The EDPB (European Data Protection Board) has recently published a guide that seeks to clarify the most common situations in which data breaches can occur, as well as the importance of notifying the data protection authorities.
The project was adopted on the 14th of January 2021, with the final form to be established in a few months, currently being open for public consultation until the 2nd of March 2021.
However, the examples contained in it are relevant even now, especially since they are based on real situations that led to data breaches.
‘’As part of any attempt to address a breach the controller should first be able to recognize one. The GDPR defines a “personal data breach” in Article 4(12) as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
The EDPB starts the list of the most frequent cases in data breaches with the ransomware.
In most cases a ransom attack suffered by the data controller involves the encryption of personal data through a malicious code and in exchange for decryption the attacker requests a ransom.
The EDPB classifies ransomware into the following:
◦ Ransomware with proper backup and without exfiltration
◦ Ransomware without proper backup
◦ Ransomware with backup and without exfiltration in a hospital
◦ Ransomware without backup and with exfiltration
- Data exfiltration attacks
These attacks target the services offered by the controller to third parties via internet. These typically aim at copying, exfiltrating and abusing personal data for malicious activities. However, if the controller is aware of these data breaches, it can significantly reduce the risk of such an attack. Again, the EDPB provides with concrete examples of types of data exfiltration attacks classified as follows:
◦ Exfiltration of job application data from a website
◦ Exfiltration of hashed password from a website
◦ Credential stuffing attack on a banking website
- Internal human risk source
Human errors are hard to prevent. It is recommended that the data controllers analyse the vulnerabilities and take the necessary measures to avoid them. These are classified by the EDPB as follows:
◦ Exfiltration of business data by a former employee
◦ Accidental transmission of data to a trusted third party
- Lost or stolen devices and paper documents
A common type of data breaches occurs through stolen devices and paper documents. EDPB recommends that security measures should be taken prior to the breach as recovering a lost device or document is much more difficult.
Here as well, the guide is providing different scenarios of data breaches through stolen materials:
◦ Stolen material storing encrypted personal data
◦ Stolen material storing non-encrypted personal data
◦ Stolen paper files with sensitive data
‘’ The risk source is an internal human error in this case as well, but here no malicious action led to the breach. It is the result of inattentiveness.’’
◦ Snail mail mistake
◦ Sensitive personal data sent by mail by mistake
◦ Personal data sent by mail by mistake
- Other cases-social engineering
◦ Identity theft
◦ Email exfiltration
Although the cases presented in this guide are fictitious, they are meant to aid the data controllers to assess their data breaches.
EDPB advices the readers to read all the cases relevant to the specific category of data breach to identify and distinguish all the correct measures to be taken.
Sovy can help you get compliant and stay compliant using our on-line tools, including:
- Walk through a data mapping exercise and build your data inventory.
- Train your employees with industry-standard eLearning courses.
- Maintain your compliance program in the cloud
- Manage cookie consent and data rights
We also offer advisory services in compliance, governance risk, adverse event and remediation.