Personal Data Security Breaches in Lithuania in 2024
The State Data Protection Inspectorate (VDAI) received 273 reports of personal data security breaches (PDSBs) in 2024, affecting 1,467,368 data subjects in Lithuania.
The number of PDSB reports received by VDAI in 2024 increased compared to 2023 (when 254 reports were received), and the number of affected data subjects nearly tripled (571,833 affected individuals in 2023).
Statistically, confidentiality breaches accounted for the majority of PDSBs in Lithuania, making up 87% of all cases in 2024. Integrity breaches accounted for 6% of cases, accessibility breaches for another 6%, and in 1% of cases, the incident was not classified as a PDSB (as it did not meet the definition).
After analysing the PDSB reports received in 2024, VDAI determined that 52% of breaches resulted from human error. These incidents were caused by actions taken due to negligence, lack of awareness that such actions could lead to a PDSB, or circumstances where technical and organisational measures were insufficient to prevent them. PDSBs caused by other factors accounted for 15% of cases. These included various IT system failures, such as system errors that prevented timely data updates, leading to disruptions in service provision by data controllers. Additionally, programming errors resulted in unauthorised individuals gaining access to personal data.
VDAI also identified that 33% of PDSBs were the result of cyber incidents. Among these, 11% were due to ransomware attacks, 66% resulted from unauthorised access to IT systems, 18% involved social engineering methods, and 5% were caused by credential-stuffing attacks.
Notably, cyber incidents impacted 49% (712,881) of all affected data subjects in 2024, while breaches caused by other factors affected 51% (754,487) of data subjects.
VDAI emphasises that data controllers must notify the authority without undue delay—and no later than 72 hours after becoming aware of a PDSB—if the breach poses a risk to individuals' rights and freedoms, as stipulated by the GDPR. In 2024, 79% of data controllers reported PDSBs within the required 72-hour period, while 21% submitted their reports late.
In October 2024, following an investigation into a PDSB, VDAI imposed a EUR 9,000 fine on a public institution for violations of GDPR provisions. Additionally, having reviewed the 2024 PDSB reports and identified inadequate personal data security measures, VDAI issued 38 recommendations to help ensure compliance with GDPR requirements in personal data processing.