A Look at Data Breach Statistics in 2020
2020 has proved to be a challenging year from all points of view. With the health crisis brought on by the COVID-19 pandemic disrupting the worldwide economy and crippling many sectors, cybersecurity may have been the last thing on anyone’s mind. However, many malicious actors took advantage of the chaos to wreak havoc and cash in on the relaxation of cybersecurity efforts. As a consequence, 2020 has been a stellar year for data breaches and regulatory fines.
The rushed adoption of widespread remote work policies in all business sectors created large gaps in cybersecurity which resulted in an increase in security incidents. According to cybersecurity company Malwarebytes’ Enduring from Home: COVID-19’s Impact on Business Security report, remote workers became the source of nearly 20% of cybersecurity incidents in 2020. Among the companies that answered their survey, 24% also faced unexpected expenses linked directly to cyberattacks and breaches that occurred due to work from home.
The report also showed a worrying trend among remote workers to use their personal devices instead of their company-issued ones. 27.7% of respondents said they used their personal devices more than the devices provided by their workplace, with a further 31.2% admitting they sometimes used personal devices for work. Only 39.1% strictly used only work-issued devices to perform their duties.
Some of the companies’ key concerns when it came to remote work were related to devices being more exposed at home, where unauthorized individuals may have access to them, the difficulty of managing devices using remote work resources, shadow IT and a decrease in the effectiveness of IT support carried out remotely. All this in a situation where only 61% of companies provided employees with work-issued devices and 45% did not perform security and online privacy analyses of the software tools they implemented to transition to work from home.
Main Causes of Data Breaches
According to IBM and the Ponemon Institute’s Cost of a Data Breach Report 2020, which interviewed 3200 individuals working for 524 organizations in 17 countries and regions, 52% of all data breaches were caused by malicious outsiders, a further 25% by system glitches and 23% by human error. Customers’ personally identifiable information (PII), which was involved in 80% of all data breaches, was the type of record most often lost or stolen. This is hardly surprising given that PII is the most valuable type of data due to its sensitivity. As a consequence, it is also the type of data most often protected by data protection regulations.
Compromised credentials and cloud misconfiguration were responsible for 19% of malicious data breaches, with third-party software vulnerabilities accounting for another 16%. Human error was also not the only way employees contributed to data breaches. Malicious insiders were the root cause of 7% of data breaches, with social engineering and phishing attacks targeting employees directly accounting for a further 17%.
Employees were also shown to be more negligent in some sectors than in others. At the top of the list was the Entertainment industry where 34% of all data breaches were caused by careless employees, followed by the public and consumer products sectors where human error accounted for 28% of data breaches. In the healthcare sector, despite heavy regulations, employee negligence was responsible for 27% of all data breaches. On the other end of the spectrum, in Transportation, only 13% of data breaches were caused by human error, while in Retail and Tech it accounted for 17%.
GDPR Fines Keep Increasing
While the enforcement of some data protection regulations, such as HIPAA in the US, has been relaxed because of the pandemic, European data protection agencies have continued their work unhindered. This year has brought a number of record fines for non-compliance with the EU’s General Data Protection Regulation. To date, 281 fines have been issued this year, amounting to over €162 million.
Google was the worst hit: its appeal against the €50 million fine imposed by France’s data protection authority, CNIL, was dismissed by the country’s highest court, and the Swedish Data Authority slapped the tech giant with another €7 million fine for its failure to comply with an individual’s right to be forgotten.
In October 2020, the second-largest GDPR fine ever imposed, of approximately €35 million, was issued by the Data Protection Authority of Hamburg, Germany, to clothing retailer H&M for recording meetings with employees during which sensitive information was disclosed and then sharing the recordings internally among managers.
British Airways was fined €22 million for its failure to prevent a data breach that affected 400,000 customers due to poor cybersecurity measures. Marriott, meanwhile, was hit with a €20.4 million fine for the spectacular data breach that affected 83 million guest records and was a consequence of its lack of due diligence after acquiring the Starwood Group, which was at the root of the incident.
As companies face the difficulties posed by the COVID-19 pandemic, it is essential that they do not neglect cybersecurity. Malicious actors are always looking for opportunities to profit and this year has been no different. At the same time, while data protection authorities have shown themselves more lenient due to current circumstances, they have not held back from applying eye-watering penalties when gross neglect of data protection requirements was identified.
All this shows that cybersecurity, which up until a few years ago was considered an afterthought by many organizations, is now a crucial part of business operations and there will no longer be a time when it is acceptable to disregard it.