Famous Data Breaches - SearchInform

Famous Data Breaches

26.10.2022



The EU General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. This data protection law has been effective for five years now, and many data breaches have been reported since then. Five missteps in particular stand out.

On May 25, 2018, the EU's General Data Protection Regulation (GDPR), the most comprehensive data protection law in the world to date, came into force. The GDPR has left its mark across Europe. Many of the data violations tend to be on a small scale, but there have definitely been some notable missteps by companies with high fines resulting from data breaches. 


Micro Focus has compiled the five most interesting cases of data breaches:

1. Google data breach: €50 million in fines

The French data protection authority CNIL imposed its first GDPR fine of €50 million on Google in January 2019, making it the largest data breach fine in the history of European data protection. The authority accuses Google of two violations of the European GDPR. The essential data protection information was spread over several documents and could not be found by laypersons at all, or only with difficulty. This violates the principle of data transparency. Furthermore, the information provided by Google, even once found in full, is too vague to give the user real information about the purposes of the data collection. In addition, the settings for personalized advertising were found to be unlawful.

The complaint was filed by the Noyb organization and by the French company La Quadrature du Net. In addition to the current action against Google, Noyb has also recently filed similar complaints against major streaming services such as Netflix, Apple Music, Amazon Prime and Spotify.

The penalty could theoretically have been even higher than €50 million, since up to two percent of the annual revenue generated worldwide may be imposed as a data breach penalty.

2. Not a good deal

In April 2019, the Polish data protection authority UODO imposed a data breach fine of 943,000 zloty, the equivalent of around €221,000, on the public company Bisnode AB.

The company is a digital business information provider that had gathered personal data into its own database in order to use it for commercial purposes. The sanctioned company obtains its data sets from publicly available sources.

The data breach penalty was imposed on the company because it had not fulfilled its information obligations. In total, almost six million data records are affected. According to Article 14 of the GDPR, the company should have informed the data subjects about the use of their data – and it should have done so in all six million cases involving personal data.

As it turned out in the proceedings, the responsible parties acted deliberately, knowingly failing to inform data subjects about the use of their personal data. This, together with the company's lack of insight, had a direct influence on the amount of the personal data violation fine imposed.

3. Sensitive patient data in the hands of fake doctors

In 2018, the Portuguese data protection authority CNPD imposed the first significant fine in Europe for a breach of the GDPR. The Barreiro Montijo hospital near Lisbon had to pay a total of €400,000 after the data breach.

Among the reasons cited by the data protection authorities was that too many people had unauthorized access to confidential patient data. The hospital operator knowingly and with full intent granted internal IT technicians access to data that should only be accessible to physicians. In addition, a total of 985 active users were registered as "physicians" in the system, although only 296 physicians worked at the hospital in 2018. The hospital justified this by stating that temporary profiles had been created as part of a service contract, which would explain the discrepancy.

4. First GDPR sanction in Germany 

Germany imposed its first fine for a breach of the GDPR in November 2018, when social and dating website Knuddels.de reported a data breach of 1.87 million credentials and 800,000 user email addresses in September.

The data protection authority of Baden-Württemberg found that the website had stored data such as passwords in plain text, which violated the GDPR's requirements for pseudonymization and encryption of personal data.
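What "stored in plain text" means in code, and what the hardened alternative looks like, is shown in the following added example (not code from SearchInform or Knuddels). It places a plaintext credential store beside a salted, iterated one-way hash using Python's standard library; the record format `pbkdf2_sha256$<iterations>$<salt>$<hash>` and the iteration count are assumptions chosen for illustration.

```python
"""Password storage: the plaintext 'before' beside a salted, iterated hash.

Added example; the record format and iteration count are assumptions.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


# --- The failure mode from the text: credentials kept in plain text ---------
# Whoever obtains the table (a dump, a stolen backup, an insider) has every
# password at once. Kept here only as the contrast to the hardened form.
def store_plaintext(users: Dict[str, str], username: str, password: str) -> None:
    users[username] = password


def check_plaintext(users: Dict[str, str], username: str, password: str) -> bool:
    return users.get(username) == password


# --- Hardened form: per-user salt, slow iterated hash, constant-time compare --
ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record; the password itself is never stored."""
    salt = salt or os.urandom(SALT_BYTES)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than current policy."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


def store_hashed(users: Dict[str, str], username: str, password: str) -> None:
    users[username] = hash_password(password)


def check_hashed(users: Dict[str, str], username: str, password: str) -> bool:
    record = users.get(username)
    return record is not None and verify_password(password, record)


if __name__ == "__main__":
    table: Dict[str, str] = {}
    store_hashed(table, "alice", "correct horse battery staple")
    print(table["alice"])                                   # reveals nothing usable
    print(check_hashed(table, "alice", "correct horse battery staple"))  # True
    print(check_hashed(table, "alice", "wrong"))                         # False
```

Two details matter for the "pseudonymization" point: a leaked table of such records does not reveal the passwords, and because each salt is random, two users with the same password get different records, so one cracked entry says nothing about the others. `needs_rehash` lets the work factor be raised over time at the next successful login.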

However, because the data breach was reported so quickly, the authority showed significant leniency towards Knuddels. Moreover, the website responded promptly and informed the affected users straight away. The fine of €20,000 was therefore comparatively small.

5. It costs nothing to ask? That does not apply to the GDPR

In May 2018, the small mail order company Kolibri Image asked the Data Protection Commissioner of the German state of Hesse for advice. The company had asked one of its service providers several times for an order processing contract, but had not received it.

Kolibri Image wanted to find out from the Hessian data protection authority how to proceed. The latter replied that both sides were obliged to conclude such a contract governing data processing. Not only the service provider, but also the client is responsible under data protection law. The company is obliged to draw up a corresponding agreement itself and send it to the service provider for signature. Corresponding templates can be found on the authority's website.

On December 17, 2018, the State Commissioner imposed a fine of €5,000 for not complying with data security regulations, plus €250 in fees. He justified the decision in particular with a violation of Article 83 (4) of the GDPR. The principle "asking questions costs nothing" did not apply here.


Tell me where the data is: Nine famous data breaches

A data breach can happen quickly: through malicious attacks, sloppiness or simply by mistake. With the General Data Protection Regulation (EU GDPR) in effect, such a mishap can have serious consequences for the company affected. After all, penalties of up to four percent of (global) annual turnover or €20 million may be imposed.

Apart from that, such incidents with data must also be reported and made quasi-public – and that is very unpleasant and quite embarrassing for any company.

1. Sony PlayStation

Energy providers, online banks, universities and dating agencies have also committed one or two data privacy violations. Most of these are admittedly not as spectacular as the famous PlayStation hack, one of the biggest data security incidents in IT history to date. In 2011, hackers penetrated Sony's PlayStation Network and compromised around 77 million unencrypted user accounts. Only the credit card data was encrypted, and only weakly. Sony had to shut down the network completely, answer to several governments and pay fines for the data security violation. The fines hardly mattered anyway: shutting down the network alone cost Sony $171 million.

2. Facebook

The list of (disclosed) data mishaps is already long, and it shows one thing quite clearly: the size of a company does not matter. The fact alone that it is Facebook that has attracted particularly negative attention recently should be warning enough. While the Cambridge Analytica scandal was more of a deliberately political affair, the data breach at the beginning of April this year is a genuinely homegrown one. 540 million customer records of personal data were stored on publicly accessible Amazon cloud servers and were freely available to anyone until they were finally removed. A few months earlier, hundreds of applications had broad access to photos of several million members of the online network for several days. This included images that users had uploaded to Facebook servers but never posted.

3. Yahoo

The Internet company Yahoo has proven that even this number can be topped, twice. After confessing in September 2016 that the data of more than 500 million user accounts had already been hacked in 2014(!), it had to admit two months later that the data of more than a billion Yahoo accounts had fallen into the wrong hands a year earlier still, in 2013. No hack known to date has had anywhere near as many victims. Incidentally, it is still not entirely clear how the hackers got in. At least the communications group Verizon will be happy about this: it took over Yahoo in June 2017 and reduced the purchase price by $350 million in one fell swoop.

4. Deep Root Analytics

The Deep Root Analytics company has put the data of 198 million US voters unsecured on the Internet. In addition to names, dates of birth, addresses and telephone numbers, some of the data also contained information about the religion or ethnicity of the voters and their views on controversial issues. The file with the data, last updated in January 2017, was found by the UpGuard IT security company. Deep Root Analytics confirmed the data authenticity and has since taken the file with data offline.

5. German Post

Europe is no data protection paradise either, as a subsidiary of Deutsche Post can attest. Under the domain umziehen.de, it operates a portal on which people enter personal data such as their new address after moving, so that banks or insurance companies are informed automatically. A database of this kind, containing around 200,000 relocation records, leaked onto the Internet unprotected at the beginning of July this year. Human error was to blame for the data leak, ironically on the fringes of a security update. During this update, a copy of the data was created which should have been deleted afterwards, but was not.

6. Toy manufacturer VTech

Chinese toy manufacturer VTech faced a problematic incident in 2015, when hackers were able to crack the database and thus access all customer data and profiles. The data included not only details such as name, address and login data, but also photos and chats between parents and children – which caused additional turmoil. Almost five million accounts were affected worldwide.

7. Energy supplier MVV

It does not always take malicious hackers to make life difficult for companies. Sometimes all it takes is a stressed, over-motivated or careless employee with a mail program. This is what happened at the German energy provider MVV. An employee caused a data breach by accidentally sending 1,000 customer records (including bank details) to a private individual. The Outlook auto-complete function and the employee's carelessness were to blame.

8. Online Bank Comdirect

Speaking of bank data, we should mention the online bank Comdirect, which had to deal with a curious data security problem. Customers who tried to log in ended up not in their own accounts, but in someone else's. The company attributed the technical problems to a faulty software installation. Only a restart of the IT systems restored order.

9. RWTH Aachen University

On the other hand, the two messages from RWTH Aachen University were sent to the correct e-mail addresses. In the first one, the faculty's mentoring team informs about a free mathematics help course in the summer semester. Basically, this would be a good thing, if it weren't for the file "Bachelor-Complete List" in the attachment, which contains personal data in the form of a table with about 8,000 full names, including the matriculation number and the respective e-mail address. In the second e-mail sent shortly afterwards, the mentoring team apologizes for having sent the list unintentionally and asks the recipients to delete the e-mail.

The fact that there was hardly anything to be heard about data mishaps in Austria was not because the country had been a model student so far. Rather, such data incidents tended to be swept under the rug. Although the Data Protection Act (DSG 2000), which was in force until May 2018, had provided for a duty to inform since 2010, this regulation was so woolly and unclearly worded that it left a lot of room for maneuver. In addition, the threatened penalties were rather low, with a maximum of €10,000. The EU's General Data Protection Regulation (GDPR) changed a lot. Now a data breach can be expensive and, above all, quite embarrassing.

Many data breaches are preventable. On the one hand, they occur due to careless mistakes, stress and hectic daily routines. Sometimes, however, it is ignorance of new or untrained employees. The data protection supervisory authority in Saxony-Anhalt lists some typical data breaches in its report. Companies in Saxony-Anhalt reported 115 data protection violations in 2019.


Prevention and first aid in the event of data protection breaches

Data protection breaches or data mishaps occur easily, and the notification and documentation they require create a significant amount of work for the company. They must be handled professionally. For each type of breach, the supervisory authority shows measures for prevention. Every data breach should be documented so that it can be demonstrated in subsequent audits.

TYPES OF DATA PRIVACY VIOLATIONS 

The supervisory authority lists the following data protection violations in the activity report.

SENDING E-MAILS TO UNINTENDED RECIPIENTS AND WITH AN OPEN DISTRIBUTION LIST

When e-mails are sent to unauthorized recipients, the cause is often an incorrectly entered e-mail address or the use of the wrong distribution list. Whether this leads to a reportable data protection breach then depends on the content of the information.

Significant risks for the data subjects can arise here, for example, if particularly sensitive data (e.g., special categories of personal data or bank or other detailed asset data) is transmitted in the e-mail. However, the rule already applies here that sensitive data must not be sent by e-mail unencrypted, so that unauthorized persons cannot read the data at all if they receive it improperly.

Remedy:

  • Train employees to take great care when working with corporate data and when entering the e-mail address or distribution list before sending.
  • Set data security guidelines and train your employees on e-mail encryption.
  • Use the BCC field for large distribution lists.
  • Configure the e-mail program so that recipients are not disclosed to one another, and so that e-mails to large distribution lists are blocked or can only be sent after an explicit confirmation.
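The last two remedies above can be enforced before a message leaves the client rather than left to the sender's care. The following is an added example (not SearchInform's or any mail vendor's code) of a pre-send check: it flags mistyped recipient domains that look like the company's own, asks for confirmation when more than a set number of recipients are visible to each other or when external addresses would be disclosed to one another, blocks unencrypted sensitive attachments to external recipients, and offers the BCC rewrite. The company domain `example-corp.de`, the threshold of 10 and the attachment-name patterns are assumptions for illustration.

```python
"""Pre-send checks for outgoing e-mail: mistyped domain, open distribution list,
unencrypted sensitive attachment. Added example; policy values are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List

INTERNAL_DOMAINS = {"example-corp.de"}   # assumption: the company's own mail domain
MAX_VISIBLE_RECIPIENTS = 10              # assumption: policy threshold for To/Cc
# assumption: attachment names that hint at payroll, patient or bank data
SENSITIVE_ATTACHMENT = re.compile(r"(payroll|gehalt|lohn|patient|iban|konto|bank)", re.I)
_SEVERITY = {"send": 0, "confirm": 1, "block": 2}


@dataclass
class OutgoingMail:
    sender: str
    to: List[str]
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)
    attachments: List[str] = field(default_factory=list)
    encrypted: bool = False   # True if S/MIME or PGP was applied to the message


@dataclass
class Verdict:
    action: str                           # "send", "confirm" (re-ask the user) or "block"
    reasons: List[str] = field(default_factory=list)

    def escalate(self, level: str, reason: str) -> None:
        if _SEVERITY[level] > _SEVERITY[self.action]:
            self.action = level
        self.reasons.append(reason)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-misses of our own domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_typo(dom: str) -> bool:
    """An unknown domain within two edits of our own is most likely a mistyped address."""
    return dom not in INTERNAL_DOMAINS and any(edit_distance(dom, d) <= 2 for d in INTERNAL_DOMAINS)


def check_outgoing(mail: OutgoingMail) -> Verdict:
    verdict = Verdict("send")
    visible = mail.to + mail.cc
    everyone = visible + mail.bcc
    external_visible = [a for a in visible if domain_of(a) not in INTERNAL_DOMAINS]
    external_any = [a for a in everyone if domain_of(a) not in INTERNAL_DOMAINS]

    for addr in everyone:
        if looks_like_typo(domain_of(addr)):
            verdict.escalate("block", f"recipient domain of {addr} looks like a mistyped internal address")
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        verdict.escalate("confirm", f"{len(visible)} visible recipients exceed {MAX_VISIBLE_RECIPIENTS}; use Bcc")
    if len(external_visible) > 1:
        verdict.escalate("confirm", "external addresses in To/Cc would be disclosed to each other")
    sensitive = [f for f in mail.attachments if SENSITIVE_ATTACHMENT.search(f)]
    if sensitive and not mail.encrypted:
        if external_any:
            verdict.escalate("block", f"unencrypted sensitive attachment(s) {sensitive} to external recipients")
        else:
            verdict.escalate("confirm", f"unencrypted sensitive attachment(s) {sensitive}; encrypt before sending")
    return verdict


def rewrite_to_bcc(mail: OutgoingMail) -> OutgoingMail:
    """The BCC remedy: move every external To/Cc recipient into Bcc."""
    visible = mail.to + mail.cc
    internal = [a for a in visible if domain_of(a) in INTERNAL_DOMAINS]
    external = [a for a in visible if domain_of(a) not in INTERNAL_DOMAINS]
    return OutgoingMail(mail.sender, internal, [], mail.bcc + external, mail.attachments, mail.encrypted)


if __name__ == "__main__":
    # constructed sample: a newsletter to twelve external partners, all in To
    newsletter = OutgoingMail("pr@example-corp.de", [f"u{i}@partner{i}.example" for i in range(12)])
    print(check_outgoing(newsletter))                    # confirm, two reasons
    print(check_outgoing(rewrite_to_bcc(newsletter)))    # send, after the Bcc rewrite
```

The order of the checks matters only for the reasons list; the verdict is always the most severe finding. Escalating to "confirm" rather than "block" for the distribution-list cases matches the remedy in the text (sending only after a renewed request), while the unencrypted-sensitive-data case to outsiders is blocked outright, because the text's rule is that such data must not leave unencrypted at all.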

MAILINGS OF LETTERS WITH SENSITIVE DATA TO UNAUTHORIZED PERSONS

If letters are addressed incorrectly, e.g., by mixing up labels or envelopes, a data protection breach may occur immediately. This is especially true if responsible parties send sensitive data, such as account data, payroll or health data, and a person not authorized to view this data opens the mail. Sending mail subject to professional secrecy (e.g., tax documents) to the wrong person also usually triggers a notification obligation on the part of the responsible party.

Remedy and data restoration:

  • Create an instruction, including on how to work with data, and point out the problem.
  • In the case of sensitive data, the dual control principle should also be applied.
  • Conduct training to ensure that the recipient specified in the address field is correct.
  • Ask unauthorized persons who have received the mail to return it to the sender, and advise them that they are not authorized to process the data it contains.

SENDING OF E-MAILS BY THE EMOTET VIRUS

This treacherous virus uses the address books of e-mail programs and sends e-mails automatically. In this way I have already come across e-mails sent within a department several times.

Remedy and data restoration:

Prevention:

  • Security updates for the operating system and applications
  • Antivirus programs
  • Data backup concept
  • Setup and use of a user account without administrative rights
  • No opening of e-mails / attachments without first checking for harmlessness
  • Establishment of a reporting chain in case of incidents

Reaction:

  • Immediate disconnection from the network
  • Information to parties involved, such as supervisors, colleagues, customers and business partners
  • Report to management and, if available, data protection officer and IT security officer
  • Restart computer and import data backup

DISPOSAL OF DOCUMENTS CONTAINING PERSONAL DATA IN PAPER WASTE

Information that should not be seen by everyone can always be found in the wastepaper basket. Whether it is sensitive corporate information (quotations, invoices, sales figures or logs) or personal data about data subjects (e.g. payslips, copies of ID cards): dispose of sensitive information and personal data properly.

Remedy:

  • Introduce a cleaning concept
  • Organizational regulations for handling paper waste
  • Introduce suitable shredders – these must destroy the paper with data in accordance with the protection requirement (DIN 66399).
  • Regulate the use of the cleaning company (persons, times, activities, substitution arrangements, checks, confidentiality declarations, training and clear instructions, etc.).
  • Conclude an order processing agreement if the cleaning company processes personal data on your behalf.

LOSS OF DATA CARRIERS

Data carriers or terminal devices on which personal data is stored are lost or stolen. There have also been cases in which acquaintances or family members took information from such devices in order to harm employees.

Remedy:

  • Provide data security training for employees on how to handle data media and end devices.
  • Use only encrypted data carriers.

ENCRYPTION BY MALWARE

If malware is activated by opening an e-mail attachment, data is encrypted in the case of encryption Trojans. To the extent that data subjects are adversely affected by the encryption, the data breach must be reported.

Remedy:

Preventive measures, such as

  • Software updates, reduction of attack surfaces (minimization of hardware and software)
  • Settings in e-mail programs (text-only), disabling macros in Office programs or restricting executable programs
  • Introduction of spam filters, network drives
  • Data security awareness and training
  • If feasible: prevention of unwanted programs (application whitelisting)
  • Restriction of PowerShell options
  • Network segmentation
  • Securing remote access / restrictive handling
  • User concept – restrictive handling of administrator rights
  • Virus protection programs
  • Data backup and data protection concept
  • Detection of ransomware files on file servers by resource managers
  • Central log or logging server
  • Contingency plan and drills
  • Data breach response
  • Real-time scanning for ransomware on servers
  • Vulnerability scans and penetration tests
  • With adequate prevention, ransom payment is not necessary

Reaction:

  • Filing a report with the appropriate state cybercrime authorities
  • Disconnection of infected systems from the network
  • External support (computer forensics) to secure evidence of the data violation, minimize damage and recover
  • Restoration of the system environment
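Two of the preventive measures above, detection of ransomware files on file servers and a central logging server, come together in the following added example (not SearchInform's or the supervisory authority's code). It runs over constructed file-server audit events in an assumed one-line format and raises an alert when one user changes the extension of many files within a short window (the signature of an encryption run), when a file takes an extension on a screened blocklist (the file-server "resource manager" idea), or when a file is created whose name looks like a ransom note. The event format, the 60-second window, the threshold of 20 and the extension blocklist are all assumptions.

```python
"""Ransomware-activity detection over file-server audit events.

Added example; the event format, thresholds and blocklist are assumptions and
the sample events are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Optional, Tuple

# assumed audit line: "<iso-timestamp> user=<name> op=<CREATE|WRITE|RENAME> path=<path>[ -> <newpath>]"
EVENT_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>.+)$")
SCREENED_EXTENSIONS = {"locked", "crypt", "enc"}        # assumption: placeholder blocklist
NOTE_NAME = re.compile(r"(readme|how_to|decrypt|restore).*\.(txt|html?)$", re.I)


def parse_event(line: str) -> Optional[dict]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None                      # skip lines that do not fit the format
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path: str) -> str:
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_ransomware_activity(lines: Iterable[str], window_seconds: int = 60,
                               rename_threshold: int = 20) -> Dict[Tuple[str, str], str]:
    """Return {(user, indicator): detail} for every indicator seen per user."""
    alerts: Dict[Tuple[str, str], str] = {}
    renames: Dict[str, Deque[datetime]] = defaultdict(deque)   # sliding window per user
    window = timedelta(seconds=window_seconds)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        user, op, path = ev["user"], ev["op"], ev["path"]
        if op == "RENAME" and "->" in path:
            old, new = (p.strip() for p in path.split("->", 1))
            if extension(old) != extension(new):
                q = renames[user]
                q.append(ev["ts"])
                while ev["ts"] - q[0] > window:
                    q.popleft()
                if len(q) >= rename_threshold:
                    alerts[(user, "mass_extension_rename")] = f"{len(q)} extension changes within {window_seconds}s"
        else:
            new = path
        if extension(new) in SCREENED_EXTENSIONS:
            alerts.setdefault((user, "screened_extension"), new)
        if NOTE_NAME.search(basename(new)):
            alerts.setdefault((user, "ransom_note_name"), new)
    return alerts


def sample_events() -> list:
    """Constructed sample: one user encrypting a share, one doing ordinary work."""
    base = datetime(2022, 10, 26, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} user=jdoe op=RENAME "
             f"path=\\\\fs01\\finance\\report{i}.xlsx -> \\\\fs01\\finance\\report{i}.xlsx.locked"
             for i in range(25)]
    lines.append(f"{(base + timedelta(seconds=26)).isoformat()} user=jdoe op=CREATE "
                 f"path=\\\\fs01\\finance\\HOW_TO_RESTORE_FILES.txt")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} user=asmith op=RENAME "
                 f"path=\\\\fs01\\hr\\draft.docx -> \\\\fs01\\hr\\draft.pdf")
    lines.append(f"{(base + timedelta(minutes=6)).isoformat()} user=asmith op=WRITE "
                 f"path=\\\\fs01\\hr\\onboarding.docx")
    lines.append("this line is not an audit event")
    return lines


if __name__ == "__main__":
    for (user, kind), detail in detect_ransomware_activity(sample_events()).items():
        print(f"ALERT {user}: {kind} ({detail})")
```

The mass-rename rule fires only once the sliding window holds the threshold, so ordinary work such as converting a few documents never trips it, while the blocklist and note-name rules fire on the first hit because a single such file is already reason to disconnect the client and check the backups.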