
The Catalan Data Protection Authority (APDCAT) received and processed 182 notifications of security breaches (NVS) of personal data between January 1 and December 31, 2024, a decrease of 0.5% compared with 2023, when 183 were registered. This is the first year in which the sustained increase that notifications had experienced since the GDPR established this obligation in 2018 has stopped. These notifications fall within the APDCAT's scope of action, which includes administrations, public companies and private companies that perform public functions.
The levelling-off of NVS in 2024 is related to the decrease in cyberattack notifications, which went from 31% in 2023 to 17% in 2024. More specifically, the stabilization is related to the decrease in ransomware attack notifications, which have gone from 19% to 3%.
Human error becomes the leading cause of incidents (growing from 43% to 59%), while external malicious acts are in second place (down from 52% to 33%). This significant change is related to the decrease in cyberattacks. Internal malicious acts remain in third place, with slight upward variations compared to previous years. This type of incident is related to abuse of access privileges by employees who extract, copy or forward data without authorization.
230,000 people affected
The NVS registered by the Authority in 2024 affected nearly 230,000 people, a figure far removed from that of 2023, when one and a half million people were affected. This decrease is related to the decrease in ransomware (data-hijacking) cyberattacks, which generally affect a higher volume of people. The drastic decrease in people affected also has to do with the fact that 41% of the reported incidents affected only between 1 and 10 people.
In the vast majority of incidents, the confidentiality of the data is affected, along with the availability in some cases (7%). In 2024, this impact on confidentiality remains at the same percentage as the previous year (92%), while breaches affecting availability decrease, consistent with the decline in the number of ransomware attacks.
As usual, most breaches affect basic identifying data (name and surname and, in some cases, date of birth) and contact details, in a high percentage combined with data from identity documents (such as DNI, NIE or passport). This considerably increases the risk of harm for the affected people (owners of the compromised data), such as the risk of identity theft or fraud.
2024 is the first year in which the sustained 20% annual increase in security breach notifications that the Catalan Data Protection Authority had been recording since 2018 has stopped, with 14% fewer cyberattacks and 230,000 people affected, far from the million and a half in 2023.