"Human error causes 88% of data breaches" is the security industry's favourite statistic — and one of its least reliable. This page grounds the claim in real data: the ICO's quarterly breach reports, the government's Cyber Security Breaches Survey and the Verizon DBIR, with every competing percentage traced back to its source.

Ask what percentage of data breaches are caused by human error and you will find answers ranging from 62% to 95%, all quoted with equal confidence. The reliable UK evidence comes from three places: the Information Commissioner's Office (ICO), which publishes a quarterly dataset of every personal data breach reported to it, split into cyber and non-cyber incident types; the government's annual Cyber Security Breaches Survey; and, for global context, Verizon's Data Breach Investigations Report (DBIR). This page brings those together — and explains where the famous 88%, 90% and 95% claims actually come from.

It is scoped to the causes of breaches: the human-error share, the mistake types behind it, and the training gap. For how many breaches are reported overall, sector volumes and costs, see our UK data breach statistics page.

Key facts and figures

  • 77% of personal data breaches reported to the ICO in Q4 2025 were non-cyber incidents — overwhelmingly human error — against 23% cyber.
  • 16% of all breaches reported to the ICO in 2023 — 1,744 incidents — were data emailed to the wrong recipient, the single most common breach type.
  • 88% of error-related breaches in the 2026 Verizon DBIR were misdelivery: information sent to the wrong person.
  • 62% of breaches worldwide involved the human element in the 2026 DBIR, up from 60% in the 2025 edition.
  • 90% of the cyber breaches reported to the ICO in 2019 were caused by end-user mistakes, per CybSafe's analysis; its 2021 follow-up put the share at 80%.
  • 19% of UK businesses ran cyber security awareness training in the year before the 2025/26 Cyber Security Breaches Survey — while 43% identified a breach or attack.
  • 11,074 personal data breach incidents were reported to the ICO across 2023, around 75% of them non-cyber.
  • £3.29 million — the average cost of a UK data breach in 2025.

Figures are the latest available as of July 2026, and this page is updated as new data is released — the ICO refreshes its incident dataset quarterly, the Cyber Security Breaches Survey is published each spring and the Verizon DBIR follows each May.

What percentage of data breaches are caused by human error?

In the UK, 77% of the personal data breaches reported to the ICO in Q4 2025 were non-cyber incidents — the regulator's category for breaches with no hacking or malware element, dominated by human-error types such as emailing data to the wrong recipient, failing to redact and losing paperwork or devices. That roughly three-quarters share has held for years: about 75% of the 11,074 incidents reported in full-year 2023 were also non-cyber.

Globally, the 2026 Verizon DBIR found the human element — a person making a mistake or being successfully socially engineered — present in 62% of the 22,000+ confirmed breaches it analysed, up from 60% in the 2025 edition.

So which is it — 62%, 77%, 88% or 95%? Every widely quoted figure measures something different, over a different dataset, with a different definition of "caused by". The table below traces each claim back to its source:

Claimed figureSource and yearWhat it actually measures
62%Verizon DBIR 2026Breaches worldwide involving the human element — error or social engineering — across 22,000+ confirmed breaches
68%Verizon DBIR 2024The same human-element measure on an earlier dataset; deliberately excludes malicious insider misuse
77%ICO dataset, Q4 2025Share of UK personal data breach reports classed as non-cyber — mostly human-error incident types
80%CybSafe, 2021 follow-upThe same end-user-mistake measure in CybSafe's follow-up analysis of the ICO dataset
88%Tessian, 2020Vendor survey report produced with a Stanford professor — widely mis-cited as "Stanford University research"
90%CybSafe, 2019 analysisEnd-user mistakes across the 2,376 cyber breaches reported to the ICO in 2019
95%IBM index / WEF 2022 / Mimecast 2025Breaches "involving" human error in some way — the loosest definition of all

The honest summary: on the strictest, best-evidenced measures, human error directly causes roughly six to eight in every ten breaches, and it plays some part in more still. Whichever figure you cite, name the source and the definition alongside it.

