Personal Data Breach Examples

1. What is a data breach?

The words “Data Breach” are now present everywhere, constantly appearing in news headlines or in those unsettling emails hinting at the possibility that our personal information might be at risk.

Indeed, in today’s digital landscape, such breaches have become so common that it’s natural to question what they actually mean and if they’re as serious as they sound. In fact, these incidents are now an uncomfortable reality in our connected society, unleashing a cascade of consequences ranging from financial or reputational damage to legal complications and erosion of consumer trust.

With that in mind, there has never been a more crucial time to be proactive when faced with the news of a potential data breach. Understanding the implications of these events and knowing how to respond is now crucial. Join us as we unravel the intricacies of these data breaches.

Before delving deeper, let’s begin by clarifying commonly confused concepts — namely, security incidents and actual data breaches:

  • A security incident is a broader term that encompasses any event that may compromise the confidentiality, integrity, or availability of personal data.
  • A data breach, by contrast, refers to a security incident in which personal data is disclosed, accessed, or acquired in an unauthorized or accidental manner. In other words, a data breach signals a specific situation in which personal data has been compromised.

As you can imagine, data breaches can occur in various ways — be it through targeted cyberattacks, unintentional errors by employees, or inherent weaknesses within an organization. Examples include phishing emails, malware, misplaced devices or documents, server and backup failures, or the accidental sharing of sensitive information with the wrong recipient.

In sum, don’t think of data breaches as confined to IT systems: they also involve paper processes and physical security!

2. Types of personal data breaches

Knowing this, we can categorize data breaches as follows:

  • “Confidentiality breach” – When we talk about a confidentiality breach, we’re essentially focusing on the necessity to keep sensitive information private. It’s all about making sure that unauthorized individuals don’t get access to data they shouldn’t. Thus, a confidentiality breach has the effect of revealing such information.
  • “Integrity breach” – Regarding an integrity breach, we’re essentially talking about the accuracy and reliability of data throughout its lifecycle. The idea here is to prevent any unauthorized changes to the data. Thus, an integrity breach occurs when the information that was supposed to be protected is altered.
  • “Availability breach” – Data should always be easily accessible by authorized parties. This means that hardware, IT infrastructure and systems that hold said information should stay operational. Therefore, an availability breach means that such data is no longer accessible when needed, resulting in disruptions.

Keep in mind that these categories don’t exclude one another! In fact, a breach can blend elements from different categories. However, you should know that when personal data is temporarily inaccessible due to planned system maintenance for instance, it shouldn’t be labeled as a ‘data breach’ according to Article 4(12) of the GDPR.

Data breaches can also materialize in various ways. In this context, Article 4(12) of the GDPR defines a personal data breach as “a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

Where:

  • “Destruction” refers to the state where personal data no longer exists or is no longer in a form useful to the controller.
  • “Alteration” involves damage, corruption, or incompleteness of personal data.
  • “Loss” indicates that the data may still exist, but the controller has lost control, access, or possession of it.
  • “Disclosure and access” encompass unauthorized or unlawful processing of personal data by recipients not authorized to receive or access the data, as well as any processing activities that violate GDPR regulations.

As you might imagine, data breaches can have serious impacts on data subjects. In line with the GDPR and the European Data Protection Board Guidelines, these consequences include loss of control over personal data, potential discrimination, identity theft, financial loss, exposure of private details without authorization, harm to reputation, and breach of confidentiality, especially for data protected by professional secrecy.

In any case, swift notification of a breach is crucial! So, upon becoming aware of a breach, a controller should go beyond containment and assess the risks. Consequently, the controller must decide on the necessary measures and determine whether to notify the supervisory authority and, if the risk is very high, the affected individuals.

3. Data breach scenarios

Having clarified the fundamental aspects of data breaches, let’s now examine some data breach scenarios.

3.1. Scenario n°1

Picture the following: A large family planning center experienced a security breach where multiple laptops were stolen, compromising sensitive health and social welfare data along with personal information of 1000 data subjects. Particularly noteworthy is that the laptops stored data related to the use of emergency contraceptive pills, abortion, as well as test results for sexually transmitted diseases.

What type of breach is it?

In the present scenario, we can argue that the data breach primarily concerns confidentiality, but it can also concern availability if no backup exists, preventing the family planning center from properly attributing the data and results of the tests.

Furthermore, in this case, the data would have been compromised primarily due to the loss and potential disclosure of this sensitive information.

What are the potential consequences regarding confidentiality?

  • The first impact is a breach of medical secrecy: The laptops contained intimate medical information of the patients, who could be minors, and that information could become available to unauthorized people.
  • In addition, the publication of this information could impact the daily life of the patients and their families (e.g. data on sexually transmitted diseases, data on assaults, data on abortion, social situation of the patient…).
  • Ultimately, the disclosure of said data could have severe effects on the patients, encompassing emotional damage (discrimination & blackmail) as well as financial damage (possible loss of job prospects).

What are the potential consequences regarding availability?

  • The first impact regarding availability is that it may prevent the family planning center from informing patients of their test results for sexually transmitted diseases, leading to aggravation of the disease and potential spreading.
  • Moreover, it could also lead to long delays in reimbursement or in financial/medical assistance for the patients.

Would notification be required?

If we look at the potential impacts for the data subjects, notification should take place. Hence, the supervisory authority should be notified within 72 hours after the family planning center became aware of the breach. Due to the gravity of the breach, the patients should also be notified without undue delay – note that, in specific circumstances, a delay in or absence of notification could be acceptable if duly justified.

What appropriate safeguard might have reduced the risks?

