Guidelines 01/2021 on Examples regarding Personal Data Breach Notification

December 14th, 2021 | Posted by Claude-Etienne Armingaud in Data Breach | Europe | Guidelines | Privacy

Adopted on 14 December 2021 – Version 2.0

Version history

Version 2.014 12 2021Adoption of the Guidelines after public consultation
Version 1.014 01 2021Adoption of the Guidelines for public consultation

Table of contents – To jump to the Guidelines directly, click here

1           Introduction

2           Ransomware

2.1        CASE No. 01: Ransomware with proper backup and without exfiltration

2.1.1     CASE No. 01 – Prior measures and risk assessment

2.1.2     CASE No. 01 – Mitigation and obligations

2.2        CASE No. 02: Ransomware without proper backup  

2.2.1     CASE No. 02 – Prior measures and risk assessment   

2.2.2     CASE No. 02 – Mitigation and obligations     

2.3        CASE No. 03: Ransomware with backup and without exfiltration in a hospital        

2.3.1     CASE No. 03 – Prior measures and risk assessment   

2.3.2     CASE No. 03 – Mitigation and obligations     

2.4        CASE No. 04: Ransomware without backup and with exfiltration    

2.4.1     CASE No. 04 – Prior measures and risk assessment   

2.4.2     CASE No. 04 – Mitigation and obligations     

2.5        Organizational and technical measures for preventing / mitigating the impacts of ransomware attacks

3           Data Exfiltration Attacks        

3.1        CASE No. 05: Exfiltration of job application data from a website     

3.1.1     CASE No. 05 – Prior measures and risk assessment   

3.1.2     CASE No. 05 – Mitigation and obligations     

3.2        CASE No. 06: Exfiltration of hashed password from a website         

3.2.1     CASE No. 06 – Prior measures and risk assessment   

3.2.2     CASE No. 06 – Mitigation and obligations     

3.3        CASE No. 07: Credential stuffing attack on a banking website         

3.3.1     CASE No. 07 – Prior measures and risk assessment   

3.3.2     CASE No. 07 – Mitigation and obligations     

3.4        Organizational and technical measures for preventing / mitigating the impacts of hacker attacks

4           Internal Human Risk Source  

4.1        CASE No. 08: Exfiltration of business data by an employee  

4.1.1     CASE No. 08 – Prior measures and risk assessment   

4.1.2     CASE No. 08 – Mitigation and obligations     

4.2        CASE No. 09: Accidental transmission of data to a trusted third party        

4.2.1     CASE No. 09 – Prior measures and risk assessment  

4.2.2     CASE No. 09 – Mitigation and obligations     

4.3        Organizational and technical measures for preventing / mitigating the impacts of internal human risk sources     

5           Lost or Stolen Devices and Paper Documents           

5.1        CASE No. 10: Stolen material storing encrypted personal data        

5.1.1     CASE No. 10 – Prior measures and risk assessment   

5.1.2     CASE No. 10 – Mitigation and obligations     

5.2        CASE No. 11: Stolen material storing non-encrypted personal data

5.2.1     CASE No. 11 – Prior measures and risk assessment   

5.2.2     CASE No. 11 – Mitigation and obligations     

5.3        CASE No. 12: Stolen paper files with sensitive data  

5.3.1     CASE No. 12 – Prior measures and risk assessment  

5.3.2     CASE No. 12 – Mitigation and obligations     

5.4        Organizational and technical measures for preventing / mitigating the impacts of loss or theft of devices        

6           Mispostal       

6.1        CASE No. 13: Postal mail mistake      

6.1.1     CASE No. 13 – Prior measures and risk assessment   

6.1.2     CASE No. 13 – Mitigation and obligations     

6.2        CASE No. 14: Highly confidential personal data sent by mail by mistake     

6.2.1     CASE No. 14 – Prior measures and risk assessment   

6.2.2     CASE No. 14 – Mitigation and obligations     

6.3        CASE No. 15: Personal data sent by mail by mistake

6.3.1     CASE No. 15 – Prior measures and risk assessment   

6.3.2     CASE No. 15 – Mitigation and obligations     

6.4        CASE No. 16: Postal mail mistake      

6.4.1     CASE No. 16 – Prior measures and risk assessment   

6.4.2     CASE No. 16 – Mitigation and obligations     

6.5        Organizational and technical measures for preventing / mitigating the impacts of mispostal

7           Other Cases – Social Engineering      

7.1        CASE No. 17: Identity theft    

7.1.1     CASE No. 17 – Risk assessment, mitigation and obligations  

7.2        CASE No. 18: Email exfiltration         

7.2.1     CASE No. 18 – Risk assessment, mitigation and obligations  

 

THE EUROPEAN DATA PROTECTION BOARD

Having regard to Article 70 (1e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter “GDPR”),

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 20181)References to “Member States” made throughout this document should be understood as references to “EEA Member States”.,

Having regard to Article 12 and Article 22 of its Rules of Procedure,

Having regard to the Communication from the Commission to the European Parliament and the Council titled Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation2) COM(2020) 264 final, 24 June 2020.,

