Reporting threats to or breaches of personal data protection (data breach) and other information security issues
A personal data breach is an incident that leads to the destruction, loss, alteration or unauthorized disclosure of, or access to, personal data (Article 4 Nr. 412 GDPR). Such an incident can result in economic disadvantages (e.g. identity theft or fraud) or social disadvantages (e.g. discrimination) to the natural person concerned. Moreover, as a state university in Baden-Württemberg, the University of Konstanz is obliged – in its commitment to safeguarding the citizens and the economy of the state – to collect, store, transmit and use data in a responsible manner (cf. Ziff. 1 VwV Informationssicherheit).
In order to prevent or limit any potential damage, and to document and correlate any incidents with damaging effects as quickly and efficiently as possible, it is necessary to react to such threats or breaches in a timely and appropriate manner.
If you become aware of an incident involving either a threat to or breach of personal data or any other information security issue, please report it immediately.
Examples of incidents include:
- accidental transmission of confidential information to unauthorized recipients
- accidental publication of personal data on the internet
- permanent loss of data due to accidental deletion, with no backup available for recovery
- theft or loss of a data storage device (e.g. laptop, USB flash drive) when the data on it is not effectively encrypted
- technical failure of equipment, software or infrastructure (e.g. unexpected power failure)
- ransomware (malware used for blackmailing purposes) or other malicious programmes infecting the computer
- hacking attack resulting in access to information on a database
- unauthorized acquisition of access rights to an email account, e.g. as a result of a phishing attack
- temporary disruption of services, e.g. as a result of a DDoS attack
Examples of threats that could potentially lead to an incident, but have not yet resulted in one, include:
- unencrypted transmission of passwords
- distributing emails with malicious attachments
- software vulnerabilities or weak points in IT systems, e.g. inadequately secured remote maintenance access
- disregarding security requirements when planning processing activities
- suspiciously high network data traffic
- unlocked offices
- using the same password for two or more accounts or system logins
- using a laptop on business trips without effective hard drive / data encryption