Verizon’s security expert Bryan Sartin said this week that he was “surprised” so little information about data breaches had shown up in public in the 12 months since GDPR came into force.
The telecommunications company’s head of global security services told BBC News that “There’s a time bomb around these breaches.”
The annual Verizon Data Breach Investigations Report (DBIR) collates information from more than 2,000 confirmed breaches that hit large and small organisations all over the world.
It also logs information about more than 40,000 incidents such as spam and malware campaigns and web attacks.
Companies that lose data face fines of up to 4% of their global revenues, under European data protection laws.
The report also revealed a growing threat to senior staff in large companies from well organised phishing attacks.
Mr Sartin said: “There are so many investigations happening covering information under GDPR and at any moment any of those may leak or get some public attention.”
The General Data Protection Regulation (GDPR) came into force last May and requires companies that lose data to notify regulators quickly after a breach.
Big fines can be levied if the organisation is judged to have not done enough to protect personal data or clean up after a breach.
Satya Guptan CTO and Co-Founder at Virsec told Endpoint Security Review: “The latest Verizon 2019 Data Breach Investigations Report highlights that cyberattacks are becoming much more targeted and dangerous. They noted a huge increase in C-level executives being individually targeted. The same trend is happening with specific network tools and industrial equipment. Attackers are prolific at scanning networks and finding specific types of vulnerable equipment, then targeted them with specific malware designed for these devices.
“There continues to be a temporal disconnect between the time frame for attacks versus response. The report points out that attack chains act “within minutes” while “the time to discovery is more likely to be months.” This gap must be tightened, and security tools need to focus on real-time attack detection if we are to have any chance to curtail these breaches.”
In fact, a fine was issued in just one of every 395 data breach investigations by the Information Commissioner’s Office (ICO) in the past year.
The ICO closed 11,468 data breach cases between May 2018 and the end of March 2019, according to statistics released under Freedom of Information laws. This is the period during which the new GDPR laws have been in force.
Just 29 monetary penalties were issued during this period as well as an additional 13 enforcement notices.