Why internal data breaches happen and how to reduce the risk of one

Apr 9, 2020 | EU

While the news media today often report on security incidents and data breaches caused by external threats such as cyberattacks, internal data breaches can pose just as big a risk for organisations. As it is common practice for several internal stakeholders to hold access to various personal data handled by their organisation, the risk of an internal incident is quite high. So, how can you reduce the risks?

Data breaches are on the rise, and so are internal security incidents

Since the enforcement of the GDPR on 25 May 2018, over 160,000 data breaches have been reported across the 28 EU member states. In the Netherlands alone, the Dutch Data Protection Authority (AP) received almost 27,000 data breach reports in 2019, an incredible 29% increase compared to the year before.


While hacking, phishing, and malware incidents saw an increase, so did the number of internal data breaches. According to the latest figures for the Netherlands, an astonishing 63% of the data breaches reported in 2018 were due to data being sent to the wrong recipient.

Internal data breaches will happen

With the huge amounts of personal data processed by organisations, even with strict access controls in place, staff need to be highly aware of the sensitive data they work with and have the necessary resources and knowledge to safeguard it. If that is not the case, the risk of an internal data breach becomes high.

Let’s take a look at some of the common causes of internal security incidents. 


Human error

Based on data from the ICO, the UK's Data Protection Authority, a staggering 90% of data breaches in 2019 were caused by human error.

Internal security incidents can result from small and large accidents alike: from misplacing a USB stick with personal data on it, to sending a customer newsletter without putting all customer email addresses in the BCC field. Studies show that IT leaders believe the biggest impact of an internal data breach is reputation damage, followed by financial impact.
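The two error modes above (data sent to the wrong recipient, and a newsletter sent without BCC) can be caught before a message leaves the organisation. The following is an added example, not code from the original post or from PrivacyPerfect: a pre-send policy check over a draft message, assuming a hypothetical internal domain `example.org` and a known-contact list.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.org"}  # assumption: the organisation's own mail domain
MAX_VISIBLE_EXTERNAL = 1            # assumption: >1 external address in To/Cc must go via Bcc

@dataclass
class Finding:
    code: str    # VISIBLE_BULK or UNKNOWN_RECIPIENT
    detail: str

def _recipients(msg, header):
    """Bare, lower-cased addresses from every header of that name (empty if absent)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]

def _is_external(addr):
    return addr.split("@")[-1] not in INTERNAL_DOMAINS

def check_outbound(raw_message, known_contacts):
    """Policy check a pre-send hook would run on a draft; returns findings that should block it."""
    msg = message_from_string(raw_message)
    visible = _recipients(msg, "To") + _recipients(msg, "Cc")
    findings = []
    # Rule 1: several external addresses visible to each other leaks the customer list
    # (the newsletter-without-BCC case).
    external_visible = [a for a in visible if _is_external(a)]
    if len(external_visible) > MAX_VISIBLE_EXTERNAL:
        findings.append(Finding("VISIBLE_BULK",
                                f"{len(external_visible)} external addresses in To/Cc; move them to Bcc"))
    # Rule 2: an external address never contacted before is a likely typo or autocomplete slip
    # (the wrong-recipient case).
    for addr in visible + _recipients(msg, "Bcc"):
        if _is_external(addr) and addr not in known_contacts:
            findings.append(Finding("UNKNOWN_RECIPIENT", addr))
    return findings

# Constructed sample data: a known-contact list and three draft messages.
KNOWN_CONTACTS = {"alice@customer-a.com", "bob@customer-b.com", "carol@customer-c.com"}
NEWSLETTER_NO_BCC = ("From: news@example.org\nTo: alice@customer-a.com, bob@customer-b.com, "
                     "carol@customer-c.com\nSubject: April newsletter\n\nHello all,\n")
NEWSLETTER_BCC = ("From: news@example.org\nTo: news@example.org\nBcc: alice@customer-a.com, "
                  "bob@customer-b.com, carol@customer-c.com\nSubject: April newsletter\n\nHello all,\n")
TYPO_RECIPIENT = "From: dave@example.org\nTo: alice@custmer-a.com\nSubject: Your contract\n\nAttached.\n"

if __name__ == "__main__":
    for name, draft in [("no_bcc", NEWSLETTER_NO_BCC), ("bcc", NEWSLETTER_BCC), ("typo", TYPO_RECIPIENT)]:
        print(name, check_outbound(draft, KNOWN_CONTACTS))
```

Wired into a mail client or gateway as a send-time hook, a non-empty result is the point at which to ask the sender to confirm or fix the recipient list.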

Many are not aware, though, of just how easily internal data breaches can happen. A recent survey of over 500 IT leaders and 5,000 employees across the UK, US and Benelux regions demonstrated this very well.

As many as 97% of IT leaders said that insider data breach risk is a massive concern of theirs, and 78% of them believe that employees had accidentally put important company data at risk within the past months. Most interestingly, 92% of employees say they have not accidentally broken company policy when sharing information.

Meanwhile, the analysis conducted by Egress of the data breaches reported to the ICO between January and June 2019 showed that 43% of breaches were the result of incorrect disclosure, and 18% of them were caused by emails sent to the wrong recipient.

A mix of external threat and human error

An internal data breach can also result from a mix of an external threat and a human error. Phishing attacks are typically carried out by sending an email to an individual and tricking them into opening it and clicking on the link within the email or downloading an attachment. Once the recipient does that, the attacker gains an opening that can lead to sensitive information being leaked or stolen. Of the data breaches reported to the ICO between January and June 2019, 5% resulted from data being provided in response to external threats, mainly phishing attacks.

One could argue that internal data breaches are inevitable. With the extensive amounts of personal data organisations work with, there is clearly room for human error, especially when combined with the growing number of external threats. It is therefore crucial that your organisation puts appropriate measures in place to reduce the risk of an internal data breach, and makes sure that if one does happen, it is handled appropriately.

Putting the necessary safeguards in place

Luckily, there are several practical steps that can help reduce the risk of an internal data breach, and therefore help avoid a potentially costly fine and reputation damage.

Identify and mitigate risks ahead

Identifying the areas in your organisation's processes that could result in a breach is one of these key steps. Data mapping helps directly with this by providing an overview of all the personal data your organisation handles, why and how it is handled, and which key internal and external stakeholders are involved. Additionally, carrying out Data Protection Impact Assessments (DPIAs) is highly recommended. Through DPIAs, risks can be identified in advance and the necessary mitigating measures put in place.

Spread awareness

Investing in company-wide staff training for data protection can have a huge impact on creating a privacy-conscious culture, which in turn contributes both to reducing the risk of an internal data breach and to ensuring that staff are aware of what to do in case a breach does happen. Make sure that not only the procedures themselves but also the reasoning behind them are explained, in a clear and straightforward manner. Next to that, allocate responsibilities and tasks in case of a data breach, and document the procedure.

Strengthen authentication procedures

Having a secure IT infrastructure in place is crucial for data protection as well. 

Multi-factor authentication can be a great tool to strengthen data security within an organisation. Activating multi-factor authentication for the applications used by employees adds another layer of security to the organisation's systems, as it requires an additional form of identification from users before they can access an application.

Additionally, while it may seem rather straightforward, communicating the importance of password hygiene is also an important step that should not be overlooked. Regularly remind employees to use different passwords for different applications and to update them often.

Put procedures in place for a potential data breach

If a data breach does happen, the organisation that processes the personal data must, once it becomes aware of the breach, notify the competent data protection authority within 72 hours (in accordance with GDPR Article 33), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Given the very tight 72-hour time frame and the complexity of the GDPR, the process can quickly become difficult and chaotic unless appropriate procedures are already in place. As a first step, look at which actions are required for handling data breach notifications, and then start mapping out the procedure.

Make sure

Despite the growing external threats of attacks and hacks that make headline news, the potential of an internal breach is something to take seriously into account. Even though an act such as sending an email to the wrong recipient may be considered a mild mistake by some, everyone should clearly understand the potential implications it could have. Taking the appropriate steps to educate and remind everyone internally of the importance of practical data security measures will pay off greatly for your GDPR compliance.