Government Organisations/Public Administration

Cyber-Espionage is rampant in the Public sector, with State affiliated actors accounting for 79 percent of all breaches involving external actors. Privilege Misuse and Error by insiders account for 30 percent of breaches.

Top 3 Patterns- Cyber-Espionage, Miscellaneous Errors and Privilege Misuse represent 72% of breaches

Threat actors- External (75%), Internal (30%), Partner (1%), Multiple parties (6%) (breaches)

Actor Motives- Espionage (66%), Financial (29%), Other (2%) (breaches)

Data Compromised- Internal (68%), Personal (22%), Credentials (12%) (breaches)

Illustrative Breaches

  • U.S. Customs and Border Protection 
  • Oregon Department of Human Services
  • Dominion National The information of consumers, plan providers, and healthcare companies
  • City of Tallahassee
  • Maryland Department of Labor
  • Los Angeles Personnel Department
  • US office of personnel management
  • Oklahoma Department of Securities
  • Federal Emergency Management Agency (FEMA)
  • Los Angeles County Department of Health Services
  • Alaska Department of Health & Social Services (DHSS)
  • Israel’s Likud Party leak on Elector, an application used by Likud and other parties
  • Canadian Federal Department and Agencies
  • Malicious malware targets Native American Rehabilitation Association (NARA)
  • New Mexico Public Regulation Commission
  •  Society of Tourist Guides
  • US Department of Defense
  • Canada’s Desjardins Group
  • San Francisco International Airport
  • U.S. Marshals
  • Wright County Residents
  • Kent County Council
  • US law enforcement agencies and fusion centers – blueleaks
  • Health and Education ministries, North Macedonia
  • Norway’s Stortinget (parliament)
  • Canada Revenue Agency (CRA)
  • Customs and Border Protection agency
  • The Delaware Division of Public Health
  • Greater Manchester Police
  • Montreal’s STM public Transport System
  • Hall County, Georgia
  • Hackney Council, London
  • Public Health Department, Wales
  • Spokane Regional Health District Disclosure
  • Australia’s Department of Foreign Affairs and Trade
  • The Ministry of Internal Affairs of Belarus
  • Department of Work and Pensions, UK
  • Denmark’s government tax portal  
  • UK Home Office        
  • HMRC
  • Tamil Nadu’s Public Distribution System
  • Canada Post
  • DC Police Department
  • Technisanct
  • Belarus border data
  • France-Visas
  • Argentinian government
  • Iran
  • The City of Titusville 
  • Afghanistan
  • Texas GOP
  • Plumsted Township 
  • Global Affairs Canada
  • Ministry of Health, Indonesia

Data Breach with maximum fines and damages

  • The Municipality of Bergen: The Municipality of Bergen was fined €170,000 by Norwegian Data Protection Authority for File with login credentials for 35,000 students and employees found in a public storage area.
  • Israel’s Likud Party leak on Elector, an application used by Likud and other parties: A group of 20 Israelis filed a NIS 1 million ($286,370) lawsuit on Sunday against Prime Minister Benjamin Netanyahu’s Likud party and the developers of an app it used to register voters ahead of the parliamentary election, after massive data breaches leaked the personal information of millions of citizens.
  •  Society of Tourist Guides: A $20,000 fine was issued to the Society of Tourist Guides, a non-profit group that works with the Singapore Tourism Board to promote guides here, for exposing the data of about 100 of its members. In collecting the personal data from its members, such as contact numbers and images of their identification documents, the group did not put in place protection measures, allowing members of the public to be able to access the information.
  • US Department of Defense: The US Department of Defense confirmed that computer systems controlled by the Defense Information Systems Agency (DISA) had been hacked, exposing the personal data of about 200,000 people. The data exposed included names and social security numbers. The agency is responsible for the military cyber-security and it sets up communications networks in combat zones. It oversees military communications including calls for US President Donald Trump.
  • Puerto Rico: Puerto Rico’s government has lost more than $2.6 million by falling for an email phishing scam.


Mayor’s Office of the city of
EUR 3,200Hungarian National Authority for
Data Protection and the Freedom
of Information
Bergen MunicipalityEUR 1,70,000Norwegian Supervisory Authority
Italian political party-Movimento
5 Stelle
EUR 50,000Italian Data Protection Authority
Oslo Municipal Education
EUR 1,20,000Norwegian Supervisory Authority
Directorate of Social and Child Welfare
Institutions of the Ferencvaros District of Budapest
EUR 286Hungarian National Authority for
Data Protection and the Freedom
of Information
UNIONTRAD COMPANYEUR 20,000French Data Protection Authority
WORLD TRADE CENTER BUCHAREST SAEUR 15,000Romanian National Supervisory
Authority for Personal Data
Budapest Environs Regional
EUR 8,575Hungarian National Authority for
Data Protection and the Freedom
of Information
Major of Aleksandrów KujawskiEUR 9400Polish National Personal Data
Protection Office
General Confederation of Labour
EUR 3,000Spanish Data Protection Authority
Community of Francavilla
EUR 10,000Italian Data Protection Authority
Rælingen MunicipalityEUR 73,600Norwegian Supervisory Authority
Gladsaxe MunicipalityEUR 14,000Danish Data Protection Authority
Health and Medical Board of the
Region of Örebro County
EUR 11,200Data Protection Authority of
Lejre MunicipalityEUR 6,700Danish Data Protection Authority
Municipality of RælingenEUR 46,660Norwegian Data Protection
National Institute for Social
Security – Department of the
Province of Brescia
EUR 4000Italian Data Protection Agency
Surveyor General of Poland
EUR 22,700Polish National Personal Data
Protection Office
Bergen MunicipalityEUR 2,76,000Norwegian Data Protection
Comune di CollegnoEUR 2,000Italian Data Protection Authority
Gnosjö MunicipalityEUR 19,500Swedish Data Protection Authority
Renown Health USD 75,000 Office for Civil Rights, US
Department of Health
Swedish Police Department SEK 2,500,000 Swedish Authority for Privacy
Spain EUR 15 million The Court of Justice of the
European Union
Istituto Nazionale della Previdenza Sociale (INPS)
EUR 300,000 Italian Data Protection Authority (Garante)
Municipality of Rome EUR 350,000 Italian Data Protection Authority (Garante)
Municipality of Enschede EUR 600,000 Dutch Data Protection Authority
Stockholm, Sodermanland and VarmlandSEK 750000 Swedish Authority for Privacy
Protection (IMY)
Favrskov municipalityEUR 10,000Danish Data Protection Authority
Høylandet MunicipalityEUR 40,200Norwegian Supervisory Authority
Midtjylland RegionEUR 53,800Danish Data Protection Authority