One Year After GDPR: Significant rise on Data Breach reporting from European Businesses


It’s been one year since the European Union (EU) enforced the General Data Protection Regulation (GDPR)¹, a legislation designed to protect the personal data of EU citizens and lay specific rules and guidelines on how their data is collected, stored, processed and deleted by various entities. GDPR requires that organizations must disclose to national Data Protection Agencies (DPAs) any breaches of security leading to “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed to local data protection authorities not later than 72 hours after having become aware of it”.

Penalties for organizations failing to comply with the new notification requirements of the regulation include fines of up to €10 million, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. A lot of studies at the time showed that companies would not be ready for the 25th of May 2018 which led a lot of privacy professionals to assume the worst when they tried to hypothesize about what could happen when the new European legislation would come into effect.

Rise in the number of data breaches

The European Data Protection Board (EDPB)², the EU body in charge of the application of GDPR still hasn’t developed any official standards to clarify how independent EU DPAs will publicly report specific statistics/numbers about GDPR, and this currently makes collecting and analyzing data on GDPR compliance somewhat challenging. A number of European DPAs have voluntarily confirmed in recent months that the new regulation has led to a significant rise in reported data breaches, clearly demonstrating the impact GDPR has had on raising awareness with the general public as well as organizations regarding their rights and obligations under EU data protection law.

So far, the most reliable data regarding the number of data breaches currently available seems to be from some of the DPAs as well as the overview reports³ published by the EU’s Commission on the implementation of the GDPR. From the data we can deduct that EU DPAs received more than 95,000 complaints from EU citizens since May 2018 and from these complaints nearly 65,000 were data breach notifications.

The law firm DLA Piper analyzed data breach reports⁴ that have been filed by 23 of the 28 EU member states since GDPR came into full force and at the end of January 2019 also the European Commission reported that EU data protection regulators had collectively received 41,502 data breach notifications⁵.

“The Netherlands, Germany and the United Kingdom came top of the table with the largest number of data breaches notified to supervisory authorities with approximately 15,400, 12,600 and 10,600 breaches notified respectively.” DLA Piper says in its report and that the Netherlands recorded the most data breach reports per capita, followed by Ireland and Denmark. “The United Kingdom, Germany and France rank tenth, eleventh and twenty-first respectively, while Greece, Italy and Romania have reported the fewest breaches per capita,” the report says.

Under GDPR, non-EU organizations that have headquarters established in Europe can take advantage of the “one-stop shop” mechanism and with numerous U.S. high-profile technology leaders like Facebook, Microsoft, Twitter and Google choosing to have their European headquarters in Ireland, it will be very interesting to study the yearly data breaches report from Ireland’s DPA when it comes out.

With the EU elections approaching in a few weeks it will be very thought-provoking to analyze how imposed safeguards from EU DPAs and GDPR on the use of political data during elections will affect political parties and how this will influence the collection of personal data related to political opinions and communicating political views to target audiences during the election period.

Anyhow we must be prudent with current data because we are still in a transitional year and with most EU DPAs having a median time for investigating a data breach from 12 to 15 months (or even more), a lot of cases that currently are under investigation are incidents that happened under older Data Protection laws.

GDPR Penalties

Germany is the leading country currently in the number of fines with German organizations receiving 64 of the GDPR fines that have been imposed so far. This includes the two largest fines to date, an organization that published health data on the internet (€80,000) and the second a chat platform (€20,000 for failing to hash stored passwords). “So far 91 reported fines have been imposed under the new GDPR regime,” DLA Piper reports, “But, not all of the fines imposed relate to personal data breaches.”

The largest fine to date is €50 million against Google by France’s Data Protection Authority, but the fine did not relate to a data breach, but to the processing of personal data from Google without authorization from its users. The remaining fines from countries like Austria and Cyprus were comparatively low in value.

Looking into the future

The objective of GDPR was to bring uniformity to data protection laws across EU member states and control how organizations should store personal data and how they must respond in the event of a data breach, emphasizing the importance of creating trust that allows the digital economy to grow inside the European community.

As GDPR reaches its first birthday in a few days, it is clear that the regulation is still young and both regulators and companies are still figuring out its impact and importance. Data Protection Authorities across the EU will soon be publishing annual reports, which should give us a wider and better picture of the level of compliance.

