US organisations now suffer so many data breaches it has become a full time job simply documenting them. But what has been going on in Europe?
One of the first studies of publicly reported data breaches in the 28 countries of the EU (plus Norway and Switzerland), by the Central European University's Center for Media, Data and Society (CMDS), has calculated that between 2004 and 2014 the continent’s organisations suffered 229 known incidents covering 227 million personal records.
This excluded global incidents that happened elsewhere and involved European citizens, which is the first complexity the study had to grapple with – databases and the organisations looking after them are now global and so boundaries and measurements start to blur.
A second issue was that the data was taken from ‘credible’ and sourced media reports in each country, an innovative methodology that nevertheless raises the question of how much one can really infer from public reports written up by journalists.
We know that some countries have tougher disclosure laws than others (the UK and Germany, for instance), and different national and corporate cultures have probably affected the stream of public disclosures. Consequently, national comparisons become treacherous enough to call the whole exercise into question.
Although this means that the CEU’s figure of 229 breaches is without a shadow of a doubt a significant understatement, it does at least offer a baseline of sorts.
The CEU found that the Internet-connected population of the 30 countries now stands at 409 million, which gives some idea of how many people’s records could be at risk. The peak for breach incidents was 2011, which recorded about 50, but the peak for the number of records breached was by some margin 2013 despite that year recording only 30 incidents.
The conclusion is that there seem to be fewer disclosed breaches in recent times but those that occur are larger; so far 2014 has recorded about the same proportion of incidents as 2013 but a far smaller number of breached records.
One interesting finding is that the UK seems to be a breach hotspot, recording 245 compromised records per 100 Internet users, far above the 79 for Germany. Another is that 89 percent of breaches happened in commercial organisations and 10 percent in governments.
More than half of all incidents were caused by the actions of an insider rather than a hacker, most likely through error rather than malevolence. This is an important point to offset hacking hysteria although it might reflect the way breaches happened in the past.
The larger question remains what effect legislation is going to have going forward. The UK appears to have more breach incidents than any other country, but it also has a culture of disclosure, more clearly defined data protection and an active information commissioner, so this doesn't necessarily mean it has a bigger problem.
The EU’s new E-Privacy Directive, under which breaches of personal data must be reported to national authorities, could start to lift the lid on what has been going on under the surface in countries where secrecy still prevails. The EU is also tightening and unifying data protection under the EU General Data Protection Regulation (GDPR).
“In countries where there are no disclosure rules, people will never learn what data about them has been collected and lost. And it is harder for journalists to cover privacy issues in countries where privacy breaches don’t have to be publicised,” said the CEU’s CMDS director, Phil Howard, by email.
“If there’s one thing this study reveals, it’s that there is a lot we don’t know about who has what kinds of data about us, how much of it is safe, and how much of it has already been exposed.”
The media still focused on external hacking when many incidents were caused by internal mismanagement, he argued.