“This is the largest investigation of privacy breaches in Europe ever undertaken,” said Philip Howard, CEU Professor of Global Media and Communication and director of CMDS. “We looked 350 incidents over a 10-year period, with a very focused look at the 229 incidents that directly involved the privacy of people living in Europe.”
The total population of the countries covered in this study is 524 million, and the total population of internet users in these countries is 409 million. Expressed in ratios, this means that for every 100 people in the study countries, 43 personal records have been compromised. For every 100 internet users in the study countries, 56 records have been compromised.
Howard oversaw a team of multilingual 12 students at the CEU School of Public Policy (SPP) who reviewed news stories by citizen and professional journalists describing privacy breaches around Europe. Six months of research and refining brought the total down to 229 well-verified cases representing almost every country in the EU, plus Norway and Switzerland. Germany, Greece, Netherlands, and Norway are all countries with unusually high levels of privacy breaches.
One of the team's main findings is that the loss of private information seems to involve organizational insiders – the people who work for the organization – more than malicious hackers. According to Howard, 57 percent of the incidents involved organizational errors, insider abuse, or other internal mismanagement (2 percent unspecified).
“In the news we hear a lot of news stories about hackers who break into systems and steal our personal information.” Howard said. “But that was the minority of incidents – far and away, most of the cases organizational errors, insider abuse, or other internal mismanagement.
Howard said the next move for public policy is mandatory reporting. “When personal records are compromised, both companies and government offices should be required to report the possible privacy breaches both to the victims and a privacy commissioner. Most people don’t know who has legitimate access to their personal records, and they deserve to know when those records have been compromised.