HAS ADOPTED THE FOLLOWING GUIDELINES

1         INTRODUCTION

  1. The GDPR introduces, in certain cases, the requirement for a personal data breach to be notified to the competent national supervisory authority (hereinafter “SA”) and to communicate the breach to the individuals whose personal data have been affected by the breach (Articles 33 and 34).
  2. The Article 29 Working Party already produced a general guidance on data breach notification in October 2017, analysing the relevant Sections of the GDPR (Guidelines on Personal data breach notification under Regulation 2016/679, WP 250) (hereinafter “Guidelines WP250) 3)G29 WP250 rev.1, 6 February 2018, Guidelines on Personal data breach notification under Regulation 2016/679 – endorsed by the EDPB. However, due to its nature and timing, this guideline did not address all practical issues in sufficient detail. Therefore, the need has arisen for a practice-oriented, case-based guidance, that utilizes the experiences gained by SAs since the GDPR is applicable.
  • This document is intended to complement the Guidelines WP 250 and it reflects the common experiences of the SAs of the EEA since the GDPR became applicable. Its aim is to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.
  • As part of any attempt to address a breach the controller and processor should first be able to recognize one. The GDPR defines a “personal data breach” in Article 4(12) as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

In its Opinion 03/2014 on breach notification4)G29 WP213, 25 March 2014, Opinion 03/2014 on Personal Data Breach Notification, p. 5 and in its Guidelines WP 250, WP29 explained that breaches can be categorised according to the following three well-known information security principles:

  • “Confidentiality breach” – where there is an unauthorised or accidental disclosure of, or access to, personal data.
    • “Integrity breach” – where there is an unauthorised or accidental alteration of personal data.
    • Availability breach” – where there is an accidental or unauthorised loss of access to, or destruction of, personal data.5)See Guidelines WP 250, p. 7. – It must be taken into consideration that a data breach can concern either one category or more categories … Continue reading
  • A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals. One of the most important obligation of the data controller is to evaluate these risks to the rights and freedoms of data subjects and to implement appropriate technical and organizational measures to address them.
  • Accordingly, the GDPR requires the controller to:
    • document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken6)GDPR Article 33(5);
  • notify the personal data breach to the supervisory authority, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons7)GDPR Article 33(1);
  • communicate the personal data breach to the data subject when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons8)GDPR Article 34(1)..
  • Data breaches are problems in and of themselves, but they may be also symptoms of a vulnerable, possibly outdated data security regime, they may also indicate system weaknesses to be addressed. As a general truth, it is always better to prevent data breaches by preparing in advance, since several consequences of them are by nature irreversible. Before a controller can fully assess the risk arising from a breach caused by some form of attack, the root cause of the issue should be identified, in order to identify whether any vulnerabilities that gave rise to the incident are still present, and are still therefore exploitable. In many cases the controller is able to identify that the incident is likely to result in a risk, and is therefore to be notified. In other cases the notification does not need to be postponed until the risk and impact surrounding the breach has been fully assessed, since the full risk assessment can happen in parallel to notification, and the information thus gained may be provided to the SA in phases without undue further delay9)GDPR Article 33(4)..
  • The breach should be notified when the controller is of the opinion that it is likely to result in a risk to the rights and freedoms of the data subject. Controllers should make this assessment at the time they become aware of the breach. The controller should not wait for a detailed forensic examination and (early) mitigation steps before assessing whether or not the data breach is likely to result in a risk and thus should be notified.
  • If a controller self-assesses the risk to be unlikely, but it turns out that the risk materializes, the competent SA can use its corrective powers and may resolve to sanctions
  • Every controller and processor should have plans, procedures in place for handling eventual data breaches. Organisations should have clear reporting lines and persons responsible for certain aspects of the recovery process
  • Training and awareness on data protection issues for the staff of the controller and processor focusing on personal data breach management (identification of a personal data breach incident and further actions to be taken, etc.) is also essential for the controllers and processors. This training should be regularly repeated, depending on the type of the processing activity and size of the controller, addressing latest trends and alerts coming from cyberattacks or other security incidents.
  • The principle of accountability and the concept of data protection by design could incorporate analysis that feeds into a data controller’s and data processor’s own “Handbook on Handling Personal Data Breach” that aims to establish facts for each facet of the processing at each major stage of the operation. Such a handbook prepared in advance would provide a much quicker source of information to allow data controllers and data processors to mitigate the risks and meet the obligations without undue delay. This would ensure that if a personal data breach was to occur, people in the organisation would know what to do, and the incident would more than likely be handled quicker than if there were no mitigations or plan in place.
  • Though the cases presented below are fictitious, they are based on typical cases from the SA’s collective experience with data breach notifications. The analyses offered relate explicitly to the cases under scrutiny, but with the goal to provide assistance for data controllers in assessing their own data breaches. Any modification in the circumstances of the cases described below may result in different or more significant levels of risk, thus requiring different or additional measures. These guidelines structure the cases according to certain categories of breaches (e.g. ransomware attacks). Certain mitigating measures are called for in each case when dealing with a certain category of breaches. These measures are not necessarily repeated in each case analysis belonging to the same category of breaches. For the cases belonging to the same category only the differences are laid out. Therefore, the reader should read all cases relevant to relevant category of a breach to identify and distinguish all the correct measures to be taken.
  • The internal documentation of a breach is an obligation independent of the risks pertaining to the breach, and must be performed in each and every case. The cases presented below try to shed some light on whether or not to notify the breach to the SA and communicate it to the data subjects affected.

2         RANSOMWARE

  1. A frequent cause for a data breach notification is a ransomware attack suffered by the data controller. In these cases a malicious code encrypts the personal data, and subsequently the attacker asks the controller for a ransom in exchange for the decryption code. This kind of attack can usually be classified as a breach of availability, but often also a breach of confidentiality could occur.

