Cock-ups, rather than conspiracies, top self-reported data breaches

Ah, the old bcc blunder, classic

Data breaches at organisations that 'fess up to the UK's data protection watchdog are about seven times more likely to be caused by human error than hackers.

According to data released under the Freedom of Information Act, 2,124 incidents reported by organisations in 2017-18 could be pinned on mistakes or incompetence. Only 292 were classed as having a cyber element.

The figures, obtained by security biz Kroll, are on self-reported incidents from organisations to the Information Commissioner's Office, combined with data from annual reports.

Overall, the ICO has said (PDF) there were 3,156 self-reported data breaches in 2017-18 – up 29 per cent on the previous year and up 19.3 per cent on 2015-16.

The increase is due to a mix of greater awareness of what constitutes a data breach, and the fact that, since May this year, organisations are required to report serious data leaks under the General Data Protection Regulation.

The largest number of reports came from the healthcare sector, where breach reporting was already mandatory, with Kroll revealing there were some 1,214 reports made during 2017-18.

This was followed by general business (362), education and childcare (354) and local government (328).

In addition to self-reported incidents, the ICO also has to probe complaints from elsewhere. In 2017-18, it received 21,019 data protection concerns.

After investigating, the ICO can fine to organisations, and an analysis by The Register earlier this year found that the mode and median values were £70,000 and £85,000 respectively for breaches of the Data Protection Act.

The highest penalty awarded for a DPA breach to date is £400,000, however the ICO has threatened to fine Facebook £500,000 for its part in the Cambridge Analytica saga, although the charge has yet to transpire.

According to the Kroll analysis, the most common cock-ups were people sending data to the wrong recipient by email (447 reports) or snail mail (441 reports), followed by the loss or theft of paperwork, which accounted for 438 incidents.

Failing to redact data resulted in 256 mea culpas, while leaving data in an insecure location was reported 164 times.

Everyone's favourite technical hitch – staffers' inability to use the bcc function in emails – was responsible for 147 breaches, closely followed by the 133 equally facepalm-inducing incidents where an unencrypted device was lost or stolen.

Cyber break-ins were smaller than all of these, with unauthorised access resulting in 102 breach reports. Malware and phishing accounted for 53 and 51 breaches respectively, while 33 reports were attributed to ransomware, 20 to brute-forcing and two denial-of-service attacks. ®

Similar topics

Other stories you might like

  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading
  • There are 24.6 billion pairs of credentials for sale on dark web
    Plus: Citrix ASM has some really bad bugs, and more

    In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

    Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

    Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

    Continue reading
  • Elasticsearch server with no password or encryption leaks a million records
    POS and online ordering vendor StoreHub offered free Asian info takeaways

    Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

    Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

    StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading

Biting the hand that feeds IT © 1998–2022