What does the ICO's non-cyber breach data show?

Around three-quarters of all personal data breaches reported to the UK's regulator are non-cyber — 77% in Q4 2025, and roughly 75% of the 11,074 incidents reported in 2023, which was itself up from 8,799 in 2022. Non-cyber is the ICO's label for incidents with no attacker involved at all: data emailed or posted to the wrong recipient, failure to redact, failure to use bcc, and loss or theft of paperwork and devices. In plain terms, nearly all of it is employee error — which is why this dataset, not any vendor survey, is the best UK evidence on human error.

The sector pattern is telling. Health was the top reporting sector with 17% of 2023 incidents, followed by education and childcare (14%), finance (11%) and local government (10%) — sectors that move large volumes of sensitive records between named individuals every day, which is exactly where misdirection mistakes happen.

Two caveats keep the numbers in proportion. Around 70% of incidents reported to the ICO in 2025 resulted in no further action, and over 50% of the breaches reported in 2025 affected just one to nine people — organisations err on the side of caution and report incidents that turn out to be low risk. UK GDPR requires breaches likely to pose a risk to individuals to be reported within 72 hours; our 72-hour breach response guide explains the test. For quarter-by-quarter volumes and costs see our data breach statistics page, and for what enforcement follows, our ICO fine and enforcement statistics.

What is the most common human error data breach?

Emailing personal data to the wrong recipient — 1,744 reported incidents in 2023, 16% of everything reported to the ICO that year, and the single most common breach type in the dataset. By Q4 2024 the wrong-recipient email had grown to 21% of all reported incidents. Add its close relatives — data posted or faxed to the wrong recipient, failure to use bcc and failure to redact — and misdirected information is comfortably the leading cause of reported UK breaches.

The global data agrees. In the 2026 Verizon DBIR, misdelivery accounted for 88% of all error-related breaches — the same everyday failure of sending information to the wrong person, seen across a worldwide dataset.

The ICO examined why these mistakes keep recurring in the Errors chapter of its May 2024 review, Learning from the mistakes of others. The pattern it describes is consistent: routine tasks, time pressure, autocomplete picking the wrong contact, and personal data attached where it did not need to be — failures that layered checks, technical controls and staff training are all designed to catch before the send button is pressed.

Where does the "88% human error" statistic come from?

The 88% figure comes from The Psychology of Human Error, a 2020 report by email-security vendor Tessian produced with Stanford University professor Jeff Hancock — not, as it is almost always cited, from a Stanford University study. It was a survey-based vendor report, and the "Stanford research says 88% of data breaches are caused by human error" framing that spread from security-awareness marketing is a mis-citation that has outlived the original context.

The 95% claim is older and looser still. It traces back to IBM's Cyber Security Intelligence Index in the mid-2010s, which found human error was a contributing factor in 95% of the incidents it studied; the World Economic Forum's Global Risks Report repeated a 95% figure in 2022, and Mimecast's State of Human Risk research revived it in 2025, reporting that human error was tied to 95% of data breaches in 2024. "Contributing to" almost every breach is defensible — someone, somewhere, usually made a mistake an attacker exploited — but it is a much weaker claim than "caused by", which is how the number is usually quoted.

The best-evidenced UK versions of the claim are CybSafe's analyses of the ICO's own dataset: 90% of the 2,376 cyber breaches reported to the ICO in 2019 were caused by end-user mistakes — chiefly falling for phishing — falling to 80% in its 2021 follow-up analysis. Note what that measures: human error within cyber breaches, a different slice again from the ICO's 77% non-cyber share. Both can be true at once, and together they are the strongest case that UK breach risk is mostly a people problem.

What does the Verizon DBIR say about the human element?

The human element was present in 62% of breaches in the 2026 Verizon DBIR, published in May 2026 and drawing on more than 31,000 incidents and 22,000 confirmed breaches worldwide — up from 60% in the 2025 edition. The DBIR's metric deliberately excludes malicious insider misuse, so it captures what security awareness can actually influence: genuine mistakes and successful social engineering. On the same measure, the 2024 edition reported 68%; year-to-year movement partly reflects changes in the contributing dataset — notably the growth of third-party and vulnerability-driven breaches — rather than a step change in staff behaviour.

