eDiscovery Daily Blog

Almost Thirty Percent of Data Security Incidents are Due to Human Error: eDiscovery Trends

Last year, the term “data breach” became part of the broader public vernacular with The New York Times devoting more than 700 articles related to data breaches, versus fewer than 125 the previous year. And, as we’ve discussed recently, data breaches are on the rise. However, according to a new report, almost thirty percent of data security incidents are due to human error.

According to Verizon’s 2015 Data Breach Investigations Report released last week, the single biggest cause of data security incidents in 2014 was “miscellaneous errors”. These “miscellaneous errors” comprised 29.4% of data security incidents in 2014 (up from 25% in 2013), according to the report.

As Verizon notes in its report, if you take the top four causes of data security incidents – two through four respectively are crimeware (25.1%), insider misuse (20.6%) and physical theft/loss (15.3%) – “the common denominator across the top four patterns – accounting for nearly 90% of all incidents – is people. Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC (problem exists between keyboard and chair) and ID-10T (get it?) über-patterns.” As they somewhat playfully observe, “At this point, take your index finger, place it on your chest, and repeat ‘I am the problem,’ as long as it takes to believe it. Good – the first step to recovery is admitting the problem.”

While some of the errors are due to issues such as a computer malfunction or a misconfigured system, nearly 60% of the time, they’re due to a relatively simple user mistake (especially system administrators who were the “prime actors in over 60% of incidents”). Verizon breaks these down as:

  • “D’oh!”: Sensitive information sent to incorrect recipients (usually via email) comprised 30% of the miscellaneous errors that led to a data breach;
  • “My bad!”: Publishing non-public data to public web servers comprised 17%; and
  • “Oops!”: Insecure disposal of personal and medical data accounted for 12% of miscellaneous errors.

Overall, the report identifies 79,790 reported security incidents (with 2,122 confirmed data breaches) affecting at least 20 industries in 61 countries (not surprisingly, no breakout for legal). In terms of volume, two-thirds of incidents occurred in the U.S., but as Verizon notes, “that’s more reflective of our contributor base (which continues to expand geographically) than a measure of relative threat/vulnerability.”

The 70 page report covers topics ranging from victim demographics and breach trends to specific types of breach causes, including phishing and malware. It also breaks down incident types, including point-of-sale intrusions (the number one cause of confirmed data breaches at 28.5%), denial-of-service attacks and cyber-espionage. It even provides a “year in review” chronology of notable breaches (in case you missed them). The report is very informative and, at times, wryly written, which makes me forget – almost! – that Verizon dinged me for several hundred dollars of roaming charges in Europe during my honeymoon last fall (don’t get me started!).

Anyway, you can get a copy of the report here. You can register and download the report or just choose to download the report (which I did). An interesting read.

So, what do you think? Has your organization experienced any data security incidents due to human error? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.