APDCAT records 21% more security breaches in 2022

The Catalan Data Protection Authority (APDCAT) has registered a 21% increase in 2022 compared to the previous year in notifications of security breaches (NVS) of entities and organizations that process personal data. The security breach occurs when the entity suffers an incident that affects the confidentiality, integrity or availability of this data.

Thus, from January 1 to December 31, 2022, the APDCAT has received and processed 150 notifications of personal data security breaches. This confirms the sustained increase in notifications recorded year after year, since the full application of the General Data Protection Regulation. This increase in the number of notifications is attributed to the increase in cyber security incidents that have affected entities, linked to the global growth of this type of attacks and also to the progressive consolidation of the figure of the delegate of data protection (DPD), which acts as a bridge between the organizations and the control authorities that ensure compliance with the rule.

More than 800,000 people affected

The violations notified to the APDCAT in 2022 have affected nearly 800,000 people, a figure that could be much higher considering that in 15 cases it has not been possible to specify the number of people affected. Most of them relate to incidents of encryption and theft of equipment.

As for the groups of people affected, the year 2022 presents results similar to previous years. Regarding the year 2021, the impact on particularly vulnerable people will increase significantly, specifically people served by social services or applicants for aid, services and resources in this area. In this sense, it goes from 2% to 11%, in line with the increase in security breaches affecting sensitive data. Conversely, the percentage of those affecting minors (from 14% to 8%) and students (from 20% to 12%) has decreased, proportionally to the reduction in incidents related to education, which go from 15 % to 7%. On the contrary, those affecting patients are slightly up.

33% of NVS are due to cyber attacks

In terms of causes, in 2022 the malicious external act remains the first cause and grows by 7 percentage points compared to the previous year. Thus, cyber attacks account for 33% of reported global incidents. They are presented broken down into subcategories: theft, encryption, phishing (sending email pretending to be a legitimate entity, to steal credentials and distribute fraudulent emails) and hacking (unauthorized access to data in IT-information technology systems).

In second place is human error, which decreases slightly compared to 2021. As for the causative actions, the sending of data by mistake is in first place, although with a notable reduction compared to 2021 (of 42 % to 27%). In second place is the theft of devices and documentation, which rises slightly, followed by encryption, which experiences an increase of 6 percentage points. It should also be mentioned that this year 2022 improper publication on the internet was responsible for 4% of violations, while in 2021 there was no such case.

Actions of the Authority

In all these cases, the Authority has analyzed whether measures have been taken to resolve or contain the data security incident, limit the risks for the affected persons and avoid, as far as possible, that produce again It has also been analyzed whether the incident has been communicated to the people affected and, in cases where it has been considered that there was a high risk and this communication was lacking, it has been required that it be made effective.

Data confidentiality, the most affected

In the vast majority of incidents, data confidentiality has been affected, in some cases (3%) along with availability. This prevalence of affecting confidentiality has remained constant and with similar percentages since June 2018, with the full application of the RGPD. In a much smaller percentage is the effect on the availability and, finally, the integrity of the data, which has been progressively decreasing since 2020. It should be borne in mind that security violations can affect, at the same time, confidentiality , availability and integrity.

Regarding the type of data affected, as has been usual since 2018, most of the violations have affected contact and identification data. In 2022 it is necessary to point out the remarkable growth of the affect in the data of special categories (the majority, health and related to social services), which have gone from 24% in 2021 to 43% in 2022, as a result of the increase in incidents affecting health and social services environments. This reverses the downward trend that had been detected since 2019. Security breaches can affect, at the same time, several types of data.