Data Breach Disclosure Is Still Taking Too Long, Report Reveals as GDPR Looms

Graham Cluley

May 10, 2018

The accepted wisdom in the field of cybersecurity is that things are getting worse, and that more businesses are losing control of more data than ever before.

What a bunch of pessimists we are… The truth, however, might be rather different.

A new study published by Risk Based Security has examined the number of data breach incidents in the first quarter of 2018, and compared it to the same time period in previous years.  And guess what?  It doesn’t look like we’re doing *that* badly.


It’s difficult to conclude with certainty quite what has caused this downturn in data breaches, but the researchers put forward the theory that one factor could be a pivot by criminals towards cryptomining and away from “traditional” revenue-generating attacks such as ransomware.

Furthermore, there appears to have been a marked reduction in the number of reports of employees’ W-2 data being stolen by hackers (over 200 instances of such thefts were reported in Q1 2017, compared to fewer than 35 confirmed reports disclosed during the first three months of this year).

Of course, the sheer number of incidents fails to give us a good indication of their severity, or indeed just how many records may have been put at risk.  But even there, according to the study, things do not appear to be *quite* as dire as one might imagine.


Yes, it appears that compared to Q1 2017 the number of exposed records has dropped from 3.4 billion records to approximately 1.4 billion.

Of course, there is still clearly significant room for improvement, and this is far from something we can all relax about.

And another area where we all definitely need to see some headway being made is in the speed of breach disclosure.

First the good news: the average number of days it takes for companies to report a breach after initially discovering it has continued to drop from year to year, according to the research.

However, it’s still taking businesses far too long to admit to a breach, and that could ultimately lead to companies getting into trouble with regulators – especially with the imminent arrival of GDPR.


According to the research it typically takes a business 37.9 days between identifying a security breach and disclosure.  That’s down from 42.7 days in the first quarter of 2017, and 68.9 days in Q1 2016.

GDPR legislation, however, expects companies to inform supervisory authorities of a data breach involving the personal information of European users within just 72 hours.

As Computer Weekly recently reported, there can be pressure on some organisations to report breaches even more quickly than that. Deloitte partner Nick Seaver told the 2018 IISP conference in London that “one financial sector regulation in Singapore requires notification within just one hour of discovery.”

That may be an extreme case, but what cannot be denied is that as the media and consumers have come to better understand the risks associated with data breaches, there is a definite shift towards speedier disclosure backed by regulations.

If your company hasn’t already put in place your “disaster plan” for how to respond quickly and appropriately to a data breach, I have to wonder what you’re waiting for…



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
