CNIL – causes of reported data breaches (May – October 2018)

CNIL Data Breaches 25-May to 1 October 2018

The CNIL (the French Data Protection Authority) received 742 notifications of personal data breaches that affected over 33 million individuals located in France or elsewhere (see also the original report in French). Of these, 695 related to confidentiality breaches.

The accommodation and food services sector had the highest number of breaches – 185. This is due to a specific case where a booking service provider was affected by a data breach.

Cause of the breaches

  • Hacking via malicious software or phishing: 421 (63%)
  • Data sent to the wrong recipients: 62 (9%)
  • Lost or stolen devices: 47 (7%)
  • Unintentional publication of information: 43 (6%)
  • Unknown cause: 99 (15%)

It should be noted that the figures given don’t add up to the 742 notifications, and the causes are not known in all cases. But where the causes are known, one view is that the ‘human factor’ is an underlying concern – links in phishing emails don’t click themselves – and that not having robust information security measures in place – training, checking who emails are going to, etc. – increases the risk of data breaches.

Actions you should be taking

The key actions:

  • Train staff on a regular basis on how to spot possible social engineering attacks, not to click links or open attached files in suspicious emails ‘to see what happens’, and to check who they are sending email to
  • Apply software patches when they come out
  • Use multi-factor authentication to reduce the risk of unauthorised logins
  • Use anti-malware measures on endpoints

If you want an independent audit of the effectiveness of the measures you currently have in place, help with training and building a culture that has information security and data privacy among its core principles, or are considering ISO27001 certification as one of the ways to meet the security requirements expected by customers and suppliers, please get in touch.

e: ian.grey@wadiff-consulting.co.uk
t: +44 (0)7941 188462