When do I have to report a cyber attack according to the GDPR and when not? 18 examples!
by Svenja Koch
Part of the General Data Protection Regulation (GDPR), which has applied since May 2018, is the obligation to report personal data breaches to the competent supervisory authority. Many companies are still unclear about which cyberattacks and IT security incidents are actually reportable. This article walks through 18 examples of data breaches that occur in practice and shows for each whether the breach must be documented, reported to the authority, or communicated to the data subjects.
The EU General Data Protection Regulation and the obligation to report
The relevant provision is Article 33 of the GDPR, "Notification of a personal data breach to the supervisory authority," which regulates the notification obligation of controllers. A company must notify the competent authority of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; this risk assessment is what decides most of the examples below. The notification must describe the nature of the breach as precisely as possible, including the categories and approximate number of data subjects and records concerned, and assess the likely consequences of the breach. Article 33 also sets a time frame: the notification must be made without undue delay and, where feasible, within 72 hours of the company becoming aware of the breach; if not all information is available by then, it may be provided in phases. The company must name a contact point, usually the data protection officer, with contact details, and describe the measures taken or proposed to address the breach and mitigate its effects. Finally, Article 33 requires the controller to document every personal data breach, including its facts, its effects and the remedial action taken, regardless of whether it is notified, so that the supervisory authority can verify compliance.
In addition, Article 34 of the GDPR sets out an obligation to communicate a breach to the data subjects themselves, that is, to the company's customers, employees or other persons whose data the organization processes. If the breach is likely to result in a high risk to the rights and freedoms of these individuals, the company must inform them without undue delay, describing the nature of the breach, its likely consequences and the measures taken. This duty does not apply if the data was rendered unintelligible to unauthorized persons, for example by encryption, or if subsequent measures ensure that the high risk is no longer likely to materialize. If informing each individual personally would involve disproportionate effort, a public communication or similar measure that informs the data subjects in an equally effective manner is sufficient; such a communication does not name the affected individuals.
This is why the implementation of the GDPR is a challenge for many companies
The GDPR has caused nervousness among many companies, above all because of the high fines possible for violations. Small and medium-sized enterprises (SMEs) are particularly affected, since they often have smaller or less specialized IT departments. Practice shows that it is precisely this group that is overwhelmed by implementing the GDPR, and at the same time SMEs are increasingly targeted by cyberattacks. Implementing the General Data Protection Regulation is therefore all the more pressing for them.
Uncertainty also prevails about which types of cyberattacks and data protection incidents must be reported to the competent authority. The regulation itself defines a personal data breach only in general terms (Article 4(12): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data) and does not list concrete scenarios. Whether a breach poses a risk or a high risk to the rights and freedoms of the data subjects also leaves room for interpretation, so companies are often unsure when they must inform the data subjects. Combined with the tight 72-hour window, organizations are quickly overwhelmed when a targeted cyberattack or a ransomware incident actually occurs.
Ransomware - the most common trigger for reportable data breaches
Ransomware attacks have become one of the most common causes of data breaches suffered by businesses and other organizations, but they do not all follow the same pattern. Ransomware blocks access to data by encrypting it; such a loss of availability is itself a personal data breach, yet whether it must be reported depends on the circumstances, in particular on the risk to the affected persons.
It is therefore essential to analyze the exact circumstances of a ransomware attack: whether and to what extent the attackers also exfiltrated personal data, whether the company had encrypted the data beforehand so that the attackers could not read it, and whether a reliable backup exists and how quickly the data can be restored. This analysis falls within the remit of an organization's IT security team. Because of the complexity of ransomware cases, the European Data Protection Board (EDPB), the EU body that brings together the national data protection authorities, has published guidelines with worked examples of this type of attack in order to give organizations concrete guidance.
Examples of the notification obligation under the GDPR
Because of this lack of clarity about which situations trigger the notification obligation, the European Data Protection Board published guidelines with 18 concrete case studies at the beginning of 2021 (Guidelines 01/2021 on examples regarding personal data breach notification). The cases cover cyberattacks and similar incidents that occur in practice and give companies concrete reference points for deciding when a notification is required. The 18 examples below follow these cases.
Example 1: Ransomware attack, data backup available, no extraction of data
A ransomware attack encrypted all of a company's data. However, the company had itself encrypted the data at rest beforehand, and the key was not compromised in the attack, so the attackers could not access the personal data. The company restored all data from a backup.
Documentation required under Article 33: Yes
Obligation to notify the competent data protection authority: No
Duty to inform data subjects: No
Example 2: Ransomware attack without proper backup
In an agricultural business, data was encrypted by a ransomware attack. An external IT security service provider analyzed the attack and determined that the attackers encrypted the data but did not copy it. The personal data affected concerned some customers as well as employees of the company, about a dozen records in total. Because there was no electronic backup, the information had to be reconstructed from paper records.
Since the scale of the incident is comparatively small and no sensitive data is affected, the company does not have to inform the data subjects. However, because the data was unavailable for a time and could only be restored laboriously from paper, a risk to the data subjects cannot be ruled out: the company must therefore notify the competent authority and document the incident and the measures taken.
Documentation required under Article 33: Yes
Obligation to notify the competent data protection authority: Yes
Duty to inform data subjects: No
Example 3: Ransomware attack on a hospital, no data extraction, backup available
A hospital was the target of a cyberattack in which ransomware encrypted much of its data. Personal data of employees and patients in the order of several thousand records was affected.
With the help of an external specialist's analysis, IT security determined that the attackers did not exfiltrate the data but only encrypted it. Nevertheless, this is a data breach with a high risk to the rights and freedoms of the data subjects: health data is involved, the number of records is very high, and even a temporary loss of availability of patient data can affect treatment.
Documentation required under Article 33: Yes
Notification requirement to the competent data protection authority: Yes
Duty to inform data subjects: Yes
Example 4: Ransomware attack with data extraction, no backup available
Attackers encrypted the servers of a public transport company with ransomware. An internal IT security investigation revealed that the attackers had also copied the databases. Several thousand records are involved, affecting both employees and users of the local transport service, and the stolen data includes credit card data and ID card information. The existing backup was compromised and encrypted in the attack as well.
The attack is a data breach with a high risk to the rights and freedoms of the affected persons. Accordingly, all notification obligations of the GDPR apply, and the company must also document the incident and the measures taken.
Documentation required under Article 33: Yes
Reporting obligation to the competent data protection authority: Yes
Duty to inform data subjects: Yes
Example 5: Attackers extract applicant information from a website
An employment agency was the victim of a cyberattack in which personal information of job applicants was stolen. An evaluation revealed that 213 individuals were affected. IT security did not notice the breach until a month after the actual attack.
Since detailed personal data from job applications is affected, there is a high risk to the rights and freedoms of those concerned. The company is therefore required to inform both the competent authority and all affected applicants about the data breach.
Documentation required under Article 33: Yes
Obligation to notify the competent data protection authority: Yes
Duty to inform data subjects: Yes
Example 6: Extraction of hashed passwords from a website
Through an SQL injection vulnerability, attackers gained access to a database in which user passwords were stored as salted hashes of a strong algorithm alongside the users' account data. The salt was not compromised, and no plaintext passwords were exposed. Records of 1,200 users are affected. As a precaution, the website operator informed the users by email and advised them to change their passwords. However, there is no obligation to notify under Article 33 or 34 of the GDPR, since neither plaintext credentials nor other personal data that could be used to harm the users were compromised. Note that a hash is not "encrypted" data that could be decrypted with the salt: the salt only ensures that identical passwords produce different stored values and that precomputed tables are useless; the protection comes from a strong, slow hash function combined with a unique salt per user.
Documentation required according to Article 33: Yes
Obligation to notify the competent data protection authority: No
Duty to inform data subjects: No
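Example 6 turns on how the passwords were stored: a strong hash with a unique salt per user, so that the stolen table yields no plaintext. The following Python code is an added illustration of that storage scheme and is not from the EDPB case or the original article; the algorithm (PBKDF2-HMAC-SHA256), the iteration count, the record format and the sample user table are assumptions chosen for the example. It contrasts an unsalted legacy hash, where two users with the same password are immediately visible as such in a dump, with a per-user salted hash where they are not.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict

# Added example (not from the original page). Parameters are assumptions:
# PBKDF2-HMAC-SHA256 with a high iteration count and a 16-byte random salt per user.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # deliberately slow; raise as hardware gets faster
SALT_BYTES = 16


def legacy_unsalted_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted hash. Identical passwords give identical
    hashes, so a stolen table reveals shared passwords and is open to precomputed tables."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """The hardened scheme: returns a self-describing record
    'algorithm$iterations$salt_b64$digest_b64' with a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(
        [
            ALGORITHM,
            str(iterations),
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(digest).decode("ascii"),
        ]
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare it in
    constant time; a malformed or tampered record simply fails verification."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except (ValueError, TypeError):
        return False
    if iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def build_user_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """Simulate the stored table an attacker would dump via SQL injection:
    user names and hash records only, never plaintext."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def shared_passwords_visible(table: Dict[str, str]) -> bool:
    """True if two users end up with identical stored values, i.e. the dump itself
    betrays that they share a password. With per-user salts this must be False."""
    values = list(table.values())
    return len(values) != len(set(values))


# Constructed sample input: two users who chose the same password.
SAMPLE_CREDENTIALS = {"alice": "correct horse battery", "bob": "correct horse battery"}

if __name__ == "__main__":
    legacy = {u: legacy_unsalted_hash(p) for u, p in SAMPLE_CREDENTIALS.items()}
    print("unsalted dump reveals shared password:", shared_passwords_visible(legacy))  # True
    table = build_user_table(SAMPLE_CREDENTIALS)
    print("salted dump reveals shared password:", shared_passwords_visible(table))  # False
    print("alice logs in:", verify_password("correct horse battery", table["alice"]))  # True
    print("wrong password:", verify_password("Tr0ub4dor&3", table["alice"]))  # False
```

In practice the salt is stored next to the digest, as in the record format above, so an attacker who dumps the table usually has it; the EDPB case additionally assumed the salt was not compromised. What keeps the dump harmless either way is the slow, salted algorithm, which forces the attacker to attack each user's password separately at a high cost per guess.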
Example 7: Cyberattack on an online bank
In an attack on an online banking website, attackers tried to take over customer accounts by automatically testing large numbers of login IDs and passwords. Through a vulnerability in the website, the attackers also obtained personal data of the bank's customers in some cases, including names, address data, dates of birth, and tax numbers. An analysis of the attack revealed that the attackers attempted to access about 100,000 accounts and succeeded in 2,000 cases.
Due to the nature of the compromised data, there is a high risk to the rights and freedoms of those affected. The bank must therefore immediately notify the competent authority and inform the affected customers. This applies both to the 2,000 accounts the attackers actually accessed and to all other customers whose accounts they attempted to access.
Documentation required under Article 33: Yes
Reporting obligation to the competent data protection authority: Yes
Duty to inform data subjects: Yes
Example 8: A former employee steals company data
After being terminated, an employee misuses the access to the company's internal databases that he still holds and copies the company's customer data. A few months later, the former employee uses this contact data for his own customer acquisition.
Since this is general contact data that is likely to be publicly available anyway, a high risk to the data subjects can be ruled out. Nevertheless, a personal data breach has occurred and a risk to the data subjects (for example unwanted commercial contact) cannot be excluded, so the company must notify the competent authority.
Documentation required under Article 33: Yes
Notification requirement to the competent data protection authority: Yes
Duty to inform data subjects: No
Example 9: Accidental transfer of data to a trusted third party
An insurance company noticed that, through an Excel file, it had access to about two dozen customer records belonging to a partner company; a faulty configuration had granted the access. No other parties had access to the records, and the insurance company immediately notified the partner of the data breach and confirmed in writing that the data had been deleted.
The records contained no sensitive personal data, only contact details and information relating to the insurance business, and access was limited to a trusted party, so the breach did not pose a risk to the data subjects. Since the cause was a misconfiguration in the workflow, however, the incident should be documented.
Documentation required under Article 33: Yes
Notification requirement to the competent data protection authority: No
Duty to inform data subjects: No
Example 10: Theft of a data carrier with encrypted content
During a break-in at a kindergarten, thieves steal two tablets on which an app stores personal information about the children, including names, dates of birth, and information about their education. However, the data on the devices is stored encrypted, and the kindergarten operator wiped the tablets remotely immediately after discovering the theft. Because the data was unintelligible to the thieves and has since been deleted, the breach is unlikely to result in a risk to the children's rights and freedoms.
Documentation required under Article 33: Yes
Notification requirement to the competent data protection authority: No
Duty to inform data subjects: No
Example 11: Theft of unencrypted digital information
An employee of a service provider has his notebook stolen. The device contained 100,000 customer records with names, addresses, and dates of birth. The hard drive was neither encrypted nor protected by a password, so whoever holds the device can read the data directly. Due to the nature and the scale of the data breach, both the authority and the affected customers must be informed.
Documentation required under Article 33: Yes
Obligation to notify the competent data protection authority: Yes
Duty to inform data subjects: Yes
Example 12: Paper notebook containing sensitive information is stolen
A paper notebook containing handwritten data about patients is stolen from a rehabilitation facility. The notes include names as well as health information, and there is no other copy of this information. The theft poses a high risk to the rights and freedoms of the patients. Although the data is not stored digitally, the incident still falls within the scope of the GDPR, which also covers personal data held in a structured filing system.
Documentation required under Article 33: Yes
Obligation to notify the competent data protection authority: Yes
Duty to inform data subjects: Yes
Example 13: Mixed up shipments and invoices
A mail-order company mixes up the contents of two packages during shipping, so that two customers receive each other's orders. The packages also contain paper invoices on which personal information is visible. The company notices the error, organizes the return shipment, and corrects the mistake. Since each customer's data was seen only by the other customer and there is no further negative impact on either party, no notification obligation arises under the GDPR, but the incident must be documented. The company still has to contact both customers to correct the misdelivery.
Documentation required according to Article 33: Yes
Reporting obligation to the competent data protection authority: No
Duty to inform data subjects: No
Example 14: Accidental sending of sensitive data by e-mail
The human resources department of a public administration accidentally attaches a file containing personal data to an email about an upcoming training course. The records include names, addresses, social security numbers, and email addresses of approximately 60,000 individuals. Given the scale and the nature of the data, this breach poses a high risk, making notification to the authority and communication to the affected persons imperative.
Documentation required under Article 33: Yes
Obligation to notify the competent data protection authority: Yes
Duty to inform data subjects: Yes
Example 15: Accidental sending of personal information via email
A business English course organizer accidentally sends a list of participants to the previous course group instead of to the hotel where the course is being held. The list contains names, email addresses, and food preferences; only two participants had filled in a preference, stating that they are lactose intolerant. The breach poses a low risk to the data subjects, so the organizer only needs to document the incident.
Documentation required under Article 33: Yes
Obligation to notify the competent data protection authority: No
Duty to inform data subjects: No
Example 16: A misdirected letter with personal information
An insurance company regularly informs its policyholders about the next insurance period of their car insurance. This is done with serial letters produced by an automated system. Each letter contains personal information about the policyholder, such as name, age, license plate number, health status, and insurance premium.
Due to a mechanical error, two letters ended up in one envelope, so one policyholder received another person's insurance data in addition to his own. Since personal data was disclosed to an unauthorized recipient, the GDPR requires the company to notify the competent authority and to document the incident; as only one person's data was affected and the recipient is known, the risk is not high enough to require informing the data subject.
Documentation required under Article 33: Yes
Notification requirement to the competent data protection authority: Yes
Duty to inform data subjects: No
Example 17: Identity theft
A caller contacts a telecommunications provider by telephone, claims to be one of its customers, and asks to change the email address to which the provider sends the billing data. The employee on the phone checks the caller's identity by asking for some personal information, which the scammer answers correctly, so the change of email address is accepted. A few months later, the genuine customer gets in touch and asks why he no longer receives his bills by email. In this case the weakness of the identity check is particularly critical: the attacker has been receiving the customer's bills, with the personal and contract data they contain, for months, and other customers could be attacked the same way. There is therefore a high risk for the affected person, and potentially for other customers, so the company must notify the authority, inform the customer, and document the incident.
Documentation required under Article 33: Yes
Reporting obligation to the competent data protection authority: Yes
Duty to inform data subjects: Yes
Example 18: Data extraction via the e-mail system
Three months after setting up an email system, a company discovers that several accounts have been tampered with and that special mailbox rules have been created. An unknown attacker had manipulated the system so that messages concerning credit card data, bank information, invoices, payments, and transfers were moved to an unused folder and forwarded from there to an external email address. In parallel, a social engineering attack took place in which the attacker posed as a supplier: the bank details of the genuine supplier were changed and fake invoices were introduced into the system. After the discovery, an evaluation by IT security revealed that the attacker had captured the names and income data of 99 employees in total; for ten of them, the attacker also obtained the number of children, marital status, and details about working hours.
This attack remained undetected for a long time and reveals several gaps in the company's security controls, among them that the creation of mailbox rules forwarding mail to an external address went unnoticed for months. Detailed documentation is therefore required, together with immediate notification of the authority and of all affected persons.
Documentation required under Article 33: Yes
Obligation to notify the competent data protection authority: Yes
Duty to inform data subjects: Yes
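Example 18 hinges on mailbox rules that quietly moved financial correspondence into an unused folder and forwarded it to an external address, and on the fact that nobody noticed for months. The Python below is an added example of the detection check a practitioner would run over an export of all mailbox rules; it is not part of the original article or the EDPB case. The rule schema, the organization's domains, the keyword and folder lists and the sample rules are all assumptions constructed for the example; a real export (for instance from Exchange's Get-InboxRule) would have to be mapped onto the MailboxRule fields first.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not from the original page). The rule schema is an assumption modelled
# on what a mail administrator can export; real exports need reshaping into MailboxRule.
ORG_DOMAINS = {"example.com"}  # assumption: the company's own mail domains
FINANCE_KEYWORDS = ("invoice", "payment", "transfer", "bank", "iban", "credit card")
# Folders users rarely open; attackers park diverted mail there so the owner does not notice.
QUIET_FOLDERS = {
    "rss feeds", "rss subscriptions", "conversation history",
    "archive", "junk email", "deleted items",
}


@dataclass(frozen=True)
class MailboxRule:
    mailbox: str
    name: str
    keywords: Tuple[str, ...] = ()       # subject/body keywords the rule matches on
    move_to_folder: Optional[str] = None
    forward_to: Tuple[str, ...] = ()     # forwarding/redirect targets
    mark_as_read: bool = False
    delete: bool = False


def external_recipients(rule: MailboxRule) -> List[str]:
    """Forwarding targets outside the organization's own domains."""
    return [
        addr for addr in rule.forward_to
        if addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS
    ]


def matches_finance(rule: MailboxRule) -> bool:
    """True if any rule keyword touches payment or banking correspondence."""
    return any(k in kw.lower() for kw in rule.keywords for k in FINANCE_KEYWORDS)


def assess_rule(rule: MailboxRule) -> List[str]:
    """Return human-readable findings; an empty list means the rule looks benign."""
    findings: List[str] = []
    ext = external_recipients(rule)
    finance = matches_finance(rule)
    if ext:
        findings.append("forwards mail to external address(es): " + ", ".join(ext))
    if rule.move_to_folder and rule.move_to_folder.lower() in QUIET_FOLDERS and (finance or ext):
        findings.append(f"diverts matching mail into rarely viewed folder '{rule.move_to_folder}'")
    if (rule.mark_as_read or rule.delete) and (finance or ext):
        findings.append("hides matching mail from the mailbox owner (mark as read / delete)")
    return findings


def scan(rules: List[MailboxRule]) -> Dict[str, List[str]]:
    """Map 'mailbox/rule name' to findings for every rule that raised at least one."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = assess_rule(rule)
        if findings:
            report[f"{rule.mailbox}/{rule.name}"] = findings
    return report


# Constructed sample export: one rule mirroring the Example 18 pattern, two benign ones,
# and one plain auto-forward to an outside address.
SAMPLE_RULES = [
    MailboxRule("cfo@example.com", "Server rule 1",
                keywords=("invoice", "payment", "transfer", "credit card"),
                move_to_folder="RSS Feeds",
                forward_to=("billing-update@exampl3-mail.invalid",),
                mark_as_read=True),
    MailboxRule("cfo@example.com", "Newsletters",
                keywords=("newsletter",), move_to_folder="Newsletters"),
    MailboxRule("ap@example.com", "Copy to finance shared box",
                forward_to=("finance@example.com",)),
    MailboxRule("hr@example.com", "Auto-forward",
                forward_to=("personal-backup@mail.invalid",)),
]

if __name__ == "__main__":
    for key, findings in scan(SAMPLE_RULES).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Run periodically over a full rule export, this flags the Example 18 pattern (financial keywords, quiet folder, external forward, mark as read) on the first pass rather than after three months; external forwarding alone is worth a ticket even without the other indicators, which is why the plain auto-forward rule is reported as well.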
Conclusion
With the obligation to report incidents, the European Union is pursuing the goal of transparency. Consumers in particular gain additional protection and rights from the General Data Protection Regulation. Organizations that store or process personal data must notify data protection breaches without undue delay, and as a rule within 72 hours, unless the breach is unlikely to result in a risk to the data subjects. On the other hand, the notification obligation creates uncertainty and organizational effort, which weighs particularly on SMEs. With the concrete case studies, organizations now have a useful guide that sheds light on the issue and makes it easier to decide which notification measures IT security must initiate in the event of a cyberattack.