When am I dealing with a reportable incident data breach?


At the moment that unauthorized persons (can) access personal data, there is a potential data breach. In many cases, organizations are required to report the incident to the Personal Data Authority (AP). The AP was established and designated as the regulator of the General Data Protection Regulation (AVG) and the AVG Implementation Act (UAVG). When a data breach occurs depends on the circumstances. For example, a data breach need not be reported if the risk to rights and freedoms of data subjects is limited. This is in contrast to when an unauthorized person gains access to a customer’s passport or bank account number. After all, in that case, misuse of identity or financial consequences cannot be ruled out. Such incidents must be reported to the AP within 72 hours.

Data breach in the physical domain

For example, the most recognizable incidents occur when an employee leaves an unencrypted USB stick on the train. In some cases, it also involves a physical document. The data breach need not always be caused by the data subject. Consider the theft of a bag containing a client’s file. In both cases, the data breaches in question are notifiable data breaches of a physical nature.

Why a physical data breach may be more beneficial

The advantage of a physical incident is that an employee usually knows what kind of data the documents contain. After all, it often involves a limited amount of information. Furthermore, the discovery of the data breach does not immediately lead the finders to access an entire IT network. This allows for highly targeted measures and investigative actions to be taken in such incidents. To illustrate, if the file on a found USB stick contains passwords, then the passwords of the relevant accounts can be changed in a very targeted way. Examples of targeted investigative actions include checking the logs of the accounts involved and investigating anomalous login actions. Are there any deviating devices used at login? Have logins occurred from different locations or providers? Are there any IP addresses that can be traced to anomalous services, such as use of TOR or an anonymous VPN service?

Why a physical data breach can also lead to a major incident

Despite the fact that the damage in a physical data breach is often limited, it also happens in practice that a physical data breach leads to a larger incident. Let’s take the example of passwords on a USB flash drive. These passwords can be misused or shared with third parties. Misusing this data does take extra time. Passwords must be used at the right address and within the right environment, and data will first need to be copied onto a device.

Regardless of the extent of the data breach, a physical data breach must also be reported to the AP.

Regardless of the extent of the data breach, a physical data breach must also be reported to the Personal Data Authority. This is because we cannot ascertain the intention of the finder, and it is not always possible to say exactly what happened to the data during the period that it was lost. In addition to a notification, it is therefore also advisable to conduct an investigation into what has been done with the data.

What factors reduce risk of data misuse?

The notification to the AP should also include the extent to which there are factors that reduce the likelihood of misuse of the leaked data.

This is because the likelihood that an unauthorized person has been able to log into the systems is lower when additional security measures are used at login time:

  • Multifactor authentication (such as an SMS with a temporary code at the first login),
  • A corporate VPN (so that the corporate network and associated applications can be used only through the VPN);
  • Whitelisting of IP addresses (an employee can only log in from allowed IP addresses: the IP address of the company itself);
  • So-called ‘MDM’: mobile device management (an employee must pre-register his or her devices with management before these devices can be used in the network),
  • Encrypting personal data.

At the point when sufficient measures have been taken and no anomalies have been observed in the logs, misuse of the data is less likely. If it involves losing personal data, the employee may be able to explain what data this was. If a person’s identity can be ascertained, it is wise to inform them and warn them of possible consequences.

Should it be the case that the (unencrypted) USB drive contains personal data of multiple individuals and it is not known to whom the data belonged, forensics could be valuable. After all, the data was copied to the USB drive at some point, such as from a computer or laptop. Copying the data usually also leaves forensic traces on the computer or laptop involved. This could then be examined to determine what data was copied to the USB drive. It may be possible to trace persons involved who can then be informed.

Data breach in the event of a hack

NFIR regularly deals with incidents that are less easily noticed: cybercriminals who navigate the network undetected for days, weeks or even years. We often determine this in response to a very palpable consequence, such as running a ransomware attack or an email account sending spam. How do you determine that such incidents were only limited to that consequence? Can you determine within 72 hours that there is no reportable incident?