2.1         CASE No. 01: Ransomware with proper backup and without exfiltration

Computer systems of a small manufacturing company were exposed to a ransomware attack, and data stored in those systems was encrypted. The data controller used encryption at rest, so all data accessed by the ransomware was stored in encrypted form using a state-of-the-art encryption algorithm. The decryption key was not compromised in the attack, i.e. the attacker could neither access it nor use it indirectly. In consequence, the attacker only had access to encrypted personal data. In particular, neither the email system of the company, nor any client systems used to access it were affected. The company is using the expertise of an external cybersecurity company to investigate the incident. Logs tracing all data flows leaving the company (including outbound email) are available. After analysing the logs and the data collected by the detection systems the company has deployed, an internal investigation supported by the external cybersecurity company determined with certainty that the perpetrator only encrypted data, without exfiltrating it. The logs show no outward data flow in the timeframe of the attack. The personal data affected by the breach relates to clients and employees of the company, a few dozen individuals altogether. A backup was readily available, and the data was restored a few hours after the attack took place. The breach did not result in any consequences on the day-to-day operation of the controller. There was no delay in employee payments or handling client requests.

  1. In this case, the following elements were realized from the definition of a ‘personal data breach’: a breach of security led to unlawful alteration and unauthorized access to personal data stored.

2.1.1        CASE No. 01 – Prior measures and risk assessment

  1. As with all risks posed by external actors, the likelihood that a ransomware attack is successful can be drastically reduced by tightening the security of the data controlling environment. The majority of these breaches can be prevented by ensuring that appropriate organizational, physical and technological security measures have been taken. Examples of such measures are proper patch management and the use of an appropriate anti-malware detection system. Having a proper and separate backup will help to mitigate the consequences of a successful attack should it occur. Moreover, an employee security education, training, and awareness (SETA) program, will help to prevent and recognise this kind of attack. (A list of advisable measures can be found in section 2.5.) Among those measures, a proper patch management that ensures that the systems are up to date and all known vulnerabilities of the deployed systems are fixed is one of the most important since most of the ransomware attacks exploit well known vulnerabilities.
  2. When assessing the risks, the controller should investigate the breach and identify the type of the malicious code to understand the possible consequences of the attack. Among those risks to be considered is the risk that data was exfiltrated without leaving a trace in the logs of the systems.
  3. In this example, the attacker had access to personal data and the confidentiality of cipher text containing personal data in encrypted form was compromised. However, any data that might have been exfiltrated cannot be read or used by the perpetrator, at least for the time being. The encryption technique used by the data controller conforms to the state-of-the-art. The decryption key was not compromised and presumably could also not be determined by other means. In consequence, the confidentiality risks to the rights and freedoms of natural persons are reduced to a minimum barring cryptanalytic progress that renders the encrypted data intelligible in the future.

The data controller should consider the risk to individuals due to the breach10)For guidance on “likely to result in high riskprocessing operations, see A29 Working Party “Guidelines on Data Protection Impact Assessment … Continue reading. In this example, the adverse effects of the breach were mitigated fairly soon after the breach occurred. Having a proper backup regime

11)Backup procedures should be structured, consistent and repeatable. Examples of back up procedures are the 3-2-1 method and the grandfather-father-son … Continue reading

makes the effects of the breach less severe and here the controller was able to effectively make use of it.

  • On the severity of the consequences for the data subjects, only minor consequences could be identified since the affected data was restored in a few hours, the breach did not result in any consequences on the day-to-day operation of the controller and had no significant effect on the data subjects (e.g. employee payments or handling client requests).

2.1.2        CASE No. 01 – Mitigation and obligations

  • Without a backup few measures to remediate the loss of personal data can be undertaken by the controller, and the data has to be collected again. In this particular case however, the impacts of the attack could effectively be contained by resetting all compromised systems to a clean state known to be free of malicious code, fixing the vulnerabilities and restoring the affected data soon after the attack. Without a backup, data is lost and the severity may increase because risks or impacts to individuals may also do so.
  • The timeliness of an effective data restoration from the readily available backup is a key variable when analysing the breach. Specifying an appropriate timeframe to restore the compromised data depends on the unique circumstances of the breach at hand. The GDPR states that a personal data breach shall be notified without undue delay and, where feasible, not later than after 72 hours. Therefore, it could be determined that exceeding the 72-hour time limit is unadvisable in any case, but when dealing with high risk level cases, even complying with this deadline can be viewed as unsatisfactory.
  • In this case, following a detailed impact assessment and incident response process, the controller determined that the breach was unlikely to result in a risk to the rights and freedoms of natural persons, hence no communication to the data subjects is necessary, nor does the breach require a notification to the SA. However, as all data breaches, it should be documented in accordance with Article 33 (5). The organisation may also need (or later be required by the SA) to update and remediate its organizational and technical personal data security handling and risk mitigation measures and procedures. Within the frame of this update and remediation, the organisation should thoroughly investigate the breach and identify the causes and the methods used by the perpetrator in order to prevent any similar events in the future.
Actions necessary based on the identified risks
Internal documentationNotification to SACommunication to data subjects
üXX

2.2         CASE No. 02: Ransomware without proper backup

One of the computers used by an agricultural company was exposed to a ransomware attack and its data was encrypted by the attacker. The company is using the expertise of an external cybersecurity company to monitor their network. Logs tracing all data flows leaving the company (including outbound email) are available. After analysing the logs and the data the other detection systems have collected the internal investigation aided by the cybersecurity company determined that the perpetrator only encrypted the data, without exfiltrating it. The logs show no outward data flow in the timeframe of the attack. The personal data affected by the breach relates to the employees and clients of the company, a few dozen individuals altogether. No special categories of data were affected. No backup was available in an electronic form. Most of the data was restored from paper backups. The restoration of the data took 5 working days and led to minor delays in the delivery of orders to customers.

