People do not realize how valuable their personal data is. Only when data is used by unauthorized persons/organizations do people realize that it was worth taking care of proper security. What if, despite the high level of protection, personal data is illegally acquired and used? There are many questions about how this can happen, who is responsible for it, and what the negative consequences of the situation will be.

Personal data theft and loss

According to a survey conducted by Dynamics Markets Limited UK among European countries, including Poland, the identity of 17% of adult Poles (aged 35-44) has been stolen. In addition, 46% of Poles have been unlawfully deprived of funds that were stored in their bank accounts. The average loss due to the theft of personal data in Poland amounts to PLN 35 000! People whose identity has been stolen (27%) have "taken" loans or are in possession of unwanted credit cards. In addition, another 27% of the victims had to make payments for goods/services they would never have a chance to use. Data thieves are unscrupulous and use victims’ documents to buy real estate or cars. Approximately 40% of people find out after some time that someone lives at their expense and uses their identity in transactions. What is the cause of such a situation? A great deal of negligence on the part of document owners (e.g. not using shredders, tearing paper sheets in a way that allows their reconstruction, keeping important materials in publicly accessible drawers at home/work), or negligence in the protection systems of the entities that process data. Victims often become aware of the incident too late (in Poland it takes about a year to find out that the data has been illegally intercepted). Finally, helplessness sets in and numerous material/non-material losses occur.

Degree of trust in data collectors

In a study conducted by Dynamics Markets Limited UK, 98% of the interviewed respondents from Poland were not able to fully trust organizations which transfer personal data. People are not sure that personal information will be stored securely and remain inaccessible to unauthorized persons. This applies in particular to data protection systems of entities focused on offering services or goods. Bankers/financial institutions (44%), health centers (27%) and education centers (13%) enjoy a high trust level regarding data protection. Perhaps this is due to the functions they perform on the market and the way they communicate with society (they present themselves as professionals; as institutions that improve and organize the lives of members of society). This amount of trust is probably related to the belief that these organizations are investing heavily in technologies that allow for a comprehensive approach to database management.

Theft of personal data is not always the result of improper behavior of the owner.

It is worth asking how public or nonpublic organizations can allow data breaches. First and foremost, these disruptions are caused by the lack of education and awareness in business entities about internal or external procedures. People do not know that, for example, banks cannot update personal information and passwords, or check PIN compliance by email or telephone. The same applies to state offices or hospitals which are generally not entitled to obtain personal information in a way other than through direct contact. Currently, appropriate warning messages are posted on this subject, and then placed in brochures, in prominent places in institutions or on their websites.

Another reason for data breaches is the negligence of information management systems and their low (and sometimes zero) security levels. Without security audits and firewall testing, data can be easily intercepted. Large institutions such as banks, hospitals or offices invest in the formation of professional security departments; they form strategies to protect their stakeholders and take preventive action. This is because they are the most common targets for criminals/cybercriminals, considering the quality and amount of personal data they have. Despite their hard work, they are not always able to fully guarantee that the entrusted information will not be illegally appropriated. The following situations can serve as examples of such incidents:

  • the smuggling of several hundred thousand records from the PESEL database carried out by five execution offices from Warsaw and Lodz in 2016;
  • the leak of sensitive data of 50,000 Polish hospital patients in 2017;
  • the leak of account numbers, balances, PESEL numbers, addresses and phone numbers from four Polish banks (143 customer records of Credit Agricole, 1990 records of Idea Bank customers, 438 customer records of ING Bank Śląski and 964 customer records of mBank) in 2017;
  • the infiltration of information of 200 million US citizens by transferring it to the Amazon public server in 2017;
  • the mistake made by an employee of the Australian Immigration Department who caused a leak of personal data of 31 politicians, including Barack Obama, Vladimir Putin, Angela Merkel and David Cameron, which then fell into the hands of the organizers of the AFC Asian Cup.

How to avoid unwanted interference in information management systems?

Nowadays, when criminals are constantly looking for gaps and vulnerabilities in business databases, not only the speed of preventive actions counts, but above all, the support of a partner who specializes in maintaining a high level of security. Small, medium or large players in the market should take seriously the threats in cyber- and urban spaces, and perceive data entrusted by their stakeholders as the top priority.
