Revealing the Extent of Data Breaches

October 7, 2014

This May, the Court of Justice of the European Union passed the “Right to Be Forgotten” ruling, a landmark proposal meant to strengthen already-existing protections of European citizens' personal data by erasing personal online data after it is no longer necessary. The previous legislation (dating back to 1995) was out of synch with the digital age and, as  Director of CEU's Center for Media, Data and Society (CMDS) Phil Howard is highlighting in his latest research, Europeans had cause for concern. In the largest-ever study of European data privacy breaches, Howard reveals that, in the past decade, over 226 million personal records have been compromised in Europe.

This is the largest investigation of privacy breaches in Europe ever undertaken,” said Howard. “We looked 350 incidents over a 10-year period, with a very focused look at the 229 incidents that directly involved the privacy of people living in Europe.”

The total population of the countries covered in this study is 524 million, and the total population of Internet users in these countries is 409 million. Expressed in ratios, this means that for every 100 people in the study countries, 43 personal records have been compromised. For every 100 Internet users in the study countries, 56 records have been compromised.

New information technologies have allowed more and more people to conduct the business of their personal lives over digital media. Even people who do not use smart phones or have social media profiles are tracked, surveilled, and surveyed, making facts about their attitudes, behaviors, and other life details are tracked electronically. “Many of those activities, such as banking, shopping, e‐government, social networking, and emailing, require disclosure of a certain degree of personal data. The data citizens or companies store online ranges from email or postal addresses, login information or passwords to sensitive personal information, including bank and credit card account information. The more activities take place online, the more data is stored in servers. Such situations pose certain challenges to maintaining privacy and keeping data safe,” Howard writes in the paper.

In order to analyze the breaches, Howard and 12 students from CEU's School of Public Policy (SPP) researched those that were reported in media outlets. Students reviewed breach reports in their native languages and, after six months of research and refining, brought the total down to 229 well-verified cases representing almost every country in the EU, plus Norway and Switzerland. They found that Germany, Greece, Netherlands, Norway and the UK are all countries with unusually high levels of privacy breaches.

Interestingly, one of the team's main findings is that the loss of private information seems to involve organizational insiders – the people who work for the organization – more than malicious hackers. According to Howard, 57 percent of the incidents involved organizational errors, insider abuse, or other internal mismanagement. Hackers were clearly identified in 47 percent of incidents (2 percent unspecified).

In the news we hear a lot of news stories about hackers who break into systems and steal our personal information.” Howard said. “But that was the minority of incidents – far and away, most of the cases organizational errors, insider abuse, or other internal mismanagement.

And it is not always bank account numbers or credit card data that is at risk. There are some unusual examples of data breach, where the data was lost or published in a surprising way, Howard and the students stated in the report. One example is from Denmark, where personal information of HIV patients was included in a PowerPoint presentation. This, in itself, was an accidental leak but only for the audience at the presentation; however, later, the presentation was published online. Another incident happened in the UK when a staff member of an educational institution lost a camera that held sensitive information, namely photographs of job applicants’ passports. Another case took place before the 2011 Bulgarian elections when the Ministry of Foreign Affairs accidentally published online the names as well as the addresses of the permanent residences of Bulgarian nationals living abroad. Although the information was available online only for a few hours, it made these citizens an easy and open target for theft and burglary. In another incident, FC Manchester City (a soccer club) opened investigations against a rival club which might have hacked confidential records of players’ signings along with their personal records.

Howard said the next move for public policy is mandatory reporting. “When personal records are compromised, both companies and government offices should be required to report the possible privacy breaches both to the victims and a privacy commissioner. Most people don’t know who has legitimate access to their personal records, and they deserve to know when those records have been compromised."

The full report can be downloaded here: http://cmds.ceu.hu/article/2014-10-07/data-breaches-europe-reported-brea.... The research was conducted in conjunction with a course taught by Howard at SPP with students Gulnara Alimbayeva, Roxana Damian, Tamilla Dauletbayeva, Orsolya Gulyas, Zintis Hermansons, Tautvydas Juskauskas, Attila Mester, Róbert Papp, Radka Pudilova, and Marija Stojanovska Rupcic.