2.2.1        CASE No. 02 – Prior measures and risk assessment

  • The data controller should have adopted the same prior measures as mentioned in part 2.1. and in section

2.9. The major difference to the previous case is the lack of an electronic backup and the lack of encryption at rest. This leads to critical differences in the following steps.

  • When assessing the risks, the controller should investigate the method of infiltration and identify the type of the malicious code to understand the possible consequences of the attack. In this example the ransomware encrypted the personal data without exfiltrating it. As a result, it appears the risks to the rights and freedoms of data subjects result from the lack of availability of the personal data, and the confidentiality of the personal data is not compromised. A thorough examination of the firewall logs and its implications is essential in determining the risk. The data controller should present the factual findings of these investigations upon request.
  • The data controller needs to keep in mind that if the attack is more sophisticated the malware has the functionality to edit log files and remove the trace. So – given that logs are not forwarded or replicated to a central log server – even after a thorough investigation that determined that the personal data was not exfiltrated by the attacker, the data controller cannot state that the absence of a log entry proves the absence of exfiltration, therefore the likelihood of a confidentiality breach cannot be entirely dismissed.
  • The data controller should assess the risks of this breach

12)For guidance on “likely to result
in high risk
processing operations, see footnote 10 above.

if the data was accessed by the attacker. During the risk assessment, the data controller should also take into consideration the nature, the sensitivity, the volume, and the context of personal data affected in the breach. In this case no special categories of personal data are affected, and the quantity of breached data and the number of affected data subjects is low.

  • Gathering exact information on the unauthorized access is key for determining the risk level and preventing a new or continued attack. If the data had been copied from the database, it would obviously have been a risk-increasing factor. When uncertain about the specifics of the illegitimate access, the worse scenario should be considered and the risk should be assessed accordingly.
  • The absence of a backup database can be considered a risk enhancing factor depending on the severity of consequences for the data subjects resulting from the lack of availability of the data.

2.2.2        CASE No. 02 – Mitigation and obligations

  • Without a backup few measures to remediate the loss of personal data can be undertaken by the controller, and the data has to be collected again, unless some other source is available (e.g. order confirmation e-mails). Without a backup, data may be lost and the severity will depend on the impact for the individuals.
  • The restoration of the data should not prove to be overly problematic

13)This will depend on the complexity and structure of the personal data. In the most complex scenarios, re-establishing data integrity, consistency … Continue reading

if the data is still available on paper, but given the lack of an electronic backup database, a notification to the SA is considered necessary, as the restoration of the data took some time and could cause some delays in the orders’ delivery to customers and a considerable amount of meta-data (e.g. logs, time stamps) might not be retrievable.

  • Informing the data subjects about the breach may also depend on the length of time the personal data is unavailable and the difficulties it might cause in the operation of the controller as a result (e.g. delays in transferring employee’s payments). As these delays in payments and deliveries may lead to financial loss for the individuals whose data has been compromised, one could also argue the breach is likely to result in a high risk. Also, it might not be possible to avoid informing the data subjects if their contribution is needed for restoring the encrypted data.
  • This case serves as an example for a ransomware attack with risk to the rights and freedoms of the data subjects, but not reaching high risk. It should be documented in accordance with Article 33 (5) and notified to the SA in accordance with Article 33 (1). The organisation may also need (or be required by the SA) to update and remediate its organizational and technical personal data security handling and risk mitigation measures and procedures.
Actions necessary based on the identified risks
Internal documentationNotification to SACommunication to data subjects
üüX

2.3         CASE No. 03: Ransomware with backup and without exfiltration in a hospital

The information system of a hospital / healthcare centre was exposed to a ransomware attack and a significant proportion of its data was encrypted by the attacker. The company is using the expertise of an external cybersecurity company to monitor their network. Logs tracing all data flows leaving the company (including outbound email) are available. After analysing the logs and the data the other detection systems have collected the internal investigation aided by the cybersecurity company determined that the perpetrator only encrypted the data without exfiltrating it. The logs show no outward data flow in the timeframe of the attack. The personal data affected by the breach relates to the employees and patients, which represented thousands of individuals. Backups were available in an electronic form. Most of the data was restored but this operation lasted 2 working days and led to major delays in treating the patients with surgery cancelled / postponed, and to a lowering the level of service due to the unavailability of the systems.

2.3.1        CASE No. 03 – Prior measures and risk assessment

  • The data controller should have adopted the same prior measures as mentioned in part 2.1. and in section

2.5. The major difference to the previous case is the high severity of consequences for a substantial part of the data subjects

14)For guidance on “likely to result in high risk
processing operations, see footnote 10 above.

.

  • The quantity of breached data and the number of affected data subjects are high, because hospitals usually process large quantities of data. The unavailability of the data has a high impact on a substantial part of the data subjects. Moreover, there is a residual risk of high severity to the confidentiality of the patient data.
  • The type of the breach, nature, sensitivity, and volume of personal data affected in the breach are important. Even though a backup for the data existed and it could be restored in a few days, a high risk still exists due to the severity of consequences for the data subjects resulting from the lack of availability of the data at the moment of the attack and the following days.

