In 2019, there was a significant drop in the total number of security incidents notified to ANACOM by electronic communications networks and services companies (80 security incidents, 29% down on the previous year), but, on the other hand, there was an increase in the number of more serious incidents, i.e. those that had an impact on a greater number of subscribers/accesses.
In fact, in 2019, there were six incidents lasting 30 minutes or more and having an impact on half a million subscribers/accesses or more (only one incident of this magnitude had been recorded in each of the previous two years). For this reason, considering all the incidents observed in 2019, it may be concluded that they had an accumulated impact on 12.4 million subscribers/accesses, i.e. 513% more than the number observed in the previous year (2.4 million). The most serious incident occurred in October and had an impact lasting around 4 hours on around 4 million subscribers/accesses. Incidents impacting more than 2.5 million subscribers/accesses were reported in March and May.
Security incidents in terms of the total number of subscribers/accesses affected were due to hardware/software failures (63%), human error (27%) and malicious attacks (4%).
Of the 39 security incidents reported due to their impact on the number of subscribers/accesses affected, 15 involved the obligation for the companies Altice, NOS and Vodafone to publicly disclose the incidents.
Also noteworthy is the worsening of the situation in 2019 with regard to incidents that affected the possibility of users contacting emergency call centres using the 112 emergency number. In fact, 31 security incidents reported in 2019 (i.e. 39% of the total) had an impact on access to the 112 Service Centres of the Public Security Service Stations (in 2018, this impact was only found in 13 of the reported incidents, i.e. 12% of the total).
It should be noted that, in 2019, ANACOM reported to the European Commission, and to the European Union Agency for Cybersecurity (ENISA), 8 security incidents, which exceeded the EU-wide threshold, based on the duration of one incident and on the relative number of subscribers/accesses affected (in 2018, this figure was 5 security incidents).
The total of 80 notifications reported in 2019 is the lowest since 2015, as shown in graph 1, with the highest value observed in 2017 (192 incidents), associated with the wave of forest fires witnessed in that year.
Graph 1 – Annual value of security incidents reported during the 2015-2019 period.
Unit: number of notifications
Source: ANACOM
If we consider all incidents notified in 2019, it may be concluded that 56% were due to a failure in the supply of goods or services by external entities, in particular faults in the supply of electricity or failures in leased lines. Also worthy of note are hardware/software failures, which account for 23% of total reported incidents; occurrences due to accidents/natural disasters, responsible for 11% of incidents; and malicious attacks, which gave rise to 6% of the notifications. Human error caused only 4% of the incidents.
In 2019, most notifications impacted two or more publicly available electronic communications services. According to the notifications received, fixed telephony was the service most affected, with 75% of the total notifications received; this was followed by mobile telephony, with 68%; and mobile Internet, with 35% of total notifications.
During the last five years, the three services most affected were, in decreasing order (graph 2): fixed telephony (68%), mobile telephony (56%) and mobile Internet (48%). Fixed Internet, DTT and pay-TV accounted for 28%, 24% and 19% of notifications received, respectively.
Graph 2 – Percentage of security incidents reported in the period 2015 to 2019 by type of service affected.
Unit: % of security incidents
Source: ANACOM
The full version of the 2019 Report on Security Breaches or Loss of Integrity, released on the current date by ANACOM, presents and analyses, in aggregate form, the information contained in notifications of security breaches or loss of integrity with significant impact on the functioning of networks and services, which all companies offering public communications networks or publicly available electronic communications services are bound to report.
