Cases of data and privacy breaches continue to rise around the world, both due to the increase in criminal actions and due to greater surveillance and recording of incidents that occur. Last year, the Catalan Dades Protection Authority (APDCAT) received 183 security violation notifications, which represents an increase of 22% compared to 2022.
The number of people in Catalonia who were victims of these violations is around 1.5 million, although the figure could be much higher, because analysts have not been able to determine the approximate number of those affected in 21 of the cases. The large increase in the section of citizens whose data has been compromised reaches 82% and is due to the fact that one of the main cyber attacks that was registered in 2023 was the health data of a total of 800,000 people.
The APDCAT directed by Meritxell Borràs points out that the high increase in recorded data security violations is basically due to two causes. On the one hand, because cybersecurity incidents affecting entities that operate with citizen data have increased throughout the world. On the other hand, it must be taken into account that each year the existence of more cases is reported due to "the progressive consolidation of the figure of the data protection delegate, who ensures that organizations comply with the standard and notify this type of incidents." ”.
Just over half (52%) of security breach notifications in 2023 were due to malicious external actions. Compared to malicious acts, unintentional internal accidents, identified as leaks due to human errors, represented 42%. There were also 4% of malicious internal acts, which were caused by abuse of access privilege by employees who extracted, copied or forwarded data without authorization. Only 1% of cases were accidental.
Almost a third of all security breach notifications, 31% were due to cyber attacks. In 26% of the cases, personal data was communicated by mistake, while 21% of the leaks were due to the theft of computer equipment or documentation.
The unintentional improper publication of data on the Internet, such as on transparency portals or on the electronic dashboard of the entity or company responsible for processing the data, has been responsible for 6% of unintentional data disclosures. The APDCAT highlights that there has been an increase in security incidents “that have their origin in the development of technological solutions that have not taken privacy into account in the design, which has allowed unauthorized people to access the data.”
If cyberattacks are divided by type, 19% were ransomware, which consists of kidnapping data to demand a ransom. 7% were attacks on systems and 5% were phishing, impersonation of entities such as banks so that the victim provides their data.
Last year there were several relevant incidents, such as the attack on the Clínic hospital in Barcelona, victim of a hacker group called RansomHouse that published the extracted data over four months on the dark web, since its attempted extortion to avoid filtration, it was not accepted by the management of the health center.
