Introduction: Data Breaches, How Can Organisations Improve?


With the new focus on digital privacy and data privacy regulations, data breaches are increasingly in the news. Global data privacy regulations have outlined the types of data that are considered sensitive and the penalties for a breach. Global data protection laws, as well as the number of high-profile data breaches, have caused organizations to commit to a greater focus on privacy. Organizations are actively working to decrease their potential exposure to a data breach by enhancing their cyber-security defenses.


When trying to design and implement a strategy for protecting against data breaches, it’s useful to understand what the most common causes of these breaches are. This article looks at the data from the first quarter of 2019 and classifies breaches into several common categories.


Common causes of data breaches


Data breaches involve the release of sensitive data to unauthorized parties. While most people’s first thought when hearing of a data breach is that external attackers have gained access to the organization, data breaches can be caused by a variety of different reasons.


Here we define seven different causes of data breaches:


  1. Accidental Web/Internet Exposure: Sensitive data is accidentally placed in a location accessible from the Web. The news stories about improper usage of Amazon S3 permissions (and other cloud storage) fall into this category.
  2. Data on the Move: Securing data in transit is often a challenge for companies. Using HTTP and other insecure protocols is a common cause.
  3. Employee Error/Negligence/Improper Disposal/Lost: This category covers all data breaches caused by employee negligence. Data security policies that are weak and/or unenforced can lead to unintentional data breaches.
  4. Hacking/Intrusion: Data breaches involving an external party (i.e., a hacker) are what most people expect when they hear of a data breach. This category includes phishing, malware/ransomware and skimming.
  5. Insider Theft: This category also deals with employees, but covers cases where insiders are intentionally breaching sensitive data.
  6. Physical Theft: Laptops and mobile devices commonly store sensitive or valuable data. These devices can easily be lost or stolen when brought to public areas.
  7. Unauthorized Access: Poorly designed or implemented access controls can allow people to access data that they are not authorized for.

Data breaches involving external parties gaining access to an organization’s network are only one of several different types of breaches.


Causes of large data breaches


Data breaches occur practically every day. According to statistics there were 264 breaches in Q1 2019, or almost three breaches per day on average.

However, we don’t hear about most of these breaches on the news. Only the “huge” breaches make the headlines. In this section, we’ll break down the major causes of breaches in two ways: based on the number of records exposed in a single breach and based on the number of records exposed in Q1 2019 by each breach type.


Causes of the largest breaches


In Q1 2019, the ITRC recognized eight breaches that exposed at least 100,000 records. These breaches are summarized in the following table.


| Organization | Publication Date | Exposed Records | Root Cause |
|---|---|---|---|
| Centerstone Insurance and Financial Services d/b/a Benefitmall | 1/4/2019 | 111,589 | Hacking/Intrusion |
| Columbia Surgical Specialist of Spokane | 2/18/2019 | 400,000 | Hacking/Intrusion |
| UConn Health | 2/21/2019 | 326,629 | Hacking/Intrusion |
| University of Washington Medical Center | 2/19/2019 | 973,024 | Accidental Web/Internet Exposure |
| Health Alliance Plan | 3/7/2019 | 120,344 | Hacking/Intrusion |
| Navicent Health | 3/22/2019 | 278,016 | Hacking/Intrusion |
| Federal Emergency Management Agency (FEMA) | 3/15/2019 | 2,300,000 | Employee Error |
| ZOLL Services LLC | 3/18/2019 | 277,319 | Not Disclosed |


You can see that while Hacking/Intrusion may be the most common cause of data breaches, that doesn’t make it the most damaging. The FEMA breach exposed more records than all Hacking/Intrusion breaches put together, but it was caused by employee negligence. The second-largest breach (UW Medical) was also not caused by hacking.


Causes of most lost records in March 2019


In March 2019, ITRC began including additional information in their breach reports. This information included a breakdown of the number of records breached in that month, based on the cause of the breach.


| Root cause | Exposed Records (%) |
|---|---|
| Employee Error/Negligence/Improper Disposal/Lost | 2,313,460 (69.6%) |
| Unauthorized Access | 427,356 (12.9%) |
| Accidental Web/Internet Exposure | 381,812 (11.5%) |
| Hacking/Intrusion | 178,038 (5.4%) |
| Physical Theft | 21,221 (0.6%) |
| Data on the Move | 2,088 (0.1%) |
| Insider Theft | 0 (0%) |

As shown, employees were the cause of the majority of breached records in March 2019. While this information is skewed by the fact that 2,300,000 of the breached records were included in a single breach, the fact that the top three causes of breaches can all be considered internal errors means that organizations need to focus on fixing internal process errors as much as they need to devote time and resources to keeping attackers out.
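The frequency-versus-volume comparison and the single-breach skew discussed above can be recomputed from the two tables. The following is an added example, not part of the original article; it assumes the 2,300,000-record breach mentioned in the text is the FEMA entry counted under Employee Error in March.

```python
from collections import defaultdict

# Q1 2019 breaches of 100,000+ records, copied from the first table: (records, root cause)
LARGE = [
    (111_589, "Hacking/Intrusion"), (400_000, "Hacking/Intrusion"),
    (326_629, "Hacking/Intrusion"), (973_024, "Accidental Web/Internet Exposure"),
    (120_344, "Hacking/Intrusion"), (278_016, "Hacking/Intrusion"),
    (2_300_000, "Employee Error"), (277_319, "Not Disclosed"),
]
# March 2019 exposed records per root cause, copied from the second table
MARCH = {
    "Employee Error/Negligence/Improper Disposal/Lost": 2_313_460,
    "Unauthorized Access": 427_356,
    "Accidental Web/Internet Exposure": 381_812,
    "Hacking/Intrusion": 178_038,
    "Physical Theft": 21_221,
    "Data on the Move": 2_088,
    "Insider Theft": 0,
}
# Assumption: the single 2,300,000-record breach sits in the employee-error category
OUTLIER = ("Employee Error/Negligence/Improper Disposal/Lost", 2_300_000)

def by_cause(breaches):
    """Return {cause: (breach_count, records_exposed)} to compare frequency with volume."""
    agg = defaultdict(lambda: [0, 0])
    for records, cause in breaches:
        agg[cause][0] += 1
        agg[cause][1] += records
    return {cause: tuple(v) for cause, v in agg.items()}

def shares(totals, exclude=None):
    """Ranked percentage share per cause, optionally with one breach removed."""
    totals = dict(totals)
    if exclude:
        cause, records = exclude
        totals[cause] -= records
    grand = sum(totals.values())
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(cause, round(100 * n / grand, 1)) for cause, n in ranked]

if __name__ == "__main__":
    for cause, (n, recs) in by_cause(LARGE).items():
        print(f"{cause:35} breaches={n} records={recs:,}")
    for label, rows in (("all breaches", shares(MARCH)),
                        ("without the largest breach", shares(MARCH, OUTLIER))):
        print(label, rows)
```

With the largest breach removed, Unauthorized Access and Accidental Web/Internet Exposure still rank ahead of Hacking/Intrusion, so the article's emphasis on internal process errors does not depend on that one incident.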

Many organizations purchase generic online training materials and privacy awareness materials. Whilst these can be informative, they are generalized and often do not reflect your organisation's data processing operations. Bespoke training for your organization ensures your employees fully understand the importance of data privacy and enhance their data handling processes, leading to high levels of customer satisfaction.



The Relentless GDPR Data Privacy model can be used to set benchmarks for organizations starting out, and by organizations that have an existing privacy function and some components of a privacy program. The Relentless GDPR Data Privacy model provides a structured means to assist in identifying and documenting current privacy initiatives, determining status and assessing it against the Global privacy maturity model criteria. Complete the enquiry form for more details.