February 20, 2020

Fat Fingers, Insider Threats Continue to Far Outweigh Cybersecurity Incidents

Cybersecurity incidents account for just 3.5 percent of breaches

By CBR Staff Writer

The Irish Data Protection Commission (DPC) dealt with thousands of data breach notifications in 2019, its first full year operating under GDPR.

But a puny 3.5 percent of the data breaches were the result of cybersecurity incidents, its annual report, published today, has revealed.

The vast majority were blamed on “unauthorised disclosures”, including “emails/letters to incorrect recipient”; “administrative processing errors”; “verbal disclosures”; “papers lost or stolen”; and “unauthorised access to personal data in the workplace”.

Here are the top five takeaways from the report.

1: Complaints on the Rise

The DPC received 7,215 complaints in 2019; of these, 6,904 were related to GDPR. The remaining 311 were related to issues reported prior to GDPR and were handled by the commissioner under the previous Irish Data Protection Acts 1988 to 2003.

The majority of complaints that the DPC received pertained to access request issues, which account for 29 percent of GDPR issues. Disclosure and data processing complaints made up 35 percent of the issues that people were reporting to the DPC.

Commissioner Helen Dixon commented that: “Disputes between employees and employers or former employers remain a significant theme of the complaints lodged with the DPC, with the battle often staged around a disputed access request.”

Irish Data Protection Commission 2019 Report

Credit: DPC

2: Breaches on the Rise

The DPC recorded 6,257 data-breach notifications in 2019; of these, 6,069 were deemed to be valid data breaches.

These credible data breaches represent an increase of 71 percent when compared to the previous year. The top three sectors reporting breaches were the financial sector, insurance sector and the telecommunications industry.

The 71 percent rise in reports is understandable when you take into account the fact that, under GDPR, data controllers are legally obligated to notify the DPC about any personal data breaches.

As the commissioner notes: “The default position for controllers is that all data breaches should be notified to the DPC, except for those where the controller has assessed the breach as being unlikely to present any risk to individuals and the controller can show why they reached this conclusion.”

3: Cyberattacks not the Problem

Interestingly, out of the 6,257 data breach notifications dealt with by the DPC, only 223 related to cybersecurity incidents. The majority (5,188) pertained to unauthorised disclosures, while only 108 were the result of a hack and 161 were due to phishing.

The report notes that: “The DPC has observed an increase in the number of repeat breaches of a similar nature by a large number of companies. This is most apparent in the financial sector, where the majority of breaches appear to be related to unauthorised disclosures.”

Irish Data Protection Commission 2019 Report

How DPC Received Complaints

The DPC has identified five trends and issues that it encounters when it deals with breaches:

  • Late notifications
  • Difficulty in assessing risk ratings
  • Failure to communicate the breach to individuals
  • Repeat breach notifications
  • Inadequate reporting.

4: Facebook Tops Statutory Inquiries Charts

In 2019, the DPC opened six statutory inquiries, bringing the total number of multinational technology company statutory inquiries to 21. Out of these 21 inquiries, Facebook and its platforms WhatsApp and Instagram account for 11.

One DPC inquiry is examining whether Facebook has complied with the obligation to have a legal basis to process personal data of individuals using the Facebook platform. Another is investigating the extent to which Facebook – acting as the data controller – can refuse to give a person their requested data if Facebook believes that the request is ‘manifestly unfounded or excessive.’

Because Facebook is headquartered in Ireland, the Irish commissioner is the starting point for all EU data investigations and complaints into the social media giant.

As a result, the French digital advocacy organisation – La Quadrature du Net – put in a complaint with the regulator, which then started a “detailed examination of the processing operations underpinning the analysis of users’ behaviour/ activities (including profiling) on the Facebook platform and how that relates to the delivery of targeted advertisements to the user.”

5: Brexit

The DPC has spent significant resources on dealing with Brexit.

In the event of a no-deal Brexit and a lack of GDPR adoption by the UK, the rules around data transfer could change drastically, as the UK would be considered a ‘third country’. This would greatly restrict the ability of businesses outside of the UK to transfer data into the country.

The DPC found that: “The main concern was that smaller companies who did not routinely transfer data to third countries could be in contravention of the GDPR if they continued to do so post-Brexit without applying the relevant safeguards to the transfer.”