Challenges of a data breach in a hack

Relative to a physical data breach, in a hack it is more difficult to determine what data has disappeared. There are often no visual traces of this data leak. Therefore, NFIR recommends that the nature and extent of such incidents be investigated. In practice, it is in fact common for data to have been stolen in the period before the ransomware attack was carried out. Increasingly, attackers are indicating in the ransom note that they have taken away data. They then often express the intention to publish this data if payment is not made. Of course, this is a choice of that attacker. After all, they made the choice to mention it.

It is important to realize that they have (possibly) succeeded in taking this data away unseen. Until this is investigated, this is nothing more than conjecture. Indeed, it may also be an empty threat. However, this does reflect a pain point: once an unauthorized person has gained themselves unlawful access to the company network, it is not easy to find out exactly what they have done and what data this involves.

Thus, in ransomware attacks, the taking of data is increasingly made known by the attackers. But what if an attacker’s goal is different? Is it really the case that only one email account has been hacked and is spreading spam (or even phishing emails)? Does an attacker indeed only want to make systems inaccessible through a DDoS attack, or could this possibly be a distraction? To do this, did attackers actually use a single IP address from a foreign country, or did they also, for example, acquire servers in the Netherlands with which they quietly attacked other accounts? Could it be that unauthorized people have actually gained access to multiple accounts, which they want to use for other purposes?

As you can see, it is quite difficult to answer this until an estimate can be made of the purpose of an attacker and/or the size and scale of the incident. Some consequences are highly visible, such as a data breach in the physical domain, a user spreading spam or inaccessible services due to ransomware or a DDoS attack). Other consequences are more difficult to notice, such as the removal of information from a corporate network.

Importance of forensics

Conducting forensic investigations can often provide answers to this, depending on the traces available. During the intake interview, NFIR inventories both observations from the organization (how did the incident start? Were there problems in the network before the incident occurred?), as well as the available traces in the corporate network. For example, from logs from the network (such as from a firewall, antivirus, or security monitoring), NFIR examines which systems and accounts may have been affected, in what order, and the time period during which the unauthorized person accessed the systems. For example, forensic examinations of the identified servers or computers can be used to retrieve opened folders and files.

To best answer this, NFIR asks that as few interactions as possible be performed on potentially infected systems. In fact, any actions performed on it may overwrite important forensic traces. It is therefore important not to turn off a potentially infected system, but to disconnect it from the network. Even if it is suspected that an encryption process is active at that time. Indeed, interrupting an encryption process can also prevent data from being decrypted, even if the organization decides to pay.

Security incident? Meet Incident Response

Our Incident Response team is available 24/7 to identify and resolve any cyber incident.

At the moment that unauthorized persons (can) access personal data, there is a potential data breach. In many cases, organizations are required to report the incident to the Personal Data Authority (AP). The AP was established and designated as the regulator of the General Data Protection Regulation (AVG) and the AVG Implementation Act (UAVG).

Assume a duty to report incidents to the Personal Data Authority (AP) within 72 hours.

Steps to take in the event of a data breach are:

  1. Provide an overview of the situation. NFIR provides support in this regard.
  2. Take immediate action to mitigate the damage from the data breach. And assess the risks.
  3. Determine whether or not you should report the data breach to the Data Protection Authority (AP). If so, do so immediately.
  4. Determine whether or not you must report the data breach to affected individuals. If so, do so as soon as possible.
  5. Record the data breach in your data breach register.

Are you facing unexpected events in your IT environment, such as workstations being blocked, security breaches, no longer being able to access your data, a possible data breach or a cybersecurity attack? At your request, NFIR will take immediate action with an incident response team.

Ransomware is on the rise, no one will deny that anymore. Where once the goal was to gain access to bank accounts, attackers are now getting paid to decrypt victims' files.

read more: How can your organization prepare for a cyber incident?

The number of ransomware attacks in the Netherlands is large and even increasing. In a recent survey, nearly three-quarters of Dutch companies surveyed said they would be hit by a ransomware attack by 2021. Only slightly more than a third said they had a cybersecurity strategy ready. This is while the impact of a ransomware attack on your business or organization is enormous. Your business operations are severely hampered or even made impossible. Trade secrets (can) be resold and data leaked. Your external partners no longer trust your organization and take a wait-and-see attitude. And don't think "that won't happen to us," because it can happen to anyone. From large companies and organizations to SMEs employing 20 people.

Read more: What impact does a ransomware attack have on my organization?