Data protection: Number of data breaches in Saxony-Anhalt increased
Published on October 24, 2024
In Saxony-Anhalt, the number of reported data breaches has increased. While there were 186 in 2019, the number has steadily increased in recent years. In 2023, there were 300 data breach reports, as the State Commissioner for Data Protection, Maria Christina Rost, announced on request.
In the event of a breach of the protection of personal data, the General Data Protection Regulation requires that a report be made to the authorities within 72 hours if possible. Anyone who fails to meet the deadline can be fined.
This year, when 161 incidents were reported by September, professionally organized attackers stored data from around 18,000 customers in a cyberattack. The data was encrypted, and the company could no longer access it, said Rost. The data included names, addresses, photos of properties, bank details and communication processes.
Data published on the darknet
The company ultimately called in a security company. "However, it was not possible to decrypt the data," said Rost. The attackers demanded a ransom of 30 million euros for the provision of the approximately 50-digit key. The company did not pay, and after the deadline had expired, the attackers published the data on the darknet. "The impact of this cyber attack was significant for the company," said Rost. The state commissioner saw a high risk for customers. This assessment means that the company must notify those affected about the attack so that they can take measures to protect themselves. "However, the company initially refused to carry out this notification."
Data storage device forgotten in office
The notification was made only after the state commissioner told the company that, if the notification was not made, the commissioner would point out the publication on the darknet in a public statement in order to protect customers. "A final report from the company is still pending. Sanctions for the late notification are being considered if necessary," said Rost.
In another case, the data protection officer contacted the municipal utilities of a large city. They had an office cleared out by a removal company and left behind old, still readable data storage devices with stored personal data. The incident was reported to the authorities. "Before clearing out the office, the company should have checked whether there were still data storage devices with stored personal data in the office," said Rost. If necessary, it should have ensured that the data storage devices were destroyed in accordance with data protection regulations.
© dpa-infocom, dpa:241024-930-268842/1
Source: Die Zeit