Rules Navigator

Number of people affected by personal data breaches in Lithuania almost tripled in 2024

People walk in the historic city center in Vilnius, Lithuania.
Photo: Sean Gallup/Getty Images

Martina Lindberg

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

Close to half of all data subjects were affected by cyber incidents.

Personal data security breaches increased in 2024 in Lithuania, a report from Valstybinė duomenų apsaugos inspekcija (VDAI), shows.

VDAI, the State Data Protection Inspectorate, received a total of 273 notifications during the year, a slight increase from 254 in 2023, yet the total affected by breaches almost tripled with a total of 1,467,368 affected data subjects.

It is worth noting here that ‘subject’ refers to a consumer account, not to an individual person. The data of one person can feature in in more than one data breach, and one person can hold a number of consumer accounts.

Most of the breaches in 2024 were confidentiality breaches (87%), followed by integrity breaches (6%), accessibility breaches (6%), and unclassified reason (1%).

Human error

About half (52%) of the personal data security breaches (PDSB) were caused by human error, where VDAI describes the incidents as being “caused by actions taken due to negligence, lack of awareness that such actions could lead to a PDSB, or circumstances where technical and organisational measures were insufficient to prevent them.”

Second most breaches were connected to cyber incidents (33%) – yet almost half of all data subjects (49%) were affected by them, of which:

  • 66% resulted from unauthorized access to IT systems;
  • 18% from social engineering methods;
  • 11% from ransomware attacks; and
  • 5% from credential-stuffing attacks.
Graphic: Martina Lindberg

As stipulated by the GDPR, a breach must be notified to the authority within 72 hours if it poses risks to an individual’s rights and freedoms. During 2024, 79% of the data controllers reported breaches within the time limit, up 2% from 2023.

€9,000 fine on Municipality

From the investigations of 2024’s data breaches, the VDAI imposed one fine of €9,000 ($9,831) on a Vilnius Region Municipality’s Administration for violating GDPR by improperly processing personal data.

According to the VDAI, the Municipality failed to ensure the safety of personal data after a PDSB, a breach which affected many individuals as it disturbed the Municipality’s activity for a certain time where it could not provide some of its services. This included not being able to pay out social benefits on time.

“After the hacker encoded the personal data being processed on the Municipality’s servers, the confidentiality of data was infringed as well,” the authority said.

With the failures, the municipality was found to be violating principles of integrity and confidentiality in GDPR Article 5 part 1 point f, and the provisions indicated in Article 32 part 1 points b, c and d, and Article 32 part 2.

The amount of breaches has increased steady since 2018, with a peak of personal data security breaches in 2022, when there were 304 notifications and 1,955,382 affected subjects. Yet, it is notable that Lithuania went against the worldwide trend in 2023, where the number of people affected by data breaches instead decreased by 70% compared to 2022.

Another notable point was that breaches due to human error went down 20% in 2024 compared to 2023, yet breaches due to cyber incidents went up almost 20%.

Graphic: Martina Lindberg
, , , , ,

You may also like