08-02-2024

Personal Data Breaches in Lithuania During the Year of 2023

A review of the statistics on personal data breach (PDB) notifications in Lithuania for 2023 shows that the State Data Protection Inspectorate (SDPI) received 254 PDB notifications and that the number of affected data subjects in Lithuania was 571,833. Compared with the previous year, the SDPI received fewer PDB notifications than in 2022 (in 2022, the SDPI received 304 PDB notifications); moreover, the number of affected data subjects in Lithuania decreased more than threefold (in 2022, the number of affected data subjects in Lithuania was 1,955,382).

By nature of the PDB, breaches of confidentiality statistically prevail in Lithuania. In 2023, they comprised as much as 76% of all cases; 10% of cases were attributed to integrity breaches; 10% of cases to accessibility breaches; and in 4% of cases the incident was not deemed to be a PDB (it did not conform to the notion of one).

Having analysed the PDB notifications received in 2023, the SDPI determined that 85% of PDB occurred for various reasons (human error, IT system disturbances, etc.) and 15% were due to cyber incidents (data encoding, ransom demands, social engineering, data phishing attacks, etc.).

Compared with the previous year, there were far fewer PDB due to cyber incidents than in 2022 (in 2022, 35% of PDB occurred due to cyber incidents and 65% occurred for other reasons).

It is important to note that although cyber incidents comprised only 15% of all PDB that occurred in 2023, as much as 49% of data subjects' data was affected during such incidents (out of all the data subjects affected in 2023); 51% of data subjects' data was affected due to other reasons. Compared with the previous year, 82% of data subjects were affected due to the cyber incidents that occurred in 2022 (out of all the data subjects affected in 2022); 18% of data subjects were affected due to other reasons.

Compared with the previous year, more PDB occur through human error. In 2023, 72% of PDB occurred through human error (in 2022, such cases made up 60%). PDB that occurred due to other reasons comprised 28% of cases (in 2022, such cases made up 40%).

In 2023, 12 PDB notifications were received in which data encoding and ransomware attacks took place. In 2023, during the PDSI, DDoS attacks were noticed. The importance of determining the reliability, reputation and country of origin of the manufacturers of the software and hardware used, or of the cloud service providers, as well as of assessing potential risks to the security of data, is growing.

The SDPI draws attention to the fact that, after determining the occurrence of a PDB and the danger to the rights and liberties of natural persons, the data controller must promptly, and no later than within 72 hours of becoming aware of the PDB, inform the SDPI of it in accordance with the requirements of the GDPR. In 2023, 77% of data controllers reported the PDB that occurred within 72 hours; however, 23% reported later than within 72 hours.

 
