The scale of the Target data breach of late 2013 made it one of the largest data breaches in history, affecting up to 40 million customers[1]. However, it turned out to only be the first of a series of significant breaches that earned 2014 the title of "Year of the data breach" across a variety of industry and media reporting.
The 2014 IOCTA highlighted how a lack of reporting hindered law enforcement from mounting a suitable response to network intrusions, with industry preferring (where possible) to allow the incident to be handled by private security companies. Since then, however, there has been a clear increase in the level of reporting to, and subsequent involvement of, law enforcement in such investigations.
Almost 75% of Member States indicated that they had investigated some form of data breach or network intrusion, with almost half of Member States running 10 or more distinct investigations. Over one third of EU law enforcement agencies identified network intrusions as an increasing threat.
Not all network intrusions lead to the leakage of data or theft of intellectual property. The defacement of business or private websites was one of the most commonly reported cyber-attacks within EU law enforcement. It was also noted that there is an increasing number of these attacks with a terrorist context. The 2015 Verizon Data Breach Investigation Report (DBIR)[2] identified that in 70% of attacks where the motive could be established, a breach occurs with the intention of instigating further attacks on secondary victims, for example using a hacked server for hosting malware or phishing.
Nevertheless, 2015 has already witnessed a number of significant data breaches. In May and July respectively, adult hookup websites AdultFriendFinder and AshleyMadison[3], an allegedly discreet website for those seeking extra-marital affairs, were hacked. Both leaked personal and sensitive details related to millions of their customers, leaving them vulnerable to extortion and social engineering attacks. AshleyMadison's clientele were largely North American; however, AdultFriendFinder had approximately 3.5 million customers worldwide. The proportion of these within Europe is unknown, so the impact of these breaches on European citizens may never be fully appreciated. However, over 1400 customers were identified as senior executives of Fortune 500 companies[4], over one fifth of which are based within Europe. It is therefore safe to assume that European citizens feature amongst those who have had their personal details disclosed.
The majority of data breaches occurred as a result of compromised credentials (typically those with administrator rights), with the rest largely made up of phishing attacks and, in the case of industries using point-of-sale (PoS) terminals, RAM scraping. Broken down differently, 25% of breaches were the result of crimeware, 20% the result of insider misuse and 15% a consequence of physical theft or loss. Almost one third were additionally the result of miscellaneous human errors, such as sending sensitive information to the wrong recipient or accidentally publishing sensitive data to public servers[5].
The table below identifies some of the more prominent publicised data breaches from the first half of 2015 which originated from within, or which are believed to impact, the EU[6]. The number of breaches apportioned to each country is at least partly representative of the stringency of the reporting regulations within that jurisdiction.