Half of all the privacy breaches affecting people in Europe are inside jobs according to new research from Central European University.

The findings come from a report released by the Center for Media, Data and Society directed by Phil Howard, CEU Professor of Global Media and Communication. The project applies rigorous empirical social science methods to the study of digital media and society.

“This is the largest investigation of privacy breaches in Europe ever undertaken,” Howard said. “We looked 350 incidents over a 10-year period, with a very focused look at the 229 incidents that directly involved the privacy of people living in Europe.”

Howard oversaw a team of multilingual 12 students at the CEU School of Public Policy who reviewed news stories by citizen and professional journalists describing privacy breaches around Europe. Six months of research and refining brought the total down to 229 well-verified cases representing about every country in the EU, plus Norway and Switzerland.

Howard said that one of their main findings is that the loss of private information seems to involve organizational insiders – the people who work for the organization—more than malicious hackers.

“In the news we hear a lot of news stories about hackers who break into systems and steal our personal information.” Howard said. “But that was the minority of incidents. Most of the cases involve organizational errors, insider abuse, or other internal mismanagement.

According to Howard, 57 percent of the incidents involved organizational errors, insider abuse, or other internal mismanagement. External attacks by hackers involved 41 percent of incidents (2 percent unspecified). Other findings include:

89 percent of all the records from all the breaches that compromised the privacy of people in Europe were lost by corporations, rather than governments or other kinds of organizations.

226 million personal records about people living in Europe have been compromised in the last 10 years.

24 percent of the Europe-specific breaches were the result of breach attacks launched from the UK, and for every 100 people living in the UK, 200 personal records have been compromised.

Germany, Greece, Netherlands, and Norway are the other countries with unusually high levels of privacy breaches.

Howard said first step next move for public policy is mandatory reporting. “When personal records get compromised, both companies and government offices should be required to report the possible privacy breaches both to the victims and a privacy commissioner. Most people don’t know who has legitimate access to their personal records, and they deserve to know when those records have been compromised.

The complete report is available here.