Statistics:

Complexity of personal data breaches revealed

Published: 22 March 2022

The Office of the Data Protection Authority has published its latest breach statistics with twenty-seven personal data breaches reported during January and February 2022.

Breach incidents during January-February included:

  • detailed data about a client’s financial status being sent to another client (breach reported from within the legal sector);
  • a form including a named patient’s medical history and clinical data posted to the wrong patient (breach reported from within the health sector); and
  • documents relating to the identity of individuals in a business transaction sent to the incorrect recipient – including: passport details, utility bills, bank details, photo IDs, and signatures (breach reported from within the finance sector).

Examples like these show that data breaches are not a matter of random information being sent to the wrong person, but of private, often sensitive, personal data being compromised. Breaches, however they are caused, can result in information about a living person being: accessed inappropriately; altered inappropriately; destroyed inappropriately; disclosed inappropriately; lost; or made unavailable.

These incidents have the potential to significantly impact the lives of the people whose data has been mishandled, and in extreme cases can lead to direct harm. It is challenging to measure data harms, but statistics can help us see the types of issues that occur and learn from them, so that we can assist organisations in preventing recurrence by raising awareness levels and providing practical guidance.

The Bailiwick’s Data Protection Commissioner, Emma Martins, commented on the role of data breach reporting:

“Breach reporting is only one strand of our regulatory activities but it plays an important role in supporting better awareness and engagement of risks and how to mitigate them. As we get more experience dealing with the reports that come to us, we are constantly reviewing how we can improve and add value to the process, always mindful that behind each data breach there are one or more affected individuals. It is in all our interests to be open about, and learn from, these incidents, and I also want to acknowledge the positive manner in which our local community continues to engage with their duties in this respect.”

On 1 January 2022, the ODPA introduced an improvement to its breach reporting system so that any organisations reporting a breach can now specify both how it happened (i.e. the circumstances that led to the breach occurring) and what the outcome was (e.g. accidental disclosure of personal data).

This change addresses the complexity of the circumstances surrounding incidents where personal data is compromised, and allows the person reporting the breach to give greater clarity about why the breach occurred and what impact it may have had (or has had).

The ODPA will continue publishing anonymised statistics of the breach reports it receives from the regulated community every two months, so that everyone can apply any lessons learned. These are the first published breach statistics that reflect the changes described above, and they cover the period 1 January – 28 February. More information about the changes is covered in the ODPA’s latest podcast ‘Data Breaches - more than just a number’.

NOTES

Number of personal data breaches reported to the ODPA (Oct 2018 – present): view statistics for every two-month period from October 2018 - present.

Number of breaches reported (1 January – 28 February 2022), by the reason the breach occurred (rows) and the outcome of the breach (columns):

REASON BREACH OCCURRED                      | OUTCOME OF BREACH
                                            | Access | Alteration | Destruction | Disclosure | Loss | Unavailability
Hacking                                     |   2    |     0      |      0      |     0      |  0   |       0
Malware                                     |   1    |     0      |      0      |     0      |  0   |       0
Phishing                                    |   1    |     0      |      0      |     0      |  0   |       0
Physical access                             |   2    |     0      |      0      |     0      |  0   |       0
Smishing                                    |   1    |     0      |      0      |     0      |  0   |       0
User access rights error                    |   1    |     0      |      0      |     0      |  0   |       0
Deletion                                    |   0    |     0      |      1      |     0      |  0   |       0
Data sent to incorrect recipient via email  |   0    |     0      |      0      |    16      |  0   |       0
Data sent to incorrect recipient via post   |   0    |     0      |      0      |     4      |  0   |       0
Paper lost/stolen                           |   0    |     0      |      0      |     0      |  2   |       0

TOTAL INCIDENTS REPORTED: 27*

* There was a total of 27 separate breach incidents reported, but because we changed how we categorise breach incidents in January 2022, the above table records a total of 31 underlying reasons. The discrepancy arises because 1 reported breach resulting in access to personal data happened due to 4 separate reasons (a sophisticated combination of hacking, malware, phishing, and smishing). Incidents like these are exactly why we changed the way breaches are categorised: to reveal the complex circumstances that can lead to a breach of someone’s data occurring.


More information about how to handle personal data breaches.

This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.