Report information security incidents and personal data breaches at Karolinska Institutet
Karolinska Institutet is obliged to report incidents promptly. Under the General Data Protection Regulation (GDPR), for instance, a personal data breach must be reported to the supervisory authority within 72 hours of KI becoming aware of it, which is why every incident must be reported internally as soon as it is discovered.
An incident involving IT, information and/or personal data can take many forms. The following are some examples of common types of incidents that must be reported.
Information leakage through unauthorized disclosure of, or access to, information may involve:
- mistakenly sending information to unauthorized recipients by e-mail, letter or text message (SMS),
- a flaw in a technical system disclosing large amounts of personal data to unauthorized persons (regardless of whether those persons are affiliated with KI or not).
Information loss caused by theft, loss, destruction or alteration, e.g.:
- information has been lost because a computer, telephone, USB memory stick, tablet, document or other equipment containing information has been stolen, lost or destroyed.
Information tampering, if e.g.:
- information has been altered by an authorized or unauthorized individual in a way that jeopardizes its correctness (integrity).
IT attacks such as:
- malware or malicious code,
- availability attacks (e.g. Denial-of-service attacks),
- intrusions or intrusion attempts,
- attempts to get hold of information or money, e.g. through phishing or social engineering,
- hijacked KI login credentials, or suspected hijacking of them.