Europe suffered 229 public data breaches since 2004, study suggests

Better disclosure makes UK light up as hotspot

US organisations now suffer so many data breaches it has become a full-time job simply documenting them. But what has been going on in Europe?

One of the first studies of publicly reported data breaches in the 28 countries of the EU (plus Norway and Switzerland) by the Central European University's Center for Media, Data and Society (CMDS) has calculated that between 2004 and 2014 the continent's organisations suffered 229 known incidents covering 227 million personal records.

This excluded global incidents that happened elsewhere and involved European citizens, which is the first complexity the study had to grapple with - databases and the organisations looking after them are now global and so boundaries and measurements start to blur.

A second issue was that the data was taken from 'credible' and sourced media reports in each country, an innovative methodology that nevertheless raises the issue of how much one can really infer from public reports written up by journalists.

We know that some countries have tougher disclosure laws than others - the UK and Germany for instance - and different national and corporate cultures have probably affected the stream of public disclosures. Consequently, national comparisons become treacherous enough to call the whole exercise into question.

Although this means that the CEU's figure of 229 breaches is without a shadow of a doubt a significant understatement, it does at least offer a baseline of sorts.

The CEU found that the Internet-connected population of the 30 countries now stands at 409 million, which gives some idea of how many people's records could be at risk. The peak for breach incidents was 2011, which recorded about 50, but the peak for the number of records breached was by some margin 2013 despite that year recording only 30 incidents.

The conclusion is that there seem to be fewer disclosed breaches in recent times but those that occur are larger; so far 2014 has recorded about the same proportion of incidents as 2013 and a far smaller number of breached records.

One interesting finding is that the UK seems to be a breach hotspot, recording 245 compromised records per 100 Internet users, far above the 79 for Germany. Another is that 89 percent of breaches happened in commercial organisations and 10 percent in governments.

More than half of all incidents were caused by the actions of an insider rather than a hacker, most likely through error rather than malevolence. This is an important point to offset hacking hysteria although it might reflect the way breaches happened in the past.

The larger question remains what effect legislation is going to have going forward. The UK appears to have more breach incidents than any other country but also has a culture of disclosure, more defined data protection and an active information commissioner, so this doesn't necessarily mean it has a bigger problem.

The EU's new E-Privacy Directive, under which breaches of personal data must be reported to national authorities, could start to lift the lid on what has been going on under the surface in countries where secrecy still prevails. The EU is also tightening and unifying data protection under the EU General Data Protection Regulation (GDPR).

"In countries where there are no disclosure rules, people will never learn what data about them has been collected and lost. And it is harder for journalists to cover privacy issues in countries where privacy breaches don't have to be publicised," said the CEU's CMDS director, Phil Howard, by email.

"If there's one thing this study reveals, it's that there is a lot we don't know about who has what kinds of data about us, how much of it is safe, and how much of it has already been exposed."

The media still focused on external hacking when many incidents were caused by internal mismanagement, he argued.


Stories by John E. Dunn
