ENISA Data Breach Severity Calculator

Compute severity based on Data Processing Context (DPC), Ease of Identification (EI), and Circumstances of the Breach (CB).
1) Data Processing Context (DPC)
Examples and guidance for DPC categories
  • Simple data (base 1): biographical/contact details and similar (e.g., full name, postal address, phone, education, family life, professional experience). Example cases: customer list of a supermarket (1); list from a luxury goods seller (2: implies higher financial status); delivery addresses of an adult book store (3: sexual preferences); undercover officers list (4: critical safety). Credentials that only access low-impact stores (e.g., music store) also map here (1).
  • Behavioural data (base 2): location, traffic data, personal preferences and habits. Example cases: ISP helpdesk incoming calls (1); one week call history (2); one year call history (3: detailed profile); calls to a psychological support centre (4: infers health). Loyalty/supermarket monthly purchases (2); transport card location for a year (3); pharmacy purchases (4).
  • Financial data (base 3): income, transactions, balances, bank statements, credit cards, invoices, investments, social welfare. Example cases: mere bank customer letter (1); one-day transactions without details (2); one-month balances (3); one-year detailed statements (4). Credit cards: very old/invalid (1); partial card info (2/3 depending details); full details enabling transactions (4).
  • Sensitive data (base 4): health, political affiliation/opinions, sexual life. Example cases: “performed general blood tests” (1); ER blood test fact (2); test for a specific disease (3); actual test results (4). Political opinions in a closed forum (4). Dating site with declared sexual orientation (4).
  • Note: If multiple categories apply, score each; use the highest value for DPC. Credentials inherit the category of what they can access (e.g., online banking credentials → financial 4 if they enable fraud).
Adjust the base category score to reflect volume, controller/individuals’ characteristics, invalidity, public availability, or the nature of data. Final DPC is clamped to [1..4].
When to adjust DPC (examples)
  • Increase for higher volume/time span (e.g., one year of calls vs one week), controller context revealing more (e.g., online pharmacy vs stationery shop), or individuals with special characteristics (e.g., minors, public figures).
  • Decrease for known invalid/inaccurate data, data already publicly available, or data whose nature is benign (e.g., medical certificate stating “good health” only).
2) Ease of Identification (EI)
Choose how easily individuals can be identified from the breached data and context.
Examples for EI levels and identifiers
  • Full name: 0.25 in a country with many duplicates; 0.5 where few share the name; 0.75 in a small city with few/no duplicates; 1 if combined with DOB/email.
  • ID/passport/SSN: 0.25 if no link to reference database; 0.75 if reveals extra info and linked to other data; 1 if reference data present (e.g., ID + name/photo).
  • Telephone/Home address: 0.25 if unlisted nationally; 0.5 if unlisted in a small city but contactable; 1 if listed in public registers.
  • Email: 0.25 if not revealing name and not commonly used publicly; 0.75 if searchable/used widely; 1 if reveals name and is the primary public address.
  • Pictures: 0.25 unclear CCTV; 0.5 unclear but context/location helps; 0.75 clear image; 1 clear + linked context (e.g., membership/home address).
  • Codes/Aliases/Initials: 0.25 if cannot link to other data without access; 0.75 if reveals some info (e.g., first name) and linked; 1 if alias reveals full name or reference data available.
  • Note: Combining identifiers increases EI; consider real-world cross-matching that is reasonably likely to be used.
3) Circumstances of the breach (CB)
Examples for CB choices
  • Confidentiality: 0 lost laptop/paper with no evidence of access; +0.25 email to known wrong recipients or cross-customer account views; +0.5 posted to public forum/P2P, sold on media, misconfigured public website.
  • Integrity: 0 altered but original recovered before use; +0.25 possibly used incorrectly but recoverable (e.g., change requires reprocessing); +0.5 possibly used and not recoverable (original lost).
  • Availability: 0 copies exist or easy reconstruction; +0.25 temporarily unavailable but reconstructable with effort; +0.5 not recoverable (no backup and cannot be re-provided).
  • Malicious intent: +0.5 if intentional (e.g., theft/hacking to harm, selling data, deliberate posting/sharing).
4) Flags
Flags do not change score, but inform the assessment.
The individuals flag is shown when the count exceeds 100.
What these flags mean
  • Individuals > 100: higher overall scale and disclosure risk for any given person in larger incidents; inform notification decision-making.
  • Unintelligible data: strong encryption without key compromise substantially reduces impact likelihood even if data were accessed.
Formula: SE = DPC × EI + CB
Low: SE < 2 | Medium: 2 ≤ SE < 3 | High: 3 ≤ SE < 4 | Very High: 4 ≤ SE
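The scoring rule above (DPC clamped to 1..4, EI from the four levels, CB as the sum of three 0/0.25/0.5 elements plus 0.5 for malicious intent, SE = DPC × EI + CB, then the four bands) is small enough to implement directly. The following is an added example written for this page, not the calculator's own code: the category keys, the function names and the sample scenario are assumptions; every number comes from the methodology stated on the page.

```python
"""Added example: ENISA data breach severity scoring as described on this page."""

# Base DPC score per data category (page section 1).
DPC_BASE = {"simple": 1, "behavioural": 2, "financial": 3, "sensitive": 4}

# Allowed Ease-of-Identification levels (page section 2).
EI_LEVELS = (0.25, 0.5, 0.75, 1.0)

# Allowed per-element Circumstances-of-Breach increments (page section 3).
CB_LEVELS = (0.0, 0.25, 0.5)

# Severity bands: Low < 2, Medium [2, 3), High [3, 4), Very High >= 4.
BANDS = (("Low", 2.0), ("Medium", 3.0), ("High", 4.0))


def dpc_score(categories, adjustment=0):
    """Highest base score over all applicable categories, plus the context
    adjustment (volume, controller, individuals, invalidity, public availability),
    clamped to the 1..4 range the page requires."""
    if not categories:
        raise ValueError("at least one data category is required")
    base = max(DPC_BASE[c] for c in categories)  # KeyError for unknown category
    return min(4, max(1, base + adjustment))


def cb_score(confidentiality=0.0, integrity=0.0, availability=0.0, malicious=False):
    """Additive CB total: each element is 0, 0.25 or 0.5; malicious intent adds 0.5."""
    for name, value in (("confidentiality", confidentiality),
                        ("integrity", integrity),
                        ("availability", availability)):
        if value not in CB_LEVELS:
            raise ValueError(f"{name} must be one of {CB_LEVELS}, got {value}")
    return confidentiality + integrity + availability + (0.5 if malicious else 0.0)


def severity(dpc, ei, cb):
    """SE = DPC x EI + CB, returned together with its band name."""
    if dpc not in (1, 2, 3, 4):
        raise ValueError("DPC must be an integer in 1..4")
    if ei not in EI_LEVELS:
        raise ValueError(f"EI must be one of {EI_LEVELS}")
    se = dpc * ei + cb
    for band, upper in BANDS:
        if se < upper:
            return se, band
    return se, "Very High"


def assess(categories, ei, adjustment=0, individuals=1, unintelligible=False, **cb):
    """Full assessment: scores, band, and the two informational flags
    (more than 100 individuals; data unintelligible, e.g. strongly encrypted)."""
    dpc = dpc_score(categories, adjustment)
    cb_total = cb_score(**cb)
    se, band = severity(dpc, ei, cb_total)
    flags = []
    if individuals > 100:
        flags.append("individuals > 100")
    if unintelligible:
        flags.append("data unintelligible")
    return {"dpc": dpc, "ei": ei, "cb": cb_total, "se": se, "band": band, "flags": flags}


if __name__ == "__main__":
    # Constructed scenario, not from the page: one year of detailed bank statements
    # (financial, +1 for time span -> 4), full name with DOB (EI 1), posted to a
    # public forum (+0.5) with malicious intent (+0.5), 5,000 affected individuals.
    result = assess(["financial"], ei=1.0, adjustment=1, individuals=5000,
                    confidentiality=0.5, malicious=True)
    print(result)  # SE 5.0, Very High, flag individuals > 100
```

The `individuals` and `unintelligible` arguments only populate `flags`, matching the page's statement that flags inform the assessment without changing the score; a strongly encrypted dataset therefore still gets its numeric SE, and the flag is what tells the reviewer that the likelihood of impact is substantially reduced.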
Result panel (tool default state): SE = 1.00, severity level Low, DPC × EI = 1.00, CB total = 0.00.
This tool implements ENISA’s data breach severity approach: DPC (1–4, adjusted by context), EI (0.25/0.5/0.75/1), CB additive (0/0.25/0.5 per element; +0.5 malicious), with SE bands Low/Medium/High/Very High. Flags: >100 individuals; data unintelligible. See ENISA Recommendations for severity methodology (2013).