
Nearly 60,000 Data Breaches Reported Since the Launch of GDPR - amatas
https://amatas.com/news/view/nearly-60-000-data-breaches-reported-since-the-launch-of-gdpr
======
giancarlostoro
This is the kind of thing that makes me not want to register anywhere except
on sites that use known open source and actively maintained software (so
mostly forums). But I guess it's too late. The best I can do is generate a
bunch of unlinked email addresses, and randomize passwords everywhere with my
password manage. I used to use LastPass a lot, but once I lost my vault I
havent gone back to fill a new vault, I really do want to use BitWarden as a
LastPass alternative, but I've just been putting it off for a while. Maybe
it's definitely time to take the plunge.

~~~
atoav
If you own a domain you can use a catchall e-mail adress and then just invent
the part left of the @ as you go. Then store that adress with a random
password generated by keepass.

As a nice side effect you see who lost your data to the spammers, based on the
email adress and you can block whole email addresses from getting stuff

~~~
JeanMarcS
Exactly ! I've done that for years (and for the email alias part, well, at
least the last 15 years), and it's a relief.

Back at the beginning of the 2000's, I use to get hundreds of spams. So I
decided to use an alias of a special mail on my own domain name for each new
site I register to.

I used alias for not having to configure a new account on my mail client.

And then it's super easy to shame whoever sold your email.

Best anecdote I have ? An antivirus / antispam brand. I registered as reseller
with an alias.

Less than a week later, I started receiving unsolicited mail on the alias.

I asked them why it happened, but never received anything more convincing than
"Mmmm, don't know, let me check".

Of course I explained them I won't be buying their product anymore for my
clients, and destroyed the alias.

------
ckastner
Note that what constitutes a reportable breach under Article 33 GDPR [1] is
not entirely clear yet, so companies tend to over-report rather than risk the
consequences of under-reporting.

For example, I know of a financial institution that reported a breach because
they sent an account statement to the wrong address.

(Edit: well, certain breaches _are_ entirely clear, of course. It's the
breaches at the lower boundary that are in question.)

[1] [https://gdpr-info.eu/art-33-gdpr/](https://gdpr-info.eu/art-33-gdpr/)

~~~
elliekelly
When the definition is unclear like this I would say companies tend to over-
report what they're reasonably certain probably _isn 't_ a breach and under-
report things in the grey area that probably _are_ a breach.

We can be reasonably certain the regulators won't want to be bothered with
every account statement misdelivery but they haven't specifically told us.
Self-reporting this is low risk and demonstrates an effort at complying with
the regulation. It also has the added "benefit" (from the corporation's
perspective) of demonstrating to the regulator how onerous and unreasonable
the compliance obligations will be for their office if they don't make an
effort to set "reasonable" compliance and reporting standards (again, from the
corporation's perspective).

But the contractor who "misplaced" the flashdrive of customer data? Well we
haven't been told that's a breach because we don't know that it's "lost." It
certainly feels like something a regulator would care about more than a
misdelivered account statement but they haven't specifically told us they care
about this scenario yet. That's a risky thing to self-report because there
will probably be consequences and we have no idea what the consequences are
because it hasn't come up for anyone else yet either. In that case it's
low(er) risk _not_ to report it and hang our hat on the ambiguity of the new
regulation in the very unlikely event the regulator even gets wind of the
breach. The strategy is to ask for forgiveness for our ignorance of the scope
rather than clarification.

It's not right, but that's how it works.

Source: Corporate attorney/Former Chief Info Security Officer at an investment
bank. I quit over their handling of a particularly egregious PII breach.

------
Sujan
Hey amatas, your "GDPR in 5" popups is broken in Firefox 65 on Windows.

~~~
Semaphor
Still in FF 67, Windows

------
zccah3888
Surprised to find the Dutch in first place. I believe it’s their obsession
with accountability that encouraged more people to report instances of breach.

------
rubyfan
How do we know if GDPR is actually working?

Did we expect 60K? Does that mean we should expect a reduction in the future
because companies are taking the right actions? Should we expect to see a
reduction in identity thefts? How does the EU know the law works?

~~~
michaelbuckbee
Not on the government side, but on the implementation side it has at a minimum
caused organizations to shift from "better keep this data just in case" to
"hey, can we maybe not have all this data around I don't want to be
responsible for it."

------
mpweiher
Wow, I have to admit I didn't expect that large an effect.

Even if that were the only effect of GDPR, I think we could already chalk it
up as a huge win, but it won't be. The recent news about German anti-trust
regulators using very GDPR-like language to forbid Facebook data
gathering/correlating, but with the additional teeth of anti-trust, is also a
good sign.

I also saw that less than 100 fines were levied, so for now a rate of 600:1
breaches:fines.

~~~
michaelbuckbee
Note: the setup is not Data Breach -> Fine.

What you'll get a fine for is:

\- Not reporting a major databreach promptly when you become aware of it

\- Not responding well or taking proper steps to notify affected people

\- Not taking basic precautions to safeguard data

\- Being warned and then disregarding guidance (what it seems Facebook has
done)

~~~
opportune
what this creates at actual companies: PMs making $250k+ per year to sit on
their asses and read about GDPR and tell you whether or not to post comms and
whether you should do encryption without knowing any details about it

~~~
Angostura
Only at really shitty companies.

------
Radim
This is how we see privacy breaches play out:

1\. GDPR… who cares? Give me a break, sick of that shit.

2\. OK, let's do the bare minimum to comply.

3\. Hey, you, IT guy! You know where we're storing all the data, right? Good.
Put that in a document somewhere. DPIA: done.

4\. Oh shit, someone's laptop got stolen / email account got breached. What
sensitive data was actually there? Who's affected? What now?

Disclosure: we built SW for automated AI discovery and analytics of personal
data, PII Tools. It's used by auditors, and I can say the most severe problems
come from unexpected places (file shares, archives, email attachments…), not
your "front-facing central DB" that's typically top of everyone's mind.

~~~
jacquesm
> I can say the most severe problems come from unexpected places (file shares,
> archives, email attachments…),

As to your ...: backups, old hardware that is discarded, lost USB sticks that
had data on them they shouldn't have had in the first place, test systems,
developer laptops with data on them they should not have.