Within the error category the findings mirror the UK picture. Misdelivery made up 88% of error-related breaches in the 2026 DBIR, and the Miscellaneous Errors pattern accounted for around 9% of breaches overall but 31% in the public sector — echoing the over-representation of health, education and local government in the ICO's own reporting data.

How big is the security awareness training gap?

Only 19% of UK businesses ran cyber security training or awareness-raising sessions in the 12 months before the 2025/26 Cyber Security Breaches Survey, published on 30 April 2026 with fieldwork between August and December 2025. Set that against the same survey's headline exposure figures — 43% of businesses (around 612,000 firms) and 28% of charities identified a breach or attack in the same period, with phishing the most prevalent attack type at 38% of businesses — and the mismatch is stark: the attack that succeeds through employee error is the most common one, yet four in five businesses gave staff no training to resist it.

The stakes are not trivial. The average cost of a UK data breach was £3.29 million in 2025, rising to £5.74 million in financial services, according to IBM's Cost of a Data Breach Report. Most human-error incidents are small — a misdirected email affecting a handful of people — but the same behaviours, unchecked, produce the expensive tail, and the ICO's error review repeatedly identifies staff training as a core preventative measure alongside technical controls.

Training is also a compliance expectation, not just good practice: UK GDPR's security and accountability principles require appropriate organisational measures, and the ICO expects staff who routinely handle personal data to be trained to do so. That is precisely the gap a short, accredited course closes.

Frequently asked questions

What percentage of data breaches are caused by human error?

It depends on the measure. In the UK, 77% of breaches reported to the ICO in Q4 2025 were non-cyber — almost all human-error types. Globally, the 2026 Verizon DBIR puts the human element at 62% of breaches. CybSafe's analyses of ICO data found end-user mistakes behind 90% of cyber breaches in 2019, and 80% in its 2021 follow-up. There is no single true number — cite the source and definition together.

What is a non-cyber data breach?

It is the ICO's category for reported breaches with no hacking or malware element: data emailed or posted to the wrong recipient, failure to redact, failure to use bcc, and lost or stolen paperwork and devices. Non-cyber incidents made up 77% of all breaches reported to the ICO in Q4 2025.

How many data breaches are caused by misdirected email?

Data emailed to the wrong recipient was the ICO's most common reported breach type, with 1,744 incidents in 2023 — 16% of all reports — rising to 21% of incidents in Q4 2024. In the 2026 Verizon DBIR, misdelivery accounted for 88% of all error-related breaches worldwide.

Is the "95% of breaches are human error" statistic true?

Only on the loosest definition. The figure traces to IBM's Cyber Security Intelligence Index, was repeated by the World Economic Forum in 2022 and revived by Mimecast in 2025, and it measures breaches that human error contributed to in some way — not breaches it directly caused. The best-evidenced direct-cause figures run from 62% to 90% depending on the dataset.

Does an employee mistake count as a personal data breach under UK GDPR?

Yes. A breach is defined by what happened to the data, not by intent — an email sent to the wrong person is as much a breach as a hack. If it is likely to pose a risk to individuals it must be reported to the ICO within 72 hours; our breach response guide explains the reporting test.

Do most human error breaches lead to ICO fines?

No. Around 70% of incidents reported to the ICO in 2025 resulted in no further action, and over half of reported breaches affected fewer than ten people. Fines are reserved for serious failings — our ICO fine statistics page tracks them in full.

Sources & references

Most reported breaches start with an everyday mistake — a misdirected email, an unredacted file. Train your team to handle personal data safely and meet UK GDPR duties.

Explore the GDPR & Data Protection Course →
Mark McShane
Mark McShane
Health & Safety Training Specialist, Online CPD Academy

Mark writes about data protection, workplace compliance and accredited online training for GDPR & Data Protection Course, part of Online CPD Academy.