Cyber-Espionage is rampant in the public sector, with state-affiliated actors accounting for 79 percent of all breaches involving external actors. Privilege Misuse and Error by insiders account for 30 percent of breaches.
Top 3 Patterns: Cyber-Espionage, Miscellaneous Errors and Privilege Misuse represent 72% of breaches
Threat Actors: External (75%), Internal (30%), Partner (1%), Multiple parties (6%) (breaches)
Actor Motives: Espionage (66%), Financial (29%), Other (2%) (breaches)
Data Compromised: Internal (68%), Personal (22%), Credentials (12%) (breaches)
Illustrative Breaches
- U.S. Customs and Border Protection
- Oregon Department of Human Services
- Dominion National: the information of consumers, plan providers, and healthcare companies
- City of Tallahassee
- Maryland Department of Labor
- Los Angeles Personnel Department
- US Office of Personnel Management
- Oklahoma Department of Securities
- Federal Emergency Management Agency (FEMA)
- Los Angeles County Department of Health Services
- Alaska Department of Health & Social Services (DHSS)
- Israel’s Likud Party leak on Elector, an application used by Likud and other parties
- Canadian Federal Department and Agencies
- Malware targets Native American Rehabilitation Association (NARA)
- New Mexico Public Regulation Commission
- Society of Tourist Guides
- US Department of Defense
- Canada’s Desjardins Group
- San Francisco International Airport
- U.S. Marshals
- Wright County Residents
- Kent County Council
- US law enforcement agencies and fusion centers – BlueLeaks
- Health and Education ministries, North Macedonia
- Norway’s Stortinget (parliament)
- Canada Revenue Agency (CRA)
- Customs and Border Protection agency
- The Delaware Division of Public Health
- Greater Manchester Police
- Montreal’s STM public Transport System
- Hall County, Georgia
- Hackney Council, London
- Public Health Department, Wales
- Spokane Regional Health District Disclosure
- Australia’s Department of Foreign Affairs and Trade
- The Ministry of Internal Affairs of Belarus
- Department of Work and Pensions, UK
- Denmark’s government tax portal
- UK Home Office
- HMRC
- Tamil Nadu’s Public Distribution System
- Canada Post
- DC Police Department
- Technisanct
- Belarus border data
- France-Visas
- Argentinian government
- Iran
- The City of Titusville
- Afghanistan
- Texas GOP
- Plumsted Township
- Global Affairs Canada
- Ministry of Health, Indonesia
Data Breaches with Maximum Fines and Damages
- The Municipality of Bergen: The Municipality of Bergen was fined €170,000 by the Norwegian Data Protection Authority after a file with login credentials for 35,000 students and employees was found in a public storage area.
- Israel’s Likud Party leak on Elector, an application used by Likud and other parties: A group of 20 Israelis filed a NIS 1 million ($286,370) lawsuit on Sunday against Prime Minister Benjamin Netanyahu’s Likud party and the developers of an app it used to register voters ahead of the parliamentary election, after massive data breaches leaked the personal information of millions of citizens.
- Society of Tourist Guides: A $20,000 fine was issued to the Society of Tourist Guides, a non-profit group that works with the Singapore Tourism Board to promote guides here, for exposing the data of about 100 of its members. When collecting personal data from its members, such as contact numbers and images of their identification documents, the group did not put protection measures in place, which allowed members of the public to access the information.
- US Department of Defense: The US Department of Defense confirmed that computer systems controlled by the Defense Information Systems Agency (DISA) had been hacked, exposing the personal data of about 200,000 people. The data exposed included names and social security numbers. The agency is responsible for military cyber-security and sets up communications networks in combat zones. It oversees military communications, including calls for US President Donald Trump.
- Puerto Rico: Puerto Rico’s government has lost more than $2.6 million by falling for an email phishing scam.
Enforcements
Name | Fine | Authority |
Mayor’s Office of the city of Kecskemét | EUR 3,200 | Hungarian National Authority for Data Protection and the Freedom of Information |
Bergen Municipality | EUR 170,000 | Norwegian Supervisory Authority |
Italian political party-Movimento 5 Stelle | EUR 50,000 | Italian Data Protection Authority |
Oslo Municipal Education Department | EUR 120,000 | Norwegian Supervisory Authority |
Directorate of Social and Child Welfare Institutions of the Ferencvaros District of Budapest | EUR 286 | Hungarian National Authority for Data Protection and the Freedom of Information |
UNIONTRAD COMPANY | EUR 20,000 | French Data Protection Authority |
WORLD TRADE CENTER BUCHAREST SA | EUR 15,000 | Romanian National Supervisory Authority for Personal Data Processing |
Budapest Environs Regional Court | EUR 8,575 | Hungarian National Authority for Data Protection and the Freedom of Information |
Mayor of Aleksandrów Kujawski | EUR 9,400 | Polish National Personal Data Protection Office |
General Confederation of Labour (‘CGT’) | EUR 3,000 | Spanish Data Protection Authority |
Community of Francavilla Fontana | EUR 10,000 | Italian Data Protection Authority |
Rælingen Municipality | EUR 73,600 | Norwegian Supervisory Authority |
Gladsaxe Municipality | EUR 14,000 | Danish Data Protection Authority |
Health and Medical Board of the Region of Örebro County | EUR 11,200 | Data Protection Authority of Sweden |
Lejre Municipality | EUR 6,700 | Danish Data Protection Authority |
Municipality of Rælingen | EUR 46,660 | Norwegian Data Protection Authority |
National Institute for Social Security – Department of the Province of Brescia | EUR 4,000 | Italian Data Protection Agency |
Surveyor General of Poland (‘GKK’) | EUR 22,700 | Polish National Personal Data Protection Office |
Bergen Municipality | EUR 276,000 | Norwegian Data Protection Authority |
Comune di Collegno | EUR 2,000 | Italian Data Protection Authority |
Gnosjö Municipality | EUR 19,500 | Swedish Data Protection Authority |
Renown Health | USD 75,000 | Office for Civil Rights, US Department of Health |
Swedish Police Department | SEK 2,500,000 | Swedish Authority for Privacy Protection |
Spain | EUR 15 million | The Court of Justice of the European Union |
Istituto Nazionale della Previdenza Sociale (INPS) | EUR 300,000 | Italian Data Protection Authority (Garante) |
Municipality of Rome | EUR 350,000 | Italian Data Protection Authority (Garante) |
Municipality of Enschede | EUR 600,000 | Dutch Data Protection Authority |
Stockholm, Sodermanland and Varmland | SEK 750,000 | Swedish Authority for Privacy Protection (IMY) |
Favrskov municipality | EUR 10,000 | Danish Data Protection Authority |
Høylandet Municipality | EUR 40,200 | Norwegian Supervisory Authority |
Midtjylland Region | EUR 53,800 | Danish Data Protection Authority |