines.

In this instance, ‘notable’ refers to actual data breaches rather than organizations maliciously abusing data themselves or were reported by white-hat hackers with no damage occurring.

The most common causes of the breaches in the research weren’t cyber attacks. Only a third (33%) of breaches reported were due to malware or phishing, with all breaches caused by threats from outside an organization accounting for 35% of reports. Insider threats, however, came to 40%. 


ITIC 2022 Global Server Hardware, Server OS Security Report

(Image credit: Shutterstock)

ITIC 2022 Global Server Hardware, Server OS Security Report

Learn more about how you can combat ever-growing security threats.


Human error accounted for more – 23% were caused by data being shared with the wrong person, while 11% was due to lost or stolen data. This includes, for example, stolen devices or paperwork being left in an unsecured location.

Terry Ray, SVP, data security GTM and field CTO of Imperva, noted the ICO’s tougher stance but worries organizations are prioritizing measures that demonstrated compliance on paper, over genuine data security. 

“In many cases, initiatives that meet the letter of compliance will not in fact prevent organizations from suffering the financial impact of a data breach, such as from customer churn and reputational damage, which can dwarf any potential fines,” he said.

Data breaches are rising by more than a third (34%) annually, according to Ray, and he expressed concern that – due to a lack of clear metrics – businesses were unsure their data security investments are paying off.

The ICO has averaged £14.7 million per year in fines issued since it began issuing fines under GDPR rules, compared to £1.5 million levied in the 12 months before GDPR rules came into effect. This increase doesn’t compare favorably with the average cost of the 33 most notable breaches, which was approximately £410 million. “At present,” said Ray, “it would take the ICO 28 years to fine organizations the equivalent of just one of the ‘most notable’ data breaches.”

Richard Speed
Staff Writer

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITProCloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.

Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.