Introduction: Data breaches, and how organisations can improve
With the new focus on digital privacy and data privacy regulations, data breaches are increasingly in the news. Global data privacy regulations have outlined the types of data that are considered sensitive and the penalties for a breach. Global data protection laws, as well as the number of high-profile data breaches, have caused organizations to commit to a greater focus on privacy. Organizations are actively working to decrease their potential exposure to a data breach by enhancing their cyber-security defenses.
When trying to design and implement a strategy for protecting against data breaches, it’s useful to understand what the most common causes of these breaches are. This article looks at the data from the first quarter of 2019 and classifies breaches into several common categories.
Common causes of data breaches
Data breaches involve the release of sensitive data to unauthorized parties. While most people’s first thought when hearing of a data breach is that external attackers have gained access to the organization, data breaches can be caused by a variety of different reasons.
Here we define seven different causes of data breaches:
- Accidental Web/Internet Exposure: Sensitive data is accidentally placed in a location accessible from the Web. The news stories about improper use of Amazon S3 permissions (and other cloud storage) fall into this category.
- Data on the Move: Securing data in transit is often a challenge for companies. Using HTTP and other insecure protocols is a common cause.
- Employee Error/Negligence/Improper Disposal/Lost: This category covers all data breaches caused by employee negligence. Data security policies that are weak and/or unenforced can lead to unintentional data breaches.
- Hacking/Intrusion: Data breaches involving an external party (i.e., a hacker) are what most people expect when they hear of a data breach. This category includes phishing, malware/ransomware and skimming.
- Insider Theft: This category also deals with employees, but covers cases where insiders intentionally breach sensitive data.
- Physical Theft: Laptops and mobile devices commonly store sensitive or valuable data. These devices can easily be lost or stolen when taken to public areas.
- Unauthorized Access: Poorly designed or implemented access controls can allow people to access data that they are not authorized for.
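The "Accidental Web/Internet Exposure" category above is typically the result of a storage permission that grants access to everyone. The following is an added example, not code from the original article: a small, offline checker that flags world-accessible grants in an S3-style bucket policy and bucket ACL, with a constructed weak policy beside a constructed hardened one. The bucket name, the role ARN and the account ID `123456789012` are placeholders; the checker makes no AWS API calls and assumes only the standard IAM policy JSON format and the grant shape returned by the S3 GetBucketAcl API.

```python
"""Detect public-access grants in S3-style bucket policies and ACLs.

Added illustration for the "Accidental Web/Internet Exposure" category;
this is not code from the original article. It runs on constructed
policy/ACL documents only and makes no AWS API calls.
"""
import json

# Well-known S3 group URIs whose presence in an ACL grant makes the
# bucket readable by anyone (AllUsers) or by any AWS account (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal):
    """True when a policy statement's Principal grants to everyone ("*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def find_public_policy_statements(policy_json):
    """Return (public, needs_review): labels of Allow statements open to everyone.

    An Allow statement with a public principal and no Condition block is a
    public grant. A Condition (for example on aws:SourceVpce) may narrow the
    access, so conditioned statements are listed for manual review instead.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    public, needs_review = [], []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        (needs_review if stmt.get("Condition") else public).append(label)
    return public, needs_review


def find_public_acl_grants(acl):
    """Return (grantee_uri, permission) pairs that expose the bucket to the world."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


# Constructed sample: the kind of policy behind an "accidental exposure" story.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed hardened version: access limited to one role (placeholder account ID).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed edge case: public principal narrowed by a Condition (placeholder VPC endpoint).
CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Principal": {"AWS": ["*"]},
                  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
                  "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
})

# Constructed ACL with an owner grant plus a world-readable grant.
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

if __name__ == "__main__":
    print("weak policy:", find_public_policy_statements(WEAK_POLICY))
    print("hardened policy:", find_public_policy_statements(HARDENED_POLICY))
    print("conditioned policy:", find_public_policy_statements(CONDITIONED_POLICY))
    print("weak acl:", find_public_acl_grants(WEAK_ACL))
```

In practice the same functions would be run over the documents returned by `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` for every bucket in an account; the preventive control that stops such grants from taking effect at all is S3 Block Public Access, which this checker complements rather than replaces.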
Data breaches involving external parties gaining access to an organization’s network are only one of several different types of breaches.
Causes of large data breaches
Data breaches occur practically every day. According to the statistics, there were 264 breaches in Q1 2019, or almost three breaches per day on average.
However, we don't hear about most of these breaches on the news. Only the "huge" breaches make the headlines. In this section, we'll break down the major causes of breaches in two ways: by the number of records exposed in a single breach, and by the number of records exposed in Q1 2019 by each breach type.
Causes of the largest breaches
In Q1 2019, the ITRC recognized eight breaches that exposed at least 100,000 records. These breaches are summarized in the following table.
| Organization | Publication Date | Exposed Records | Root Cause |
|---|---|---|---|
| Centerstone Insurance and Financial Services d/b/a Benefitmall | 1/4/2019 | 111,589 | Hacking/Intrusion |
| Columbia Surgical Specialist of Spokane | 2/18/2019 | 400,000 | Hacking/Intrusion |
| University of Washington Medical Center | 2/19/2019 | 973,024 | Accidental Web/Internet Exposure |
| Health Alliance Plan | 3/7/2019 | 120,344 | Hacking/Intrusion |
| Federal Emergency Management Agency (FEMA) | 3/15/2019 | 2,300,000 | Employee Error |
| ZOLL Services LLC | 3/18/2019 | 277,319 | Not Disclosed |
You can see that while Hacking/Intrusion may be the most common cause of data breaches, that doesn't make it the most damaging. The FEMA breach alone exposed more records than all the Hacking/Intrusion breaches in the table put together, yet it was caused by employee negligence. The second-largest breach (UW Medical) was also not caused by hacking.
Causes of most lost records in March 2019
In March 2019, ITRC began including additional information in its breach reports: a breakdown of the number of records breached in that month by the cause of the breach.
| Root cause | Exposed Records (%) |
|---|---|
| Employee Error/Negligence/Improper Disposal/Lost | 2,313,460 (69.6%) |
| Unauthorized Access | 427,356 (12.9%) |
| Accidental Web/Internet Exposure | 381,812 (11.5%) |
| Physical Theft | 21,221 (0.6%) |
| Data on the Move | 2,088 (0.1%) |
| Insider Theft | 0 (0%) |
As shown, employees were the cause of the majority of breached records in March 2019. This figure is skewed by the fact that 2,300,000 of the breached records came from a single breach, but the top three causes can all be considered internal errors, which means that organizations need to focus on fixing internal process failures as much as they devote time and resources to keeping attackers out.
Many organizations purchase generic online training and privacy awareness materials. While these can be informative, they are generalized and often do not reflect your organisation's own data processing operations. Bespoke training for your organization ensures that your employees fully understand the importance of data privacy and improves their data handling processes, leading to higher levels of customer satisfaction.
Global Data Privacy Enquiry
The Relentless GDPR Data Privacy model can be used to set benchmarks for organizations that are starting out, and can also be used by organizations that already have a privacy function and some components of a privacy program. The model provides a structured means of identifying and documenting current privacy initiatives, determining their status and assessing them against the Global privacy maturity model criteria. Complete the enquiry form for more details.