When trying to design and implement a strategy for protecting against data breaches, it’s useful to understand what the most common causes of these breaches are. This article looks at the data from the first quarter of 2019 and classifies breaches into several common categories.

Common causes of data breaches

Data breaches involve the release of sensitive data to unauthorized parties. While most people’s first thought when hearing of a data breach is that external attackers have gained access to the organization, data breaches can have a variety of causes. The Identity Theft Resource Center (ITRC) defines seven different causes of data breaches:

As shown in the list from ITRC, breaches involving external parties gaining access to an organization’s network are only one of several different types of breaches. For the rest of this article, we’ll use the labels defined by the ITRC for classifying breaches.

Causes of large data breaches

Data breaches occur practically every day. According to the ITRC, there were 264 breaches in Q1 2019, or almost three breaches per day on average. However, we don’t hear about most of these breaches on the news. Only the “huge” breaches make the headlines. In this section, we’ll break down the major causes of breaches in two ways: based on the number of records exposed in a single breach and based on the number of records exposed in Q1 2019 by each breach type.

Causes of the largest breaches

In Q1 2019, the ITRC recognized eight breaches that exposed at least 100,000 records. These breaches are summarized in the following table. You can see that while Hacking/Intrusion may be the most common cause of data breaches, that doesn’t make it the most damaging. The FEMA breach exposed more records than all Hacking/Intrusion breaches put together, but it was caused by employee negligence. The second-largest breach (UW Medical) was also not caused by hacking.

Causes of most lost records in March 2019

In March 2019, ITRC began including additional information in their breach reports. This information included a breakdown of the number of records breached in that month, based on the cause of the breach. As shown, employees were the cause of the majority of breached records in March 2019. While this information is skewed by the fact that 2,300,000 of the breached records were included in a single breach, the fact that the top three causes of breaches can all be considered internal errors means that organizations need to focus on fixing internal process errors as much as they need to devote time and resources to keeping attackers out.

Preventing data breaches

Preventing data breaches from occurring is a major concern for enterprises and other organizations. With the new privacy laws that have come into effect over the last year, businesses are obliged to protect many more types of information than previously, and the penalties for failing to do so are harsher. In fact, the EU’s GDPR gives regulatory authorities the right to penalize organizations for failure to keep proper records even in the absence of a breach.

When attempting to protect sensitive data and prevent data breaches, focusing on measures designed to keep attackers out of the network is important but not sufficient. While the majority of large data breaches were caused by outside attackers, the majority of breached records were leaked due to mistakes made by employees. In addition to perimeter-based defenses against hackers, organizations should also deploy solutions for managing and monitoring access to sensitive data by internal employees.

Sources

Monthly Breach Report: January 2019, Identity Theft Resource Center
Monthly Breach Report: February 2019, Identity Theft Resource Center
Monthly Breach Report: March 2019, Identity Theft Resource Center
Centerstone Insurance and Financial Services d/b/a BenefitMall Notifies Consumers of Data Security Incident, BenefitMall
Notice of Data Encryption Event, Columbia Surgical Specialists
Notice of Data Security Incident, UConn Health
Notice of Data Breach, UW Medicine
Management Alert – FEMA Did Not Safeguard Disaster Survivors’ Sensitive Personally Identifiable Information (REDACTED), Office of Inspector General
ZOLL Reports Recent Data Security Incident, PR Newswire
Data Breach Reports: March 31, 2019, Identity Theft Resource Center