Published: 22 March 2022
The Office of the Data Protection Authority has published its latest breach statistics with twenty-seven personal data breaches reported during January and February 2022.
Breach incidents during January-February included:
Examples like this show that data breaches are not a matter of random information being sent to the wrong person, but private, often sensitive, personal data being compromised. Breaches, however they are caused, can result in information about a living person being: accessed inappropriately; altered inappropriately; destroyed inappropriately; disclosed inappropriately; lost; or made unavailable.
These incidents have the potential to significantly impact the lives of the people whose data has been mishandled, and in extreme cases can lead to direct harm. It is challenging to measure data harms, but statistics can help us see the types of issues that occur and learn from them, so that we can assist organisations in preventing recurrence by raising awareness levels and providing practical guidance.
The Bailiwick’s Data Protection Commissioner, Emma Martins, commented on the role of data breach reporting:
“Breach reporting is only one strand of our regulatory activities but it plays an important role in supporting better awareness and engagement of risks and how to mitigate them. As we get more experience dealing with the reports that come to us, we are constantly reviewing how we can improve and add value to the process, always mindful that behind each data breach there are one or more affected individuals. It is in all our interests to be open about, and learn from these incidents and I also want to acknowledge the positive manner in which our local community continues to engage with their duties in this respect.”
On 1 January 2022, the ODPA introduced an improvement to its breach reporting system so that any organisations reporting a breach can now specify both how it happened (i.e. the circumstances that led to the breach occurring) and what the outcome was (e.g. accidental disclosure of personal data).
This change addresses the complexity of circumstances surrounding incidents where personal data is compromised and allows the person reporting the breach to provide greater clarity into the reasons why a breach occurred and what impact it may have had (or has had).
The ODPA will continue publishing anonymised statistics of the breach reports it receives from the regulated community, every two months, so that everyone can apply any lessons learned. These are the first breach statistics published that reflect the changes described above and cover the period 1 January – 28 February. More information about the changes is covered in the ODPA’s latest podcast ‘Data Breaches - more than just a number’.
NOTES:
Number of personal data breaches reported to the ODPA (Oct 2018 – present): view statistics for every two-month period from October 2018 - present.
Number of breaches reported (1 January – 28 February 2022):
Columns: REASON BREACH OCCURRED. Rows: OUTCOME OF BREACH.

| OUTCOME OF BREACH | Hacking | Malware | Phishing | Physical access | Smishing | User access rights error | Deletion | Data sent to incorrect recipient via email | Data sent to incorrect recipient via post | Paper lost/stolen |
|---|---|---|---|---|---|---|---|---|---|---|
| Access | 2 | 1 | 1 | 2 | 1 | 1 | 0 | 0 | 0 | 0 |
| Alteration | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Destruction | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 |
| Disclosure | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 16 | 4 | 0 |
| Loss | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 |
| Unavailability | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

TOTAL INCIDENTS REPORTED: 27*
* There was a total of 27 separate breach incidents reported, but because we changed how we categorise breach incidents in January 2022 the above table points to a total of 31 underlying reasons. This discrepancy is because 1 reported breach, resulting in access to personal data, happened due to 4 separate reasons (a sophisticated combination of hacking, malware, phishing, and smishing). Incidents like these are exactly why we changed the way breaches are categorised: to reveal the complex circumstances that can lead to a breach of someone’s data occurring.