In the first half of 2024, the Autoriteit Persoonsgegevens received more than 9.8 thousand data breach notifications from companies and organizations. This is lower than in the first half of both 2023 and 2022 (both 10.5 thousand). Data breaches can include errors in sending emails with incorrect personal data, hacking or phishing. Most often, the data breach stemmed from an incident involving a letter or mail package. Data breaches were most common among large companies. This is according to figures from CBS and the Autoriteit Persoonsgegevens (AP).

The AP started a project with CBS in 2023 to make information from data breaches reported to the AP available for scientific and statistical research. The collaboration is a pilot project. The AP's figures are preliminary.
In 41 percent of the data breach reports by companies and organizations in the first half of 2024, the breach involved an incident with a letter or mail package containing personal data. This type of incident was also the most common in previous years. For example, a letter or postal package was sent or delivered to the wrong recipient, was returned opened, or was lost.
In 18 percent of the cases, it involved a data breach in which something went wrong with personal data in an email, such as sending it to the wrong recipient. In 8 percent of data breach reports, some form of cybercrime took place, such as hacking, malware or phishing.
In addition, the remaining incidents (33 percent) may include personal data added to the wrong file, a customer's personal data displayed in the wrong customer portal, or a USB stick or paper with personal data being lost.
Almost 7 in 10 data breach reports were made by a large company or large organization (250 or more employees). With this, large companies or organizations (0.2 percent of all companies in the Netherlands) represent a relatively large share of data breach reports. Far fewer reports came from smaller companies (0 to 50 or 50 to 250 employees; both just over 1,400 reports).
Half of the data breach notifications came from the public administration, government services and compulsory social insurance industry (over 2.5 thousand) or an organization in the health and welfare sector (2.4 thousand). This mainly includes the large companies from which the data breach notifications came.
Often a data breach report involved the person's name (89 percent), followed by contact information such as address, place of residence, email or phone number (62 percent). A passport or other proof of identity was involved least often (4 percent).
In most data breach notifications (88 percent), the notifier indicated that no measures had been taken prior to the incident to encrypt or hash personal data or otherwise make it inaccessible to unauthorized persons.
When a company reports a data breach to the Autoriteit Persoonsgegevens, it usually involves a single breach. However, in 1 percent of the data breach reports, the reporter indicated that it involved several similar breaches at the same time, for example as a result of a large-scale mail shipment. This shows that the more than 9.8 thousand data breach reports from the first half of 2024 represented a total of more than 16.5 thousand breaches. By comparison, in all of 2023, there were 25.7 thousand breaches reported.
A data breach report can involve either an incident involving one person or an incident involving millions of individuals at once.
Research institutions can use the data breach information in CBS' secure microdata environment for scientific research. The results can contribute to the resilience of organizations against cyber incidents. The information is not traceable to individual organizations that have reported data breaches. With this project, the AP is implementing the Cyber Security Council's recommendation: 'Make data breach notifications available for research purposes'.
