The intensification of cyberattacks in France has become part of daily life for the personal data watchdog. In yet another symptom of the wave of ransomware that has recently hit organizations of all kinds, the CNIL recorded 5,037 data breach notifications in 2021, an increase of 79% year-on-year.
Required for four years by the General Data Protection Regulation (GDPR) to notify the regulator when they have lost control of the personal data for which they are responsible, companies are certainly increasingly familiar with the procedure. But the CNIL also mentions “a very strong growth in computer attacks” over the period.
At least 2,200 ransomware attacks in 2021
The numbers speak for themselves. Nearly 6 out of 10 data breach notifications in 2021 were linked to a cyberattack rather than a banal computer accident. In 43% of cases, it was even a ransomware attack, the scourge that has already traumatized many bosses.
The CNIL has therefore learned, for 2021 alone, of nearly 2,200 attacks crippling the victim’s computer and demanding a ransom in exchange for the return of the data. This is much more than the 1,500 to 1,800 complaints related to this type of attack recorded by the police and the gendarmerie in four years (2016-2020), which until then had served as an indicator, albeit a far from perfect one.
14,000 complaints received, 12,500 closed
“Our measures probably remain below reality,” said Marie-Laure Denis, president of the CNIL, on Wednesday during the presentation of the institution’s annual report. In fact, some data breaches may still go unreported, although GDPR violators face heavy financial penalties. During its checks, the CNIL often finds obsolete encryption techniques making websites vulnerable, passwords that are too weak and, more generally, insufficient resources given the scale of the threat.
Not to be confused with notifications, the number of complaints received by the CNIL has remained almost stable compared to last year. Out of 14,143 complaints, its services managed to close 12,522. Despite the 20 positions created last year and the 25 hires planned for 2022, the CNIL is still overwhelmed with work. Its leaders are implementing a new procedure for the accelerated processing of complaints and are even in the process of outsourcing the administrative correspondence linked to the simplest complaints.
In addition to 135 formal notices, of which only two were public, the CNIL also issued 18 sanctions in 2021. Fifteen fines were imposed, for a record total of 214 million euros, including 150 million euros against Google and 60 million euros against Facebook.