AMSTERDAM - The number of reported data leaks due to cyber attacks is increasing explosively. Last year, the Dutch Data Protection Authority (AP) received 2,210 reports that people's data had been stolen through a digital attack. That is 88 percent more than a year earlier. The increase may be partly due to the fact that affected organizations report faster, but the privacy watchdog is very concerned.
"Last year we sounded the alarm when the number of reports rose by 30 percent. The year before the increase was 25 percent. This year we are short of words," said Dennis Davrados, data breach coordinator for the privacy regulator.
According to the authority, malicious parties are increasingly targeting IT suppliers. These are companies that provide software services to small entrepreneurs so that they do not have to build such programs themselves. A lot of citizens' personal data comes together within those companies, which makes them worth their weight in gold to criminals. Last year there were 28 data breaches at such IT suppliers. That led to 1,800 reports from affected users. "It is estimated that at least 7 million victims have been affected. Because not all data breaches are reported to the AP, there are probably many more," said the regulator.
After a data breach, citizens are often not informed or are only informed very late, the authority noted. In the meantime, they cannot protect themselves.
In total, the regulator received almost 25,000 reports of data breaches last year. That number is comparable to previous years. These reports concern not only attacks by criminals but also mistakes made by organizations themselves, for example sending a letter to the wrong person or not properly protecting the recipients' addresses in a mass e-mail.
Most cases went no further than a report to the AP. A total of 17,840 data breaches were so small that the Dutch Data Protection Authority did nothing further with them. Just over 7,000 cases went one step further, with the authority conducting 'in-depth supervision'. The regulator then looks not only at what happened but also at what the affected organization is doing to prevent a recurrence. In 36 cases, the regulator decided last year to start an investigation. This can eventually lead to a fine or other punishment. The regulator did not disclose how many of those investigations are still ongoing.
An organization's past also plays a role in deciding how to approach it. "That you stumble once, okay, that can happen. That you stumble a second time, that's also possible. But on the third time, we will ask if you are wearing good shoes," said Özlem Sehirli-Kaya, head of the investigative department of the authority.