  • Firstly, the potential impacts of the confidentiality breach could have been avoided by utilizing strong encryption paired with a robust and secret key to safeguard the data against unauthorized access.
  • Secondly, by possessing a recent and secure backup, the availability breach could have been avoided, or the consequences and negative impacts minimized.
  • In addition, following the incident, the controller could have quickly mitigated the high risk to individuals’ rights and freedoms by implementing rapid action against unauthorized access.

Hence, and assuming the safeguards had been implemented, notification to the data subjects may not have been necessary. Keep in mind that this must be demonstrated by the controller to the competent supervisory authority.

3.2. Scenario n°2

In 2022, a real-life scenario unfolded at the medical Intercommunal Vivalia, encompassing multiple healthcare institutions in the province of Luxembourg, Belgium. The institution fell victim to a ransomware attack, causing substantial damage. Approximately 200 servers and 1500 computers were affected, with 400GB of patient data illicitly extracted. The breach had far-reaching consequences, rendering several critical services unavailable, including canceled appointments, rescheduled surgeries, disrupted radiology services, and the abandonment of COVID testing.

What type of breach is it?

In the present scenario, it is clear that the breach primarily concerned availability since the data became inaccessible because of the ransomware. It was also a confidentiality breach since an important volume of data was extracted by the hackers.

What are the consequences regarding confidentiality?

  • Again, the first impact concerns medical secrecy: the 400 GB of data extracted raised grave concerns about the confidentiality of sensitive healthcare records. This breach may have exposed personal and medical details to unauthorized individuals.
  • Moreover, the exposure of this information could have significantly disrupted the everyday lives of patients and their families, leading to blackmail, financial repercussions, and overall emotional distress.

What are the consequences regarding availability?

  • Primarily, the ransomware attack on Vivalia’s systems led to prolonged unavailability of critical healthcare services. With approximately 200 servers and 1500 computers affected, the disruption prevented access to patient records, medical histories, and other essential data, impacting the delivery of healthcare.
  • Additionally, the inaccessibility of the data stored in the servers and computers has resulted in delayed or canceled appointments, rescheduled surgeries, and disrupted diagnostic services.
  • In sum, the breach significantly impacted the availability of crucial healthcare data, posing challenges to patient care, operational efficiency, and the overall functionality of Vivalia’s healthcare services.

Would notification be required?

Unsurprisingly, since a large volume of data was extracted and made unavailable, the incident adversely affected data subjects. Thus, notification was necessary to the concerned data subjects as well as the supervisory authority.

What appropriate safeguard might have reduced the risks?

  • Again, an effective and secure backup solution paired with encryption would have allowed restoring the data, or at least helped mitigate the breach.
  • In addition, a strong and up-to-date antivirus might have prevented the ransomware from corrupting the institution’s database.
  • Moreover, proper training of the employees and adequate ICT material would have helped prevent the deployment of the ransomware.
  • Post-breach, the controller could also have promptly nullified, or reduced, the high risk to individuals’ rights and freedoms, by taking immediate action against the unauthorized access.

Had those safeguards been in place and remained secure, notification to the individuals may not have been required, or at least the impact would have been reduced.

4. Notorious data breaches

As we just saw in the above scenarios, data breaches can be caused by a variety of incidents. While the impact in these examples may already appear significant, it is essential to understand that data breaches may carry even more serious and severe implications, as you can see below:

  • Dutch government (2020): In March 2020, the Dutch government experienced a very important data breach, involving the loss of two external hard drives containing the personal information of over 6.9 million organ donors, equivalent to approximately half of the country’s population. The compromised database stored electronic copies of donor forms submitted to the Dutch Donor Register between February 1998 and June 2010. The breach exposed sensitive details, including donors’ names, gender, date of birth, addresses, and certain medical information.
  • Air Europa Data Breach (2023): After hackers gained access to personal financial information following a breach, Air Europa, the third-largest airline in Spain, advised customers to cancel all their credit cards, as all card numbers, expiration dates, and three-digit CVV numbers were taken from the company’s databases. According to the airline, the breach was found after suspicious activity on one of its systems was detected.
  • Target (2013): In 2013, Target, a major retail corporation, fell victim to a significant data breach during the holiday shopping season. The breach impacted over 40 million customer credit and debit card accounts. Cybercriminals gained unauthorized access through a third-party HVAC vendor (Yes, you read that correctly, through Heating, Ventilation, and Air Conditioning), highlighting vulnerabilities in interconnected devices. The attackers stole sensitive payment information, leading to unauthorized transactions, financial losses, and a wave of fraudulent activities.
  • Facebook-Cambridge Analytica (2018): This event, although not a typical breach, entailed unauthorized access as well as extraction of personal data from millions of Facebook profiles. Following the 2016 U.S. Presidential election, the data was subsequently utilized for targeted political advertising.
  • Yahoo (2013-2014): The Yahoo data breach occurred in 2013-2014 but was disclosed in 2016. It was one of the largest cybersecurity incidents in history. Hackers gained unauthorized access to Yahoo’s systems, compromising the personal information of approximately 3 billion user accounts. The stolen data included names, email addresses, passwords, and, in some cases, encrypted or unencrypted security questions and answers.

Conclusion

In summary, incidents related to data, whether impacting confidentiality, integrity, or availability, pose significant risks for individuals and businesses alike. The loss of confidentiality puts personal privacy at risk, breaches of integrity compromise information reliability, and disruptions in availability can hinder access to crucial services. This can lead to financial losses, identity theft, damage to reputation, and disruptions in operations. To mitigate these consequences and safeguard data, it has never been more crucial to implement robust security measures, proactive initiatives, and to stay informed about the ever-evolving threats.

Written by

Kevin François

Consultant @ CRANIUM