2.3.2        CASE No. 03 – Mitigation and obligations

  • A notification to the SA is considered necessary, as special categories of personal data are involved and the restoration of the data could take a long time, resulting in major delays in patient care. Informing the data subjects about the breach is necessary due to the impact for the patients, even after restoring the encrypted data. While data relating to all patients treated in the hospital during the last years have been encrypted, only those patients who were scheduled to be treated in the hospital during the time the computer system was unavailable were impacted. The controller should communicate the data breach to those patients directly. Direct communication to the other patients some of which may not have been in the hospital for more than twenty years may not be required due to the exception in Article 34 (3) c). In such a case, there shall instead be a public communication

15)GDPR Recital 86 explains that “Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the … Continue reading

or similar measure whereby the data subjects are informed in an equally effective manner. In this case, the hospital should make the ransomware attack and its effects public.

  • This case serves as an example for a ransomware attack with high risk to the rights and freedoms of the data subjects. It should be documented in accordance with Article 33 (5), notified to the SA in accordance with Article 33 (1) and communicated to the data subjects in accordance with Article 34 (1). The organisation also needs to update and remediate its organizational and technical personal data security handling and risk mitigation measures and procedures.
Actions necessary based on the identified risks
Internal documentationNotification to SACommunication to data subjects
üüü

2.4         CASE No. 04: Ransomware without backup and with exfiltration

The server of a public transportation company was exposed to a ransomware attack and its data was encrypted by the attacker. According to the findings of the internal investigation the perpetrator not only encrypted the data, but also exfiltrated it. The type of breached data was the personal data of clients and employees, and of the several thousand people using the services of the company (e.g. buying tickets online). Beyond basic identity data, identity card numbers and financial data such as credit card details are involved in the breach. A backup database existed, but it was also encrypted by the attacker.

2.4.1        CASE No. 04 – Prior measures and risk assessment

  • The data controller should have adopted the same prior measures as mentioned in part 2.1. and in section

2.5. Though backup was in place, it was also affected by the attack. This arrangement alone raises questions about the quality of the controller’s prior IT security measures and should be further scrutinised during the investigation, since in a well-designed backup regime, multiple backups must be securely stored without access from the main system, otherwise they could be compromised in the same attack. Furthermore, ransomware attacks may lie undiscovered for days slowly encrypting rarely used data. This can render multiple backups useless, so backups should also be taken periodically and be isolated. This would increase the likelihood of recovery albeit with increased loss data.

  • This breach concerns not only data availability, but confidentiality as well, since the attacker may have modified and / or copied data from the server. Therefore, the type of the breach results in high risk

16)For guidance on “likely to result in high risk
processing operations, see footnote 10 above

.

  • The nature, sensitivity, and volume of personal data increases the risks further, because the number of individuals affected is high, as is the overall quantity of affected personal data. Beyond basic identity data, identity documents and financial data such as credit card details are involved too. A data breach concerning these types of data presents high risk in and of themselves, and if processed together, they could be used for

– among others – identity theft or fraud.

  • Due to either faulty server logic or organizational controls, the backup files were affected by the ransomware, preventing the restore of data and enhancing the risk.
  • This data breach presents a high risk to the rights and freedoms of individuals, because it could likely lead to both material (e.g. financial loss since credit card details were affected) and non-material damage (e.g. identity theft or fraud since identity card details were affected).

2.4.2        CASE No. 04 – Mitigation and obligations

  • Communication to the data subjects is essential, so they can make the necessary steps to avoid material damage (e.g. block their credit cards).
  • Aside from documenting the breach in accordance with Article 33 (5), a notification to the SA is also mandatory in this case (Article 33 (1)) and the controller is also obliged to communicate the breach to the data subjects (Article 34 (1)). The latter could be undertaken on a person-by-person basis, but for individuals where contact data is not available the controller should do so publicly, provided that such communication would not be susceptible to trigger additional negative consequences on the data subjects, e.g. by way of a notification on its website. In the latter case a precise and clear communication is required, in plain sight on the homepage of the controller, with exact references of the relevant GDPR provisions. The organisation may also need to update and remediate its organizational and technical personal data security handling and risk mitigation measures and procedures.
Actions necessary based on the identified risks
Internal documentationNotification to SACommunication to data subjects
üüü

2.5         Organizational and technical measures for preventing / mitigating the impacts of ransomware attacks

  • The fact that a ransomware attack could have taken place is usually a sign of one or more vulnerabilities in the controller’s system. This also applies in ransomware cases in which the personal data has been encrypted, but has not been exfiltrated. Regardless of the outcome and the consequences of the attack, the importance of an all-encompassing evaluation of the data security system – with particular emphasis on IT security – cannot be stressed enough. The identified weaknesses and security holes are to be documented and addressed without delay.
  • Advisable measures:

(The list of the following measures is by no means exclusive or comprehensive. Rather, the goal is to provide prevention ideas and possible solutions. Every processing activity is different, hence the controller should make the decision on which measures fit the given situation the most.)

