Small mistakes, big data breaches


We all make mistakes, especially simple mistakes, such as a typo here and there in email or grammatical oversights in a report. And who hasn’t called or texted a wrong number? Just this morning I tried to submit a web form, and it was rejected because I didn’t format a field input properly.

These types of mistakes, while annoying, are normal and very rarely cause any lasting harm. However, when it comes to managing data, especially data that resides on big databases and cloud systems, small mistakes (like forgetting a checkbox) can have huge repercussions.

This is one of the reasons why I wasn’t surprised to read this post from cybersecurity insurance provider Beazley. The report suggested that when it comes to data breaches, while attacks and malware capture the most attention, user error and business partners/suppliers cause nearly the same number of breaches.

According to Beazley, hacking and malware attacks remain (slightly) the leading cause of breaches, at 32 percent of the 1,330 client incidents Beazley handled, while breaches caused by user and third-party mishaps accounted for 30 percent.

At 42 percent, the healthcare vertical has been hit the hardest by breaches caused by internal mistakes. According to Beazley, these breaches were caused by such gaffes as misdirected faxes and emails or the improper release of regulated documentation. Interestingly, the number of breaches caused by insider mistakes remained steady year over year. The number of breaches caused by attacks and malware also remained steady, at 18 percent in the first half of this year compared to 17 percent in the same period last year.

Such internal errors, according to Beazley’s report, also caused a considerable amount of breaches in the first half of this year in both financial services and professional services. These sectors have been hit with breaches stemming from unintended disclosure at 29 percent and 14 percent, respectively. Attacks and malware, meanwhile, represented 27 percent of breaches for financial services in the first half of this year and 44 percent for professional services.

These accidental, or inadvertent, breaches can be substantial. In this story from The Hill, a company spokesman said that personal data pertaining to 2.2 million Dow Jones customers had been exposed on Amazon Cloud. The data leak was the direct result of internal error. According to the story, the data lost included customers’ names, email addresses and some financial details.

Fortunately, the data didn’t include usernames and passwords, or credit card data beyond the last four digits of the card. There was also no evidence that the data was accessed by anyone malicious.

The takeaway here? While enterprises spend a considerable amount of time and resources (for great reasons) defending against malicious and deliberate attacks conducted by outsiders, more attention needs to be spent on the system and data management basics. This would go a long way to help protect organizations from themselves and their own mistakes.

Some steps to help keep users from making mistakes in day-to-day business would include the use of data leak prevention systems (which try to catch people sending things they shouldn’t), database anomaly monitoring, and strong access controls that keep people out of places they shouldn’t be. Other steps include continuous monitoring of configuration and security policy compliance, so that a misconfigured cloud (such as the one that bit Dow Jones) could be identified relatively quickly and someone could then swiftly set the right configurations and lock the system down.
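One concrete form of the continuous compliance monitoring mentioned above is a scheduled check over an inventory of storage buckets that flags any bucket whose ACL or bucket policy grants access to anyone. The Python below is an added example, not code from the original post or from Beazley; it assumes an S3-style ACL and bucket-policy format (the post does not say what form the Dow Jones misconfiguration took), and the two-bucket inventory, bucket names and account id in it are constructed placeholders.

```python
"""Compliance check for anonymous exposure of object-storage buckets.

Added example, not from the original post. It evaluates S3-style bucket ACLs
and bucket policies supplied inline as constructed sample data; the bucket
names, grantee IDs and account id below are made up for illustration.
"""
import json

# Well-known grantee URIs that mean "anyone" / "any AWS account" in S3 ACLs.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_anonymous(principal):
    """True if a policy statement's Principal allows anyone ("*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def _actions(statement):
    """Normalise a statement's Action field to a list of strings."""
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def check_bucket(name, acl_grants, policy_json):
    """Return a list of (bucket, finding) tuples describing public exposure."""
    findings = []
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            group = uri.rsplit("/", 1)[-1]
            findings.append((name, f"ACL grants {grant['Permission']} to {group}"))
    if policy_json:
        policy = json.loads(policy_json)
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            if not _principal_is_anonymous(stmt.get("Principal")):
                continue
            # A Condition that narrows the caller (source IP, VPC, etc.) is
            # treated as mitigating here; an unconditional Allow to "*" is flagged.
            if stmt.get("Condition"):
                continue
            findings.append((name, f"policy allows {', '.join(_actions(stmt))} to anyone"))
    return findings


def scan(inventory):
    """Run check_bucket over every bucket record and collect all findings."""
    findings = []
    for bucket in inventory:
        findings.extend(check_bucket(bucket["name"], bucket.get("acl", []), bucket.get("policy")))
    return findings


# Constructed sample inventory: one exposed bucket, then the same bucket fixed.
SAMPLE_INVENTORY = [
    {
        "name": "example-customer-exports",  # hypothetical bucket name
        "acl": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ],
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::example-customer-exports/*"}],
        }),
    },
    {
        "name": "example-customer-exports-fixed",  # hypothetical bucket name
        "acl": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}],
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           # placeholder account id and role, not a real principal
                           "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
                           "Action": ["s3:GetObject"],
                           "Resource": "arn:aws:s3:::example-customer-exports-fixed/*"}],
        }),
    },
]

if __name__ == "__main__":
    for bucket_name, finding in scan(SAMPLE_INVENTORY):
        print(f"{bucket_name}: {finding}")
```

In practice the inventory would be pulled from the cloud provider's API on a schedule, and each finding should open a ticket or page someone so the grant can be removed within minutes rather than discovered by an outsider months later.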

These are small steps, to be sure, and they’re largely based on common sense. But the fact remains that too many companies don’t take the right steps or make the right common-sense decisions when it comes to data security. If they did, we wouldn’t see so many small mistakes become big data security incidents.