Transparency is a necessity that will help the EU further increase awareness of GDPR and let’s not forget that the rest of the world, especially countries that are very close partners with the EU like the United States, are closely observing in order to better understand the effects and the strengths and weaknesses of the regulation.

References

1. General Data Protection Regulation (GDPR)
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

2. European Data Protection Board (EDPB)
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/enforcement-and-sanctions/enforcement/what-european-data-protection-board-edpb_en

3. First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities.
http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf

4. DLA Piper GDPR Data Breach Survey
https://www.dlapiper.com/~/media/files/insights/publications/2019/02/dla-piper-gdpr-data-breach-survey-february-2019.pdf

5. GDPR in numbers Infographic
https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf

 

This post first appeared on the Gemalto blog here. 

Infosecurity – Encryption is Often Poorly Deployed, if Deployed at All

 infosecurityEncryption continues to be a challenge for companies, as only a quarter of organizations admit to using it for at-rest data, and for emails and data centers.

According to research by Thales and IDC, encryption for email is only adopted by around 27% of the European respondents, while the numbers decline for data at rest, data centers, Big Data environments and full disk encryption. The only instance of European respondents ranking higher than a global number was in the instance of using cloud-native provider encryption.

Jason Hart, security evangelist at Thales, said that there is a wider problem of nothing changing in the last 25 years, except that we are creating more and more data. That has become a commodity, and “because of the acceleration of cloud I say to a company ‘what are you trying to protect?’ and after an hour we may get to a conversation about data and two hours later we may get to the type of data that they deem to be valuable.”

However, Hart argued that companies do not understand the risks that they are trying to mitigate, “and information security is really simple, it is about people, data and process.”

Speaking to Infosecurity, Hart said that if you look at every major breach that has occurred, there are too many instances of companies not deploying encryption properly, and also people do not look at the risk.

“You encrypted the data in the database, but what talks to the database? The application, so the data now transverses into the application’s code text and then from the application it goes into the cloud,” he said. “So they do it in silos and elements, but when people do it wrong, there is a false sense of security.”

To read the full article click here.

 

HelpNet Security – Consumers believe social media sites pose greatest risk to data

helpnetA majority of consumers are willing to walk away from businesses entirely if they suffer a data breach, with retailers most at risk, according to Gemalto. Two-thirds (66%) are unlikely to shop or do business with an organisation that experiences a breach where their financial and sensitive information is stolen. Retailers (62%), banks (59%), and social media sites (58%) are the most at risk of suffering consequences with consumers prepared to use their feet.

“Businesses have no choice but to improve their security if they want to address frustrated consumers that don’t believe the onus is on them to change their security habits,” says Jason Hart, CTO, Data Protection at Gemalto. “Social media sites in particular have a battle on their hands to restore faith in their security and show consumers they’re listening – failing to do so will spell disaster for the most flagrant offenders, as consumers take their business elsewhere.”

To read the full article click here.

Computer Weekly – UK consumers threaten data breach backlash

cw_logoMost UK and global consumers are willing to walk away from businesses that fail to look after personal data, with retailers most at risk, research shows

Seven out of 10 UK consumers and two-thirds, on average, around the world would stop doing business with a brand that suffers a breach of users’ financial or personal data. Retailers are most at risk globally, with 62% of respondents willing to walk away after a data breach, followed by banks (59%) and social media sites (58%), according to a survey of 10,500 consumers by digital security firm Gemalto.

“Businesses have no choice but to improve their security if they want to address frustrated consumers that don’t believe the onus is on them to change their security habits,” said Jason Hart, CTO, data protection at Gemalto.

“Social media sites, in particular, have a battle on their hands to restore faith in their security and show consumers they are listening. Failing to do so will spell disaster for the most flagrant offenders, as consumers take their business elsewhere.”

To view the full article click here.

techradar – The true cost of a data breach

techradarFalling victim to a data breach hurts your business’ bottom line as well as its reputation

From the implementation of the General Data Protection Regulation (GDPR) back in May, which fundamentally changed the rulebook for storing data of EU citizens at least to the Butlin’s hack, 2018 has been a very significant year for cybersecurity.

