![\"\"](\"https:\/\/www.softwareag.com\/app\/uploads\/2025\/06\/Artboard-1-1-1024x538.jpg\")
<\/figure>\n\n\n\nNumber of incidents \u2013 EU and global (July 2023 \u2013 June 2024)<\/p>\n\n\n\n
An analysis of individual sectors reveals that the public sector is particularly hard hit, accounting for 19% of attacks, followed by the transport sector (11%) and banking and finance (9%). This is not surprising\u2014many still remember the high-profile cyberattacks targeting the German Bundestag, municipalities, university hospitals, Dutch law enforcement, and Spanish citizens and authorities.(3-8)<\/sup><\/p>\n\n\n\n Affected sectors \u2013 The public sector is the most affected! (July 2023 – June 2024)<\/p>\n\n\n\n Breaking down cyber threats by category, the direct threat to stored data\u2014primarily databases\u2014accounts for 45%, with 19% of incidents involving data breaches and 26% involving ransomware attacks (2)<\/sup>.<\/p>\n\n\n\n Analysis of threats by type<\/p>\n\n\n\n Under Article 32 of the GDPR<\/strong>(9)<\/sup> (Security of Processing), the following is required: \u201c\u2026the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.\u201d<\/p>\n\n\n\n Specifically, it highlights \u201cthe pseudonymization and encryption of personal data\u201cas an effective measure.\u00a0<\/p>\n\n\n\n Additionally, the German Federal Office for Information Security<\/strong> (BSI) recommends encryption as a key strategy to minimize the risk of IT operations in its\u00a0BSI Standards\u00a0<\/strong><\/span>(10)<\/sup> 200-1 to 200-4.<\/strong><\/p>\n\n\n\n \u00a0Under Article 33<\/strong> of the GDPR<\/strong>(9)<\/sup> (Notification of a personal data breach to the supervisory authority), companies are required to notify a personal data breach to the supervisory authority within 72 hours of becoming aware of the breach. The data controller must notify the relevant supervisory authority in accordance with Article 55 unless the breach is unlikely to pose a risk to individuals\u2019 rights. If the notification is delayed by more than 72 hours, an explanation for the delay must be provided.<\/p>\n\n\n\n Despite the clear guidelines, uncertainty remains in the IT world regarding the correct application of GDPR reporting requirements.<\/p>\n\n\n\n To clarify this, the European Data Protection Board<\/strong> (EDPB) has developed guidelines(11)<\/sup>, including case studies.<\/p>\n\n\n\n In \u201cCASE No. 01: Ransomware with proper backup and without exfiltration<\/strong>,\u201d the following scenario is described:<\/p>\n\n\n\n \u201cComputer systems of a small manufacturing company were exposed to a ransomware attack, and data stored in those systems were encrypted. The data controller used encryption at rest, so all data accessed by the ransomware was stored in encrypted form using a state-of-the-art encryption algorithm. The decryption key was not compromised in the attack, i.e. the attacker could neither access it nor use it indirectly. In consequence, the attacker only had access to encrypted personal data.\u201d<\/p>\n\n\n\n The necessary measures are set out in the table published in the guidelines:<\/p>\n\n\n\n The necessary measures are justified as follows:<\/p>\n\n\n\n \u201cIn this example, the attacker had access to personal data, and the confidentiality of the ciphertext containing personal data in encrypted form was compromised. However, any data that might have been exfiltrated cannot be read or used by the perpetrator, at least for the time being. The encryption technique used by the data controller is state-of-the-art. The decryption key was not compromised and presumably could also not be determined by other means. In consequence, the confidentiality risks to the rights and freedoms of natural persons are reduced to a minimum barring cryptanalytic progress that renders the encrypted data intelligible in the future.\u201d<\/p>\n\n\n\n Because of this, the company was not required to report the incident to authorities or affected individuals.<\/strong><\/p>\n\n\n\n When comparing the cost of implementing IT security measures with the potential loss of reputation, sales, and customer trust, the benefits of proactive investment quickly become clear.<\/p>\n\n\n\n \u00a0In today’s hyperconnected world, where news spreads instantly across online platforms and social media, organizations must not underestimate the long-term damage a cyberattack can cause.<\/p>\n\n\n\n To mitigate risks, Software AG strongly recommends that its customers implement encryption<\/strong>\u00a0<\/strong>(12) and\u00a0auditing\u00a0<\/strong>(12) for its Adabas databases to keep IT risks to<\/span> a minimum. Both measures complement each other and form the optimal technology mix to protect against attacks and unwanted internal and external data leaks.<\/p>\n\n\n\n (1) https:\/\/www.gartner.com\/reviews\/market\/intrusion-prevention-systems<\/a><\/sub>![\"\"](\"https:\/\/www.softwareag.com\/app\/uploads\/2025\/06\/Artboard-2-1024x538.jpg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.softwareag.com\/app\/uploads\/2025\/06\/Artboard-3-1024x538.jpg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.softwareag.com\/app\/uploads\/2025\/06\/Table_EN_1200x400-1024x342.jpg\")
<\/figure>\n\n\n\n
(2) https:\/\/www.enisa.europa.eu\/publications\/enisa-threat-landscape-2024<\/a><\/sub>
(3) https:\/\/www.auswaertiges-amt.de\/en\/newsroom\/news\/hacker-attack-bundestag-2345580<\/a><\/sub>
(4) https:\/\/www.dw.com\/en\/germany-cybercrime-by-foreign-actors-rose-by-28-in-2023\/a-69065980<\/a><\/sub>
(5) https:\/\/www.heise.de\/en\/news\/After-cyber-attack-Suedwestfalen-IT-wants-to-reform-itself-profoundly-10188167.html<\/a><\/sub>
(6) https:\/\/www.bbc.com\/news\/technology-54204356<\/a><\/sub>
(7) https:\/\/www.dutchnews.nl\/2024\/09\/police-leak-leaves-data-of-62000-officers-in-hands-of-hackers\/<\/a><\/sub>
(8) https:\/\/www.statista.com\/topics\/7011\/cyber-crime-in-spain\/#topicOverview<\/a><\/sub>
(9) https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679<\/a><\/sub>
(10) https:\/\/www.bsi.bund.de\/EN\/Themen\/Unternehmen-und-Organisationen\/Standards-und-Zertifizierung\/IT-Grundschutz\/it-grundschutz_node.html<\/a><\/sub>
(11) https:\/\/www.edpb.europa.eu\/our-work-tools\/our-documents\/guidelines\/guidelines-012021-examples-regarding-personal-data-breach_en<\/a><\/sub>
(12) https:\/\/www.softwareag.com\/app\/uploads\/2025\/08\/ebook-adabas-maximize-security-en.pdf.sagdownload.inline.1669044425901.pdf<\/a><\/sub><\/p>\n\n\n\n
![\"\"](\"https:\/\/www.softwareag.com\/app\/uploads\/2025\/08\/blog-an-ibm-z16-03.jpg\")
\n <\/div>\n