  • Keeping the firmware, operating system and application software on the servers, client machines, active network components, and any other machines on the same LAN (including Wi-Fi devices) up to date. Ensuring that appropriate IT security measures are in place, making sure they are effective and keeping them regularly updated when processing or circumstances change or evolve. This includes keeping detailed logs of which patches are applied at which timestamp.
    • Designing and organising processing systems and infrastructure to segment or isolate data systems and networks to avoid propagation of malware within the organisation and to external systems.
    • The existence of an up-to-date, secure and tested backup procedure. Media for medium- and long-term back-up should be kept separate from operational data storage and out of reach of third parties even in case of a successful attack (such as daily incremental backup and weekly full backup).
    • Having / obtaining an appropriate, up-to-date, effective and integrated anti-malware software.
    • Having an appropriate, up-to-date, effective and integrated firewall and intrusion detection and prevention system. Directing network traffic through the firewall/intrusion detection, even in the case of home office or mobile work (e.g. by using VPN connections to organizational security mechanisms when accessing the internet).
    • Training employees on the methods of recognising and preventing IT attacks. The controller should provide means to establish whether emails and messages obtained by other means of communication are authentic and trustworthy. Employees should be trained to recognize when such an attack has realized, how to take the endpoint out of the network and their obligation to immediately report it to the security officer.
    • Emphasize the need of identifying the type of the malicious code to see the consequences of the attack and be able to find the right measures to mitigate the risk. In case a ransomware attack has succeeded and there is no back-up available, tools available such as the ones by the “no more ransom” (nomoreransom.org) project may be applied to retrieve data. However, in case a safe backup is available, restoring the data from it is advisable.
    • Forwarding or replication all logs to a central log server (possibly including the signing or cryptographic time-stamping of log entries).
    • Strong encryption and multi factor authentication, in particular for administrative access to IT systems, appropriate key and password management.
    • Establish a Computer Security Incident Response Team (CSIRT) or Computer Emergency Response Team (CERT) within the organization, or join a collective CSIRT/CERT. Create an Incident Response Plan, Disaster Recovery Plan and a Business Continuity Plan, and make sure that these are thoroughly tested.
    • When assessing countermeasures – risk analysis should be reviewed, tested and updated.

3         DATA EXFILTRATION ATTACKS

  • Attacks that exploit vulnerabilities in services offered by the controller to third parties over the internet, e.g. committed by way of injection attacks (e.g. SQL injection, path traversal), website compromising and similar methods, may resemble ransomware attacks in that the risk emanates from the action of an unauthorized third party, but those attacks typically aim at copying, exfiltrating and abusing personal data for some malicious end. Hence, they are mainly breaches of confidentiality and, possibly, also data integrity. At the same time, if the controller is aware of the characteristics of this kind of breaches, there are many measures available to controllers that can substantially reduce the risk of a successful execution of an attack.

3.1         CASE No. 05: Exfiltration of job application data from a website

An employment agency was the victim of a cyber-attack, which placed a malicious code on its website. This malicious code made personal information submitted through online job application forms and stored on the webserver accessible to unauthorized person(s). 213 such forms are possibly affected, after analysing the affected data it was determined that no special categories of data were affected in the breach. The particular malware toolkit installed had functionalities that allowed the attacker to remove any history of exfiltration and also allowed processing on the server to be monitored and to have personal data captured. The toolkit was discovered only a month after its installation.

3.1.1        CASE No. 05 – Prior measures and risk assessment

  • The security of the data controller’s environment is extremely important, as the majority of these breaches can be prevented by ensuring that all systems are constantly updated, sensitive data is encrypted and applications are developed according to high security standards like strong authentication, measures against brute force, attacks, “escaping” or “sanitising”17)Escaping or sanitizing user inputs is a form of input validation, which ensures that only properly formatted data is entered into an information … Continue reading user inputs, etc. Periodic IT security audits, vulnerability assessments and penetration tests are also required in order to detect these kinds of vulnerabilities in advance and fix them. In this particular case, file integrity monitoring tools in production environment might have helped to detect the code injection. (A list of advisable measures is to be found in section 3.7).
  • The controller should always start to investigate the breach by identifying the type of the attack and its methods, in order to assess what measures are to be taken. To make it fast and efficient, the data controller should have an incident response plan in place which specifies the swift and necessary steps to take control over the incident. In this particular case, the type of the breach was a risk enhancing factor since not only was data confidentiality curtailed, the infiltrator also had the means to establish changes in the system, so data integrity also became questionable.
  • The nature, sensitivity and volume of personal data affected in the breach should be assessed to determine to what extent the breach affected the data subjects. Though no special categories of personal data were affected, the accessed data contains considerable information about the individuals from the online forms, and such data could be misused in a number of ways (targeting with unsolicited marketing, identity theft, etc.), so the severity of the consequences should increase the risk to the rights and freedoms of the data subjects18)For guidance on “likely to result in high riskprocessing operations, see footnote 10 above..

3.1.2        CASE No. 05 – Mitigation and obligations

  • If possible, after solving the problem, the database should be compared with the one stored in a secure backup. The experiences drawn from the breach should be utilized in updating the IT infrastructure. The data controller should return all affected IT systems to a known clean state, remedy the vulnerability and implement new security measures to avoid similar data breaches in the future, e.g. file integrity checks and security audits. If personal data was not only exfiltrated, but also deleted, the controller has to take systematic action to recover the personal data in the state it was in before the breach. It may be necessary to apply full backups, incremental changes and then possibly rerun the processing since the last incremental backup – which requires that the controller is able to replicate the changes made since the last backup. This could require that the controller has the system designed to retain the daily input files in case they need to be processed again and requires a robust method of storage and a suitable retention policy.
  • In light of the above, as the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects should definitely be informed about it (Article 34(1)), which of course means that the relevant SA(s) should also be involved in the form of a data breach notification. Documenting the breach is obligatory according to Article 33 (5) GDPR and makes the assessment of the situation easier.
Actions necessary based on the identified risks
Internal documentationNotification to SACommunication to data subjects
üüü

3.2         CASE No. 06: Exfiltration of hashed password from a website

An SQL Injection vulnerability was exploited to gain access to a database of the server of a cooking website. Users were only allowed to choose arbitrary pseudonyms as usernames. The use of email addresses for this purpose was discouraged. Passwords stored in the database were hashed with a strong algorithm and the salt was not compromised. Affected data: hashed passwords of 1.200 users. For safety’s sake, the controller informed the data subjects about the breach via e-mail and asked them to change their passwords, especially if the same password was used for other services.