One of the biggest changes centred around transparency, specifically businesses being forced to reveal within 72 hours if they have suffered a breach. While the US has had this type of policy for a while, businesses in the EU were not required to publicly state when a breach occurred, leaving them free to keep significant news like this from their customers. But now that things have changed, and it’s starting to heat up in the EU.

To read the full article click here.

Computer Business Review – The True Cost of a Data Breach

cbr-logo“Encrypting data at rest and in motion, securely managing the encryption keys and storing them securely, while also managing and controlling user access, are vital steps for businesses to take to protect themselves”

From the implementation of the General Data Protection Regulation (GDPR) back in May, which fundamentally changed the rulebook for storing data of EU citizens at least to the Butlin’s hack, 2018 has been a very significant year for cybersecurity.

One of the biggest changes centred around transparency, specifically businesses being forced to reveal within 72 hours if they have suffered a breach. While the US has had this type of policy for a while, businesses in the EU were not required to publicly state when a breach occured, leaving them free to keep significant news like this from their customers. But now that things have changed, and it’s starting to heat up in the EU.

To read the full article click here.

GDPR: Report – Reddit hack: data held in 2007 exposed

gdprreport-logogReddit, the website supporting discussion and content ratings, has confirmed it was subject to a data breach, affecting all data held in 2007 and before and email digests sent in June of this year.

“Although it was a serious attack,” said Reddit in a statement, “the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs.”

Jason Hart, CTO, Data Protection at Gemalto said: “Network intrusions like this are inevitable. The Reddit issue reinforces again that being breached is not a question of ‘if’ but ‘when’ and a multi-layered approach to security is needed. Even with multi-factor authentication deployed, the Reddit breach still occurred. Given today’s security climate, all online companies should use the forms of multi-factor authentication that are appropriate for the data assets being accessed as well as using encryption and key management to secure sensitive data.”

To read the full article click here.

Silicon: Reddit Confirms ‘Serious’ Hack Of User Data

siliconReddit knew of ‘security incident’ since 19 June but only alerted users more than a month later

More than a month since it happened, Reddit has this week confirmed that it has suffered what it is calling a ‘security incident’.

“Network intrusions like this are inevitable,” explained Jason Hart, CTO of data protection at Gemalto. “The Reddit issue reinforces again that being breached is not a question of ‘if’ but ‘when’ and a multi-layered approach to security is needed.”

“Even with multi-factor authentication deployed, the Reddit breach still occurred,” said Hart. “Two years ago NIST made recommendations for companies to consider stronger forms of MFA like token-based authentication. Given today’s security climate, all online companies should use the forms of multi-factor authentication that are appropriate for the data assets being accessed as well as using encryption and key management to secure sensitive data.”

To read the full article click here.

Computer Business Review – MyHeritage Hack: “Future Hackers Could Amend Stolen DNA”

cbr-logoNo DNA data has been lost as a result of a hack at genealogy and DNA testing website MyHeritage that resulted in the leak of 92,283,889 email addresses and hashed user passwords the company has claimed.

“Sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised,” the Israel-based company said.

Gemalto CTO of Data Protection Jason Hart said: “This reinforces again that being breached is not a question of ‘if’ but ‘when’. Perimeter defences are just what they are, first lines of defence. When those fail, the only way data can be protected is to encrypt it. It is especially important that sensitive personal data is always be encrypted. That way, if the data is stolen it is useless to the thieves.”

He added: “MyHeritage noted that it plans to add additional protective measures in the future. While it appears that MyHeritage hashed its passwords, this is a weak form of protection. Given today’s security climate, all online companies should have multi-factor authentication activated by default for all online accounts as well as using encryption and key management to secure sensitive data.”

To read the full article click here.

Business Today – Data theft increased by 783% in India in 2017, says study

business-todaySome 3.24 million records were stolen, lost or exposed in India in 2017, according to Breach Level Index study by digital security firm Gemalto. This number has increased by a whopping 783% over the previous year. The study tracks and analyses data breaches, the type of data compromised and how it was accessed, lost or stolen in the last five years.

“The manipulation of data or data integrity attacks pose an arguably more unknown threat for organizations to combat than simple data theft, as it can allow hackers to alter anything from sales numbers to intellectual property. By nature, data integrity breaches are often difficult to identify and in many cases, where this type of attack has occurred, we have yet to see the real impact,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto.
To read the full article click here.