Employees accidentally causing data leaks was Lithuania’s biggest security problem in early 2025. That’s the main finding from the country’s data protection watchdog.
The Lithuanian State Data Protection Inspectorate (VDAI) studied breaches from January to June 2025. They found 57% of incidents happened because of human error. Only 32% came from cyberattacks. IT system failures caused 11%.
“People made mistakes,” the report states plainly. Workers sent data to wrong recipients. Others fell for phishing scams. Some misconfigured systems. Standard security tools often couldn’t stop these errors.
By the Numbers
- 116 breaches reported
- 168,822 people affected
- 86% involved confidential data exposure
- 10% were failures to provide required information
Cyberattacks hurt more people overall though. A full 81% of affected individuals – 136,330 people – had data compromised in hacking incidents. Just 19% (32,492 people) were impacted by human slips or tech failures.
The VDAI counted these cyber incidents:
- 10 cases of hackers accessing systems illegally
- 10 social engineering attacks (like phishing)
- 8 ransomware attacks
- 3 brute-force login attacks
- 2 SQL injection attacks
- 2 system disruption cases
Reporting Problems Persist
GDPR rules require breach reports within 72 hours. Most Lithuanian organizations did this right. About 78% reported on time. But 22% still missed the deadline. That’s illegal.
The VDAI fined two public institutions earlier this year. One paid €9,000 in January after a breach investigation found GDPR violations. Another got a €3,529 fine in February for weak security measures. The agency also gave 4 formal orders and 14 recommendations to fix security gaps.
Why Humans Fail
Security experts say this isn’t just Lithuania’s problem. IBM’s 2024 breach report noted human error played some role in 95% of global incidents. Verizon’s 2024 DBIR found 74% of breaches involved human actions – mistakes or misuse.
“People get tired. They rush. They trust shady emails,” says cybersecurity analyst Janina Petrauskaitė. “Hackers know this. They attack human weaknesses first.”
What Organizations Should Do
The VDAI suggests practical steps:
- Train staff constantly on phishing and data handling. Use real examples.
- Make two-factor authentication mandatory everywhere.
- Check who can access sensitive data. Limit unnecessary access.
- Encrypt everything – on devices, in emails, during transfers.
- Create simple breach reporting steps so employees aren’t scared to speak up.
A VDAI spokesperson added: “Report serious breaches within 72 hours. Every time. It’s not optional.”
The Big Picture
Yes, ransomware makes headlines. But Lithuania’s data shows everyday errors cause most leaks. Fixing this requires constant effort – not flashy tech. Train people. Simplify processes. Build a culture where security feels like everyone’s job.
As one Vilnius IT manager put it: “We bought expensive firewall upgrades last year. Then an accountant emailed a client list to a scammer. Fancy tools can’t fix that. Only better habits can.”
