European Data Breaches & the GDPR

Since the GDPR (General Data Protection Regulation) was introduced in 2018, countless organizations have made headlines for violations, among them British Airways, Marriott International Hotels, and Austrian Post.

  • Google received the biggest fine so far in 2020 – €50 million ($56.6 million)
  • Over 220 fines have been handed out for GDPR violations in the first ten months of 2020
  • The total amount of fines issued so far in 2020 exceeds €175 million
  • Only 20% of US, UK, and EU companies are fully GDPR compliant
  • Misdirected emails have been the primary cause of data loss reported to the Information Commissioner’s Office (ICO)

What is a data breach?

A data breach is a security incident in which information is accessed without authorization. Data breaches can hurt businesses and consumers in a variety of ways: they are costly, can damage lives and reputations, and take time to repair. As technology progresses, more and more of our information has been moving to the digital world, and as a result cyberattacks have become increasingly common and costly. Globally, the average total cost to a company of a data breach is $3.86 million, according to a study by the Ponemon Institute. At an average of $148 per stolen record, online crime is a real threat to anyone on the internet. Corporations and businesses are extremely attractive targets to cybercriminals, simply due to the large amount of data that can be nabbed in one fell swoop.

Why do data breaches occur?

Cybercrime is a profitable industry for attackers and continues to grow. Hackers seek personally identifiable information to steal money, compromise identities, or sell over the dark web. Data breaches can occur for a number of reasons, including accidentally, but targeted attacks are typically carried out in these four ways:

  • Exploiting system vulnerabilities. Out-of-date software can create a hole that allows an attacker to sneak malware onto a computer and steal data.
  • Weak passwords. Weak and insecure user passwords are easier for hackers to guess, especially if a password contains whole words or phrases. That’s why experts advise against simple passwords, and in favor of unique, complex passwords.
  • Drive-by downloads. You could unintentionally download a virus or malware by simply visiting a compromised web page. A drive-by download will typically take advantage of a browser, application, or operating system that is out of date or has a security flaw.
  • Targeted malware attacks. Attackers use spam and phishing email tactics to try to trick the user into revealing credentials, downloading malware attachments, or following links to malicious or compromised websites. Email is a common way for malware to end up on your computer. Avoid opening any links or attachments in an email from an unfamiliar source, since doing so can infect your computer with malware. And keep in mind that an email can be made to look like it comes from a trusted source, even when it’s not.
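The "weak passwords" point above is easy to make concrete from the defender's side. The following Python is an added example, not code from the original article or from Tsaaro: a small password audit that flags short passwords, too few character classes and embedded dictionary words (after undoing common digit-for-letter substitutions), and compares the guess count of a blind brute-force search with the much smaller count of a wordlist attack. The wordlist, the policy thresholds (12 characters, 3 classes) and the "four variants per word" factor are constructed assumptions for the demo, not figures from the article.

```python
import math
import string

# Constructed mini wordlist for this demo (a real audit would use a large
# dictionary plus lists of passwords exposed in previous breaches).
COMMON_WORDS = {
    "password", "welcome", "summer", "winter", "football", "dragon",
    "monkey", "letmein", "qwerty", "sunshine", "princess", "company",
}

# Common digit/symbol-for-letter substitutions, undone before the dictionary
# check so that "P@ssw0rd" is recognised as the word "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12   # assumed policy minimum, not a figure from the article
MIN_CLASSES = 3   # out of: lowercase, uppercase, digit, symbol


def normalize(password):
    """Lowercase the password and undo leet-style substitutions."""
    return password.lower().translate(LEET_MAP)


def find_dictionary_words(password, wordlist=COMMON_WORDS, min_len=4):
    """Return the wordlist entries (at least min_len chars) embedded in the password."""
    norm = normalize(password)
    return sorted(w for w in wordlist if len(w) >= min_len and w in norm)


def charset_size(password):
    """Size of the alphabet an attacker must assume for a blind brute-force search."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def estimate_guesses(password, wordlist=COMMON_WORDS):
    """Crude upper bound on the guesses needed to recover the password.

    Without a dictionary word the attacker is limited to brute force over the
    full alphabet. With one, a wordlist attack only has to try each word, a few
    case/leet variants of it, and the leftover characters around it, which is
    why "whole words" stay cheap to guess even with symbols sprinkled in.
    """
    alphabet = charset_size(password)
    brute_force = alphabet ** len(password)
    words = find_dictionary_words(password, wordlist)
    if not words:
        return brute_force
    longest = max(words, key=len)
    leftover = len(password) - len(longest)
    variants_per_word = 4   # assumed: plain, capitalised, leet, both
    wordlist_attack = len(wordlist) * variants_per_word * alphabet ** leftover
    return min(brute_force, wordlist_attack)


def audit_password(password, wordlist=COMMON_WORDS):
    """Apply the policy checks and return the findings with a crude strength estimate."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"too short ({len(password)} < {MIN_LENGTH} characters)")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))
    if classes < MIN_CLASSES:
        findings.append(f"only {classes} character class(es), need {MIN_CLASSES}")
    words = find_dictionary_words(password, wordlist)
    if words:
        findings.append("contains dictionary word(s): " + ", ".join(words))
    guesses = estimate_guesses(password, wordlist)
    return {
        "verdict": "weak" if findings else "acceptable",
        "findings": findings,
        "guess_bits": round(math.log2(guesses), 1),
    }


if __name__ == "__main__":
    # Constructed sample passwords, not values from any real breach.
    for sample in ("P@ssw0rd123", "Summer2020!", "gW7#kq2!Lm9$zRv"):
        print(sample, audit_password(sample))
```

Running the demo shows the point the bullet makes: `P@ssw0rd123` uses all four character classes, yet because it is the word "password" in disguise its guess space collapses to roughly 2^25, while a random 15-character string of the same alphabet sits near 2^98. In a real deployment the wordlist check would run against a large dictionary and a breached-password list at the moment a user sets or changes a password.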

GDPR: Europe Counts 65,000 Data Breach Notifications So Far

Over recent years, an increasing number of personal data breaches has been reported, especially relating to online systems and services. Such breaches can lead (and have led) to serious impact on the affected individuals’ private lives, including humiliation, discrimination, financial loss, physical or psychological damage, or even threat to life.

It is therefore of critical importance that data controllers and processors have all the necessary mechanisms in place, both for preventing data breaches and for detecting and handling them promptly and appropriately.

The General Data Protection Regulation (“GDPR”) is a legal framework that requires businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states. It applies to every company that handles the data of EU citizens, including banks, insurance companies, and other financial companies.

With the aim of increasing the level of data security in Europe, Directive 2002/58/EC (the ePrivacy Directive) introduced an obligation for providers of publicly available electronic communication services to notify personal data breaches to the competent authorities and to affected individuals. The General Data Protection Regulation (GDPR) extends this obligation to all data controllers and processors in all sectors.

Protecting personal information in the event of a data breach

  • Asset Inventory
  • Vulnerability and Compliance Management
  • Regular Audits on Security Posture
  • Train & Educate Your Staff

For more, reach out to Tsaaro!