Do Supervisory Authorities Care About Data Breaches?

At Knowligence, we’re big data nerds, and love to dig in to raw data and find insights. Over the next few weeks, I’ll be picking apart a topic near and dear to my heart – data breaches, and their seeming lack of enforcement under the GDPR. I also plan to discuss why this may be giving firms a false sense that reporting breaches, and mitigating against future breaches isn’t important in the eyes of regulators.

Let’s Talk About Data

Fortunately, there’s a lot of great source material to work with, so doing this analysis is (relatively) easy. For example, the VERIS Community Database (VCDB) tracks breach information around the world. According to their website, VCDB

… aims to collect and disseminate data breach information for all publicly disclosed data breaches. The data are coded into VERIS format and we also provided the dataset in an interactive visualization [Note: The link is woefully out of date and doesn’t actually work] available for public use. We encourage you to visit the site and interact with the data. … We intend to continue to augment this dataset to capture as many incidents as possible so that others can benefit. … The data are currently biased towards the Health sector since nearly half of the incidents came from the [DHS Health and Human Services] publications. Subsequent updates have brought the dataset to over 3,600 incidents coded and thousands of breaches still waiting to be entered.

As noted, the data is heavly concentrated in the US healthcare sector, but with over 8000 records currently logged, other industries & countries also have healthy representation. Here’s a chart looking at the total number of incidents (log scale), by industry for each country. Due to the strict reporting laws in most states, the US looks appallingly high compared to other countries. Other “leaders” include the UK, Canada, and Australia.

Chart of largest data breach reporting countries.

I looked at specific cases where data breach notifications also led to a follow-on enforcement action, particularly under the GDPR. Sites like Enforcement Tracker and dataprivacyfines.com, both do an excellent job tracking this information, and include a breakdown of specific Articles being cited by the Supervisory Authorities (SAs).

Here’s that same chart, looking at only member state, EEA and UK-reported breaches at default scale:

Chart analyzing EU/EEA data breach reporting.
Data breach reporting in the EU is … not great.

Do Regulators Care About Breaches?

There have been an alarming number of data breaches that have occurred since the GDPR went into force. Here’s just a smattering of the bigger cases:

  • Marriott Hotels (2014-2018): Originally reported in 2018, Marriott suffered a multi-year breach where over 383,000,000 customer records, including 30+ million records of EU resident data, were compromised. This included personal data, such as contact information, passport numbers, preferred guest numbers and travel information. In 2019, the ICO issued an ‘Intent to Fine’ order against Marriott for over £99 million, but they have not enforced the penalty. (ICO Notice)
  • Canva (2019): In May 2019, Canva, makers of an online graphic-design program, suffered a data breach that affected 139 million users globally. The data exposed included customer usernames, real names, email addresses, passwords, as well as city & country information. To date, there has been no enforcement action taken against Canva.
  • Orvibo (2019): In July 2019, security researchers disovered that Orvibo, a smart home products company, exposed a database containing 2 billion records of nearly 1 million users. The data breach affected users from around the world, including the US, UK, France and Australia, and included user emails, precise geolocation data, IP addresses, and other personal details.
  • Gekkko Group (2019): France-based Gekko Group, a subsidiary of the Accor Hotels chain, suffered a major breach exposing personal data of over 600,000 customers worldwide. A database containing over 1 terabyte of customer data was left exposed and accessible. The security researchers who discovered the vulnerability first notified Gekko and Accor’s information security and data protection teams, but received no response. They then escalated to the French Data Protection Authority (CNIL). (VPN Mentor Security Disclosure). It is unclear whether CNIL plans to bring an enforcement action, but to date, no fines have been assessed.

It seems reasonable to ask the following: how seriously are SAs treating data breaches and the notification requirements under Articles 33 and 34, and the related obligations of controllers & processors to implement “appropriate technical and organisational measures” under Article 32?

While I’m just getting started, the preliminary data doesn’t inspire much hope. Supervisory Authorities in Ireland and the UK, for example, have done little in the way of enforcement at all, while heavy-hitters like Hungary, Spain and Italy, are focusing on data subject rights or legal basis issues, particularly concentrating on the actions of smaller firms.

The data suggests that big breaches aren’t getting much scrutiny at all, despite their oversized impacts on data subjects. For example, of the 341 notices and fines, only 12 (3%) are for violations under Articles 33 & 34. Article 32 violations are considerably higher at 82 (24%), but consider a broader range of issues beyond data breaches.

As I dig in deeper, I plan to release additional findings over the next few weeks, and discuss why I believe this lack of prioritiziation has the potential to create a false sense that data breaches are NBD, from a GDPR perspective.

Stay tuned!