3.2.1        CASE No. 06 – Prior measures and risk assessment

  • In this particular case data confidentiality is compromised, but the passwords in the database were hashed with an up-to-date method, which would decrease the risk regarding the nature, sensitivity, and volume of personal data. This case presents no risks to the rights and freedoms of the data subjects.
  • Furthermore, no contact information (e.g. e-mail addresses or phone numbers) of data subjects was compromised, which means there is no significant risk for the data subjects of being targeted by fraud attempts (e.g. receiving phishing e-mails or fraudulent text messages and phone calls). No special categories of personal data were involved.
  • Some user names could be regarded as personal data, but the subject of the website does not allow for negative connotations. Although it has to be noted that the risk assessment may change

19) For guidance on “likely to result in high risk
processing operations, see footnote 10 above.

, if the type of the website and the data accessed could reveal special categories of personal data (e. g. website of a political party or trade union). Using state of the art encryption could mitigate the adverse effects of the breach. Assuring that a limited number of attempts to login is allowed will prevent brute force login attacks to be successful, thus reducing largely the risks imposed by attackers already knowing the usernames.

3.2.2        CASE No. 06 – Mitigation and obligations

  • The communication to the data subjects in some cases could be considered a mitigating factor, since the data subjects are also in a position to make the necessary steps to avoid further damages from the breach, for example by changing their password. In this case, notification was not mandatory, but in many cases it can be considered a good practice.
  • The data controller should correct the vulnerability and implement new security measures to avoid similar data breaches in the future like, for example, systematic security audits to the website.
  • The breach should be documented in accordance with Article 33 (5) but no notification or communication needed.
  • Also, it is strongly advisable to communicate a breach involving passwords to data subjects in any case even when the passwords were stored using a salted hash with an algorithm conforming to the state-of-the-art. The use of authentication methods obviating the need to process passwords on the server side is preferable. Data subjects should be given the choice to take appropriate measures regarding their own passwords.
Actions necessary based on the identified risks
Internal documentationNotification to SACommunication to data subjects
üXX

3.3         CASE No. 07: Credential stuffing attack on a banking website

A bank suffered a cyber-attack against one of its online banking websites. The attack aimed to enumerate all possible login user IDs using a fixed trivial password. The passwords consist of 8 digits. Due to a vulnerability of the website, in some cases information regarding data subjects (name, surname, gender, date and place of birth, fiscal code, user identification codes) were leaked to the attacker, even if the used password was not correct or the bank account not active anymore. This affected around 100.000 data subjects. Out of these, the attacker successfully logged into around 2.000 accounts which were using the trivial password tried by the attacker. After the fact, the controller was able to identify all illegitimate log-on attempts. The data controller could confirm that, according to antifraud checks, no transactions were performed by these accounts during the attack. The bank was aware of the data breach because its security operations centre detected a high number of login requests directed toward the website. In response, the controller disabled the possibility to log in to the website by switching it off and forced password resets of the compromised accounts. The controller communicated the breach only to the users with the compromised accounts, i.e. to users whose passwords were compromised or whose data was disclosed.

3.3.1        CASE No. 07 – Prior measures and risk assessment

  • It is important to mention that controllers handling data of highly personal nature

20)Such as information of the data subjects referred to payment methods such as card numbers, bank accounts, online payment, payrolls, bank statements, … Continue reading

have a larger responsibility in terms of providing adequate data security, e.g. having a security operation’s centre and other incident prevention, detection and response measures. Not meeting these higher standards will certainly result in more serious measures during an SA’s investigation.

  • The breach concerns financial data beyond the identity and user ID information, making it particularly severe. The number of individuals affected is high.
  • The fact that a breach could happen in such a sensitive environment points to significant data security holes in the controller’s system, and may be an indicator of a time when the review and update of affected measures is “necessary” in line with Articles 24 (1), 25 (1), and 32 (1) of the GDPR. The breached data permits the unique identification of data subjects and contains other information about them (including gender, date and place of birth), furthermore it can be used by the attacker to guess the customers’ passwords or to run a spear phishing campaign directed at the bank customers.
  • For these reasons, the data breach was deemed likely to result in a high risk to the rights and freedoms of all the data subjects concerned

21)For guidance on “likely
to result in high risk
processing operations, see footnote 10 above.

. Therefore, the occurrence of material (e.g. financial loss) and non-material damage (e.g. identity theft or fraud) is a conceivable outcome.

