State Data Protection Inspectorate

02/12/2026 | Press release | Distributed by Public on 02/12/2026 01:23

Personal Data Security Breaches in Lithuania in 2025

The State Data Protection Inspectorate (SDPI) received 223 reports of personal data security breaches (PDSBs) in 2025, affecting 1,249,409 data subjects in Lithuania.

The number of PDSB reports received by SDPI in 2025 decreased compared to 2024 (when 273 reports were received), as did the number of affected data subjects (1,467,368 affected individuals in 2024).

Statistically, confidentiality breaches accounted for the majority of PDSBs in Lithuania, making up 83% of all cases in 2025. Integrity breaches accounted for 6% of cases, accessibility breaches for 10%, and in 1% of cases, the incident was not classified as a PDSB (as it did not meet the definition).

After analysing the PDSB reports received in 2025, SDPI determined that 58% of breaches resulted from human error. These incidents were caused by actions taken due to negligence, lack of awareness that such actions could lead to a PDSB, or circumstances where technical and organizational measures were insufficient to prevent them. PDSBs caused by other factors accounted for 13% of cases. These included various IT system failures, such as system errors that prevented timely data updates, leading to disruptions in service provision by data controllers. Additionally, programming errors resulted in unauthorised individuals gaining access to personal data.

SDPI also identified that 29% of PDSBs were the result of cyber incidents. Among these, 16% were due to ransomware attacks, 45% resulted from unauthorised access to IT systems, 26% involved social engineering methods, and 7% were caused by credential-stuffing attacks. 3% of PDSBs were reported for SQL injection and denial of service attacks.

Notably, cyber incidents impacted 57% (713,644) of all affected data subjects in 2025, while breaches caused by other factors affected 43% (535,765) of data subjects.

SDPI emphasises that data controllers must notify the authority without undue delay, and no later than 72 hours after becoming aware of a PDSB, if the breach poses a risk to individuals' rights and freedoms, as stipulated by the GDPR. In 2025, 63% of data controllers reported PDSBs within the required 72-hour period, while 37% submitted their reports late.

In 2025, the SDPI adopted decisions to impose 5 fines on public and private legal entities, totalling 27,529 EUR, for identified violations of the GDPR provisions. Additionally, based on its review of 2025 PDSB reports and the inadequate personal data security measures it identified, SDPI issued 9 instructions and 22 recommendations to help ensure compliance with GDPR requirements in personal data processing.

State Data Protection Inspectorate published this content on February 12, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on February 12, 2026 at 07:23 UTC.