Data Breach Report: 5 Key Takeaways
The Dutch Data Protection Authority (AP) published its annual data breach report in the summer of 2023. The report presents the figures for 2022 and supplements them with tips and developments. This is relevant reading for anyone involved in information security and privacy protection. We also reviewed the report. Below are several points of attention we identified.
Key Point #1: High-Profile Data Breaches Are Only The Tip of The Iceberg
When data breaches make the news, it is almost always about spectacular hacks in which the personal data of sometimes millions of people is stolen. The data breach report shows that this is only the tip of the iceberg.
Comparison within Europe
In the past year, the AP recorded 21,151 data breaches. This is not an extreme spike in a bad year; it is even lower than the previous year. With more than 150 notifications per 100,000 inhabitants, the Netherlands is the European leader by a wide margin, ahead of Liechtenstein (136) and Denmark (131). This does not necessarily mean that our information security is less mature; it mainly reflects the degree of digitalization.

Sectors with the Highest Risk of Data Breaches
The data breaches are not evenly distributed across sectors. Managers in social welfare and healthcare must be especially alert, as this sector accounts for 41% of all data breach notifications. Public administration is second with 23%, and financial institutions complete the top three with 9%.
There is then a second tier consisting of police and justice (4%), and education, other business services, information and communications, and specialized business services (all 3%). Data breaches within police and justice fall under the Police Data Act (Wpg) and the Judicial and Criminal Procedure Data Act (Wjsg). Data breaches in education receive significant attention because they often involve sensitive data about a vulnerable group (young people).
All other sectors together account for the remaining 10% of notifications. That does not make these sectors inherently safer. It still averages several notifications per day. It is also fair to ask whether the topic receives the same priority across sectors and whether all data breaches are recognized and reported at the same speed.
Key Point #2: Data Breaches Are Not Caused Only by Cybercrime
When we think about data breaches, we often focus on hackers who deliberately steal passwords and personal data, engage in phishing, or use ransomware to hold organizations digitally hostage. Crime reporter John van den Heuvel, himself a victim of a data breach, also points in the report to the professionalization enabled by a new, young generation of criminals. This crime targets large volumes, and in several major healthcare hacks in 2022, medical personnel data on about 900,000 patients and clients was stolen.

Everyday Causes of Data Breaches
It is therefore understandable that many people view data breach prevention primarily as the responsibility of the IT department and security specialists. It is important to realize that the vast majority of cases do not involve cybercrime. Of the 21,151 reported data breaches in 2022, 1,825 cases, less than 10%, involved cybercrime. In the same year, there were 3,347 notifications in which an employee sent an email containing personal data to the wrong recipient or recipients. The largest contributor to data breaches is not even digital: more than 10,000 times per year, letters or packages containing personal data are misdelivered, lost, or opened in transit. In terms of volume, a misdirected letter cannot be compared to the quantities collected in serious hacks. However, its impact can still be severe for victims and the organization involved. Cybercrime remains a top priority, but the other causes must not be ignored.
Key Point #3: The Growing Importance of Least Privilege
In the past year, the number of reports of user authorizations that were set too broadly increased by 65%. This means employees can view personal data that they do not need for their job. This constitutes a data breach, regardless of whether employees actually view or use that data. Misuse can take various forms, from healthcare staff who, out of curiosity, look at the medical records of a celebrity, to employees who started an online trade in personal data they could easily export from the GGD COVID systems.

The 'Principle of Least Privilege'
This confirms the importance of the Principle of Least Privilege, POLP. It is a key information security principle that people receive access only to the data they actually need for their jobs. The Dutch DPA writes the following on its website:
“Ensure that your employees can view only the personal data they truly need for their work. Periodically review log files for unlawful access.”
The Role of Identity and Access Management
This is a logical principle, but it becomes complex to manage as soon as organizations have more than a few employees and required entitlements change frequently and quickly. People often have multiple and changing roles, are promoted, or receive additional privileges after training. To keep this manageable, we must automate access issuance and management as much as possible, based on well-defined user roles and associated entitlements. This is called Role-Based Access Control, RBAC. An automated Identity and Access Management (IAM) solution, such as HelloID, with a full RBAC framework, helps to comply with this Principle of Least Privilege.
This benefits both sides. Legitimate users have access only on a need-to-know basis, and if an account is hacked, the damage remains relatively limited.
There are additional tools to implement the Principle of Least Privilege with more precision. With RBAC, we typically automate about 80% of all entitlements. The remaining permissions can be granted via individual service requests submitted by users or their managers. By automating those requests, we can better manage the additional entitlements and prevent an undesirable accumulation of rights.
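The reconciliation step behind the RBAC plus request model described above, as an added example (not HelloID code and not taken from the report): entitlements are justified either by a user's roles or by an approved, unexpired individual request, and anything held beyond that is the kind of over-broad authorization the report counts as a data breach. Role names, entitlement names and the sample user are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed role model: each role justifies a fixed set of entitlements.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr.read", "roster.read"},
    "ward_manager": {"ehr.read", "roster.read", "roster.write"},
    "finance": {"billing.read", "billing.write"},
}

@dataclass
class AccessRequest:
    """Approved individual request for an entitlement outside the role model."""
    entitlement: str
    requester: str
    approver: str
    expires: date

@dataclass
class User:
    name: str
    roles: set
    requests: list = field(default_factory=list)
    held: set = field(default_factory=set)  # entitlements present in the target system

def expected_entitlements(user: User, today: date) -> set:
    """Entitlements justified by roles plus requests that have not expired."""
    from_roles = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in user.roles))
    from_requests = {r.entitlement for r in user.requests if r.expires >= today}
    return from_roles | from_requests

def reconcile(user: User, today: date) -> tuple:
    """Return (to_revoke, to_grant): held rights without justification, and
    justified rights the target system is missing."""
    expected = expected_entitlements(user, today)
    return user.held - expected, expected - user.held

def sample_audit() -> tuple:
    """Constructed case: a former finance employee who moved to a nursing role and
    whose temporary export request expired; leftover rights must be revoked."""
    anna = User(
        name="anna",
        roles={"nurse"},
        requests=[AccessRequest("ehr.export", "anna", "ward_manager", date(2022, 12, 31))],
        held={"ehr.read", "roster.read", "billing.write", "ehr.export"},
    )
    to_revoke, to_grant = reconcile(anna, date(2023, 6, 1))
    return sorted(to_revoke), sorted(to_grant)

if __name__ == "__main__":
    print(sample_audit())
```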
Key Point #4: Data Security and Prevention
The report shows that least privilege alone is not sufficient. In 2022, there were 746 notifications, nearly a doubling, of personal data being added to the wrong files, for example when a provider accidentally adds a psychological report to another client's file. Other people's personal data was displayed in someone's customer portal 619 times, sensitive papers or USB sticks were lost 657 times, and 3,347 emails containing personal data were sent in error. In such cases, employees have fully justified access to personal data, but then share it with the wrong people.

Technical Tools to Mitigate Data Breaches
Part of the issue relates to awareness because information security still starts with informed, engaged, and alert employees. There are also technical tools to limit such data breaches. Consider Information Protection, also known as Information Rights Management, as part of overall data management and governance. A few examples follow:
Sensitivity Labels: With tools such as Microsoft Purview, you can classify files, for example, medical or confidential, and restrict downstream processing per label. The protection effectively travels with the data to the recipient. You can configure what is and is not permitted per category of information and type of recipient. Can the data be viewed only, or can it also be edited, or forwarded further? Temporary access is also possible. Labeling information is often still a manual activity, but there are increasing options, for example, with AI tools, to semi-automate labeling.
Data Loss Prevention: In addition, tools scan unstructured data, such as emails and documents, for sensitive information. Such applications can recognize specific text patterns, BSN numbers, license plate numbers, and credit card numbers, and can block an email or file, or require additional confirmation before allowing access.
Smarter Storage and Archiving: The GDPR requires organizations to store only the minimum necessary personal data. There are also many guidelines on maximum retention periods, often depending on the specific use. It is important to establish clear agreements within the organization and, where possible, automate them in data management. Data that you do not retain without justification cannot be spread without justification either.
These are several examples that, in addition to improved access security, help you control the downstream use of data. Start by gaining insight into all types of data in your organization, then ensure that access to the data is effectively secured and that it is processed only as intended. Finally, ensure that data is deleted promptly.
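The pattern recognition a Data Loss Prevention tool performs on outgoing mail, as an added example rather than code from any of the products mentioned: candidate BSN and payment card numbers are matched by regular expression and then validated with their checksums (the BSN 11-test and the Luhn check) so that ordinary nine- or sixteen-digit numbers such as invoice ids do not trigger a block. The sample messages and the block/confirm/allow policy are constructed.

```python
import re

# Weights of the Dutch BSN "elfproef" (11-test); the last digit counts negatively.
BSN_WEIGHTS = (9, 8, 7, 6, 5, 4, 3, 2, -1)
BSN_RE = re.compile(r"(?<!\d)\d(?:[ .]?\d){8}(?!\d)")      # 9 digits, optional separators
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")  # 13 to 19 digits

def is_valid_bsn(digits: str) -> bool:
    """True if a 9-digit string passes the BSN 11-test."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, BSN_WEIGHTS)) % 11 == 0

def passes_luhn(digits: str) -> bool:
    """True if a digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_identifiers(text: str) -> dict:
    """Return checksum-validated BSNs and card numbers found in free text."""
    bsn = [m.group(0) for m in BSN_RE.finditer(text)
           if is_valid_bsn(re.sub(r"[ .]", "", m.group(0)))]
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if passes_luhn(re.sub(r"[ -]", "", m.group(0)))]
    return {"bsn": bsn, "card": cards}

def dlp_decision(text: str) -> str:
    """Constructed policy: a BSN blocks the message, a card number requires the
    sender to confirm, anything else is allowed."""
    found = find_identifiers(text)
    if found["bsn"]:
        return "block"
    if found["card"]:
        return "confirm"
    return "allow"

if __name__ == "__main__":
    # Constructed outgoing messages; 111222333 is a well-known valid test BSN.
    for body in ("Dossier voor BSN 111 222 333 bijgevoegd",
                 "Card 4111111111111111 charged",
                 "Invoice 123456789 attached"):
        print(dlp_decision(body), "-", body)
```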
Key Point #5: Put an Incident Response Plan in Place
Preventing data breaches remains the most important priority. With more than 20,000 data breaches per year, you should assume it may happen to you as well. It is critical to be well prepared.
What Does the Dutch Data Protection Authority Do with Notifications?
Let us look at how the Dutch Data Protection Authority handles reported data breaches. Of all 21,151 notifications, about two-thirds, 14,599 data breaches, were monitored only; about one-third, 6,552 notifications, were subject to enhanced supervision; and 35 data breaches were ultimately investigated in depth:
Monitoring means that after an initial assessment, no further action is taken. These are usually minor notifications, such as a misdirected letter or email.
Enhanced supervision applies when there are greater risks, for example, when many victims are involved or because sensitive personal data was involved. This still concerns thousands of cases, and the AP will usually contact the organization only if there are ambiguities or irregularities in the notification. If appropriate measures have been taken and victims informed, such a review is usually completed quickly.
That leaves the 35 notifications in which the AP started a formal investigation. These were the notifications that posed the greatest risks to victims. This occurs especially when organizations do not inform victims after a cyberattack, even though they are obligated to do so. It can also concern leaks that were not reported directly but were brought to light through a customer complaint. In 2022, the AP received 2,000 tips from citizens about possible data breaches.

Risks When Negligent
The message is clear. If you give privacy and information security sufficient priority, treat an unforeseen data breach seriously, and inform victims promptly, then you have little to fear. Claims and fines are most likely when you are not in control, do not handle breaches properly, or try to cover them up.
The Importance of Compliance and Information Sharing
This means you must not only work to be and remain compliant with the GDPR and relevant information security standards, such as ISO 27001, BIO, and NEN7510. You must also invest in information sharing. For example, with our HelloID platform, all issued entitlements are registered and visible at any time. The same applies to additional access requests involving the requester and approver, as well as all access attempts to cloud applications via the platform. All information is easily accessible for audits and certifications, and a complete audit trail is available in the event of a data breach.
Responsibilities and the Role of IT Service Providers
The AP also focuses closely on IT service providers because they can offer hackers potential access to multiple customer organizations at once. Several hacks in the healthcare sector were executed via suppliers. In the case of data breaches, there is a clear division of roles. A vendor cannot report a data breach involving customer data on its own. The vendor must inform its customers immediately of any irregularities so they can file a notification with the AP, inform their own customers, and provide further guidance. At Tools4ever, we manage accounts and access data. The original customer data originates from connected systems, and if anything were to happen, we have protocols in place to inform you, the customer, immediately.
Learn more?
Want to learn more about how Identity and Access Management (IAM) solutions help prevent data breaches? Then view our IAM use case on improving organizational security.