3.3.2        CASE No. 07 – Mitigation and obligations

  • The controller’s measures mentioned in the case description are adequate. In the wake of the breach it also corrected the vulnerability of the website and took other steps to prevent similar future data breaches, such as adding two-factor authentication to the concerned website and moving up to a strong customer authentication.
  • Documenting the breach according to Article 33 (5) GDPR and notifying the SA about it are not optional in this scenario. Furthermore, the controller should notify all 100.000 data subjects (including the data subjects whose accounts were not compromised) in accordance with Article 34 GDPR.
Actions necessary based on the identified risks
Internal documentationNotification to SACommunication to data subjects
üüü

3.4         Organizational and technical measures for preventing / mitigating the impacts of hacker attacks

  • Just as in case of ransomware attacks, regardless of the outcome and the consequences of the attack, re- evaluating IT security is compulsory for controllers in similar cases.
  • Advisable measures:

22)For secure web application
development see also: https://
www.owasp.org/index.php/Main_Page .

(The list of the following measures is by no means exclusive or comprehensive. Rather, the goal is to provide prevention ideas and possible solutions. Every processing activity is different, hence the controller should make the decision on which measures fit the given situation the most.)

  • State-of-the-art encryption and key management, especially when passwords, sensitive or financial data are being processed. Cryptographic hashing and salting for secret information (passwords) is always preferred over encryption of passwords. The use of authentication methods obviating the need to process passwords on the server side is preferable.
    • Keeping the system up to date (software and firmware). Ensuring that all IT security measures are in place, making sure they are effective and keeping them regularly updated when processing or circumstances change or evolve. In order to be able to demonstrate compliance with Article 5(1)(f) in accordance with Article 5 (2) GDPR the controller should maintain a record of all updates performed, including also the time when they were applied.
    • Use of strong authentication methods like two-factor authentication and authentication servers, complemented by an up-to-date password policy.
    • Secure development standards include the filtering of user input (using white listing as far as practicable), escaping user inputs and brute force prevention measures (such as limiting the maximum amount of retries). “Web Application Firewalls” may assist in the effective use of this technique.
    • Strong user privileges and access control management policy in place.
    • Use of appropriate, up-to-date, effective and integrated firewall, intrusion detection and other perimeter defence systems.
    • Systematic IT security audits and vulnerability assessments (penetration testing).
    • Regular reviews and testing to ensure that backups can be used to restore any data whose integrity or availability was affected.
    • No session ID in URL in plain text.

4         INTERNAL HUMAN RISK SOURCE

  • The role of human error in personal data breaches has to be highlighted, due to its common appearance. Since these types of breaches can be both intentional and unintentional, it is very hard for the data controllers to identify the vulnerabilities and adopt measures to avoid them. The International Conference of Data Protection and Privacy Commissioners recognized the importance of addressing such human factors and adopted the resolution to address the role of human error in personal data breaches in October 2019

23) http://globalprivacyassembly.org/wp-content/uploads/2019/10/AOIC-Resolution-FINAL-ADOPTED.pdf

. This resolution stresses that appropriate safeguarding measures should be taken to prevent human errors and provides a non-exhaustive list of such safeguards and approaches.

4.1         CASE No. 08: Exfiltration of business data by an employee

During his period of notice, the employee of a company copies business data from the company’s database. The employee is authorized to access the data only to fulfill his job tasks. Months later, after quitting the job, he uses the data thus gained (basic contact data) to feed a new data processing for which he is the controller in order to contact the clients of the company to entice them to his new business.

4.1.1        CASE No. 08 – Prior measures and risk assessment

  • In this particular case no prior measures were taken to prevent the employee from copying contact information of the company’s clientele, since he needed – and had – legitimate access to this information for his job tasks. Since fulfilling most customer relation jobs require some kind of employee access to personal data, these data breaches may be the most difficult to prevent. Limitations to the scope of access may limit the work the given employee is able to do. However, well thought out access policies and constant control can help prevent such breaches.
  • As usual, during risk assessment the type of the breach and the nature, sensitivity, and volume of personal data affected are to be taken into consideration. These kinds of breaches are typically breaches of confidentiality, since the database is usually left intact, its content “merely” copied for further use. The quantity of data affected is usually also low or medium. In this particular case no special categories of personal data were affected, the employee only needed the contact information of clients to enable him to get in touch with them after leaving the company. Therefore, the data concerned is not sensitive.
  • Although the only goal of the ex-employee that maliciously copied the data may be limited to gaining the contact information of the company’s clientele for his own commercial purposes, the controller is not in a position to consider the risk for the affected data subjects to be low, since the controller does not have any kind of reassurance on the intentions of the employee. Thus, while the consequences of the breach might be limited to the exposure to uncalled-for self-marketing of the ex-employee, further and more grave abuse of the stolen data is not ruled out, depending on the purpose of the processing put in place by the ex- employee

24)For guidance on “likely
to result in high risk
processing operations, see footnote 10 above

.

4.1.2        CASE No. 08 – Mitigation and obligations

  • The mitigation of the adverse effects of the breach in the above case is difficult. It might need to involve immediate legal action to prevent the former employee from abusing and disseminating the data any further. As a next step, the avoidance of similar future situations should be the goal. The controller might try to order the ex-employee to stop using the data, but the success of this action is dubious at best. Appropriate technical measures such as the impossibility of copying or downloading data to removable devices may help.
  • There is no “one-size fits-all” solution to these kinds of cases, but a systematic approach may help to prevent them. For example, the company may consider – when possible – withdrawing certain forms of access from employees who have signalled their intention to quit or implementing access logs so that unwanted access can be logged and flagged. The contract signed with employees should include clauses that prohibit such actions.
  • All in all, as the given breach will not result in a high risk to the rights and freedoms of natural persons, a notification to the SA will suffice. However, the information to the data subjects might be beneficial for the data