Data theft: there has never been as much as today, according to the CNIL


Alexander Boero

May 13, 2022 at 1:05 p.m.


The latest CNIL annual report shows a very sharp increase in the number of data breaches, around 79% in 2021 compared to 2020.

This week, the National Commission for Computing and Liberties published its 2021 activity report, which ranges from its enforcement action to regulatory support, including cybersecurity, which is now ubiquitous. On the more specific point of personal data, the CNIL has intensified its controls and, above all, received a record number of reports.

A sharp increase in reports, the smallest structures still very vulnerable

The CNIL says that last year it received 5,037 breach notifications, a record and a particularly impressive increase of 79% between 2020 (2,821) and 2021. Note that this figure counts only "complete and initial" notifications; in total, the data watchdog received 6,158.

On average, therefore, we are talking about 14 notifications a day and 420 a month for personal data breaches alone. SMEs and micro-enterprises account for almost 7 out of 10 notifications (69%), with hacking as the primary cause. This statistic is unfortunately logical, since the smallest organizations do not have the same means of defense as the large ones (no IT department, etc.). Consequently, they are less aware of cyber risk.

This is confirmed by the fact that large companies represent only 6% of the notifications sent to the CNIL, and medium-sized companies, 25%.

Data breaches still mainly linked to ransomware

Obviously, the question arises as to the reasons behind this strong growth in data breach notifications. The first, which we regularly mention at Clubic, is the marked increase in cyberattacks, in particular ransomware, identified as the number one IT threat for businesses, public bodies and local authorities.

The second reason, which the CNIL welcomes, is that organizations are taking into account the notification obligation imposed by the GDPR, today the only text to impose specific cybersecurity obligations. It must be said that the scale of the sanctions (20 million euros fine or 4% of turnover) discourages many companies from keeping data breaches secret.

But companies and organizations have also understood, for their own sake, that it was imperative to better arm themselves internally to fight breaches. To do this, they raise awareness and put in place direct processes that make it possible to detect and react to these breaches.

The entities most affected by data breaches are from specialized, scientific and technical activities (21%), health (18%), public administration (12%) or finance and insurance (10%).

As for the causes of breaches, 63% stem from an external act (accidental or malicious). Internal acts represent 17%. More than half of notifications (3,000, a 128% increase) were the result of hacking, often ransomware, which remains a scourge and causes small players to panic. They often have everything to lose…


Source: CNIL report


