In the report, the President of the Office for Personal Data Protection indicated the following situations as the most frequent and typical breaches:
- Incorrect addressing or packaging of correspondence (in traditional or electronic form) – the consequence of these breaches is that personal data are made available to unauthorised persons. This sort of breach was most often caused by an error of the data controller’s employee. The breach also originated in errors made as early as the stage of collecting address data, when would-be recipients of parcels gave controllers incorrect correspondence addresses. It was often the case that personal data were disclosed to the wrong addressees by sending mass electronic correspondence without concealing the other recipients’ e-mail addresses (i.e. without using BCC).
- Incorrect anonymisation of data or unintentional publication of data – such breaches were the case in the public sector, including in the Public Information Bulletin and official journals.
- Disclosure of data to the wrong person – this type of breach resulted, among other things, from issuing documents (e.g. certificates and tax returns) to persons not entitled to receive them or from the mistaken posting of transfers.
- Loss of correspondence by the postal operator or opening of correspondence before it is returned to the sender – in the era of the global pandemic, such breaches were also caused by correspondence being stored “in quarantine”, which made it impossible to submit a complaint to the postal operator on time and to effectively determine the stage at which the correspondence was opened or destroyed.
- Unauthorised access to databases – these breaches occurred as a result of software errors that emerged after an update, a lack of regular security tests aimed at detecting system vulnerabilities, and improper granting of permissions.
- Loss, theft or leaving of paper documentation in an unsecured location – these sorts of breaches were usually caused by employees’ carelessness, and they were usually one-off incidents. There were also cases of documents being left in generally accessible locations in order to reduce the epidemiological threat. This refers to the practice of setting out makeshift, unsecured containers serving as drop boxes for the submission of documents containing personal data.
- Loss or theft of a data carrier – this sort of breach was caused by the loss of laptops or USB flash drives, which were often unencrypted at the time of the event.
- Use of malicious software that interferes with the confidentiality, integrity or availability of personal data – this sort of breach was caused by the exploitation of vulnerabilities and gaps in security. In many cases, system vulnerabilities resulted from the controller failing to update the software.
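The first item in the list above (mass e-mail sent without concealing the other recipients) is the kind of breach that is easy to catch before the message leaves. The following Python example, added here and not taken from the report or from any tool the Office describes, builds a bulk message the safe way (real recipients only in Bcc, a single visible To: address) and runs a simple outbound check that flags a message exposing more than one recipient address in To/Cc. The threshold, sender and recipient addresses are constructed for the example.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

# Constructed policy: a bulk message may show at most one visible recipient
# (normally the sender's own address); anything more is treated as a disclosure
# of personal data (the recipients' e-mail addresses) to unauthorised persons.
MAX_VISIBLE_RECIPIENTS = 1


def build_message(sender, recipients, subject, body, conceal=True):
    """Build a bulk message; with conceal=True recipients travel only in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if conceal:
        msg["To"] = sender                    # visible To: is the sender itself
        msg["Bcc"] = ", ".join(recipients)    # real recipients stay hidden
    else:
        msg["To"] = ", ".join(recipients)     # the faulty practice from the report
    return msg


def envelope_recipients(msg):
    """Addresses the mail system will deliver to: To, Cc and Bcc together."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)]


def as_delivered(msg):
    """Serialise the message and strip Bcc, which is what a correctly behaving
    sending client does (smtplib.send_message removes Bcc before transmission),
    so the result is what every recipient actually sees."""
    delivered = message_from_bytes(msg.as_bytes(), policy=default)
    del delivered["Bcc"]
    return delivered


def visible_recipients(msg):
    """Recipient addresses every recipient can read in the delivered copy."""
    d = as_delivered(msg)
    return [addr for _, addr in getaddresses(d.get_all("To", []) + d.get_all("Cc", []))]


def check_outgoing(msg):
    """Return policy findings for a message about to be sent (empty list = OK)."""
    findings = []
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        findings.append(
            f"{len(visible)} recipient addresses visible in To/Cc; use Bcc for bulk mail"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample addresses.
    sender = "office@example.org"
    recipients = ["anna@example.org", "bartek@example.org", "celina@example.org"]
    for conceal in (False, True):
        msg = build_message(sender, recipients, "Notice", "Hello", conceal=conceal)
        print("conceal =", conceal, "->", check_outgoing(msg) or "OK")
```

In practice the check belongs at the point where a mailing is handed to the mail relay (a pre-send hook or an outbound gateway rule), so that a message with a long visible recipient list is held rather than delivered.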
Some statistics: in 2021, the Personal Data Protection Office received 12,946 reports of breaches. In the private sector, the largest number of reports came from entities in the following sectors: telecommunication – 1,890, insurance – 1,929, banking and finances – 1,113, and non-public health care – 257.