You just know that data privacy has become a big deal when even Facebook is claiming to be pivoting to a more “privacy focused” approach. And you just know the current state of user privacy protections when the same company has had at least one major breach in the month and a half since making that statement.
In the modern world, “data breach” has become a phrase that we see on the news almost every day. At least once a week, some company has a major breach where it’s discovered that they did something stupid and your personal data is stolen as a result. We’ve all accepted that companies routinely sell our personal information to each other, but you would think that they’d at least protect it from data breaches to protect their source of revenue even if they don’t care about their customers’ privacy.
When most people think of a data breach, they think of a hacker breaking through an organization’s cyber defenses to get at the data inside. But what really causes most data breaches? The truth would probably surprise you (unless you didn’t miss the title, that is).
What counts as a data breach?
Before getting into the details of what causes data breaches, it’s useful to define what counts as a data breach. A good definition is “the unauthorized disclosure of sensitive or valuable information by an organization”.
Breaking this down, the first component is that the disclosure of information outside of the company has to be unauthorized. As much as we’d prefer that they didn’t, companies routinely authorize the sale of our data to third parties. While this means that our data goes somewhere without our permission, it’s still not a data breach. Second, the information breached has to be sensitive or valuable. While most data breach headlines are about the loss of customer data, that’s not the only option. The Sony breach of 2014 was primarily focused on intellectual property (films, etc.) but it still counts as a breach.
Finally, an organization needs to have been the one to lose the data. If you lose your cell phone with all your contacts on it, you don’t need to report it under the GDPR or similar data privacy regulations.
Common reasons for leaked data
Now that we’ve defined what a data breach is, let’s look at the main causes of data breaches. For this, there are two possible ways to define the size of a breach: breach-level and record-level.
Analysis at the breach-level means looking at the most common causes of data breaches regardless of the size of the breach. This shows what causes the most breaches, without considering the number of records breached. Looking at the record-level means taking the size of the breach into consideration. A single, massive breach may leak more records than all other breaches put together. This type of analysis will help you know which way your data is most likely to be leaked.
For this analysis, we’ll be looking at March breach data provided by the Identity Theft Resource Center (ITRC). This data is useful since it provides both methods of analyzing breaches, making it possible to cross-compare without worrying that some breaches are included in one data set an ignored in others.
The ITRC defines seven different causes of breaches:
- Accidental Web/Internet Exposure
- Data on the Move
- Employee Error/Negligence/Improper Disposal/Lost
- Hacking/Intrusion (includes Phishing, Ransomware/Malware and Skimming)
- Insider Theft
- Physical Theft
- Unauthorized Access
The category names are pretty self-explanatory and cover all possible causes of breaches.
ITRC recorded 79 different data breaches in the month of March (more than two a day!). The breakdown by cause is as follows:
- Unauthorized Access: 29 (36.7%)
- Hacking/Intrusion: 28 (35.4%)
- Employee-Caused: 10 (12.7%)
- Accidental Web/Internet Exposure: 5 (6.3%)
- Physical Theft: 4 (5.1%)
- Data on the Move: 3 (3.8%)
- Insider Theft: 0 (0%)
Contrary to popular belief, hacking/intrusion is neither the cause of most data breaches nor even the most common cause of data breaches. The majority of data breaches that occurred in March 2019 were caused by unauthorized access to sensitive data, followed by hacking and breaches caused by employee negligence.
At the record level, the data tells a very different story. Based upon the number of records breached, the breakdown of causes is as follows:
- Employee-Caused: 2,313,460 records (69.6%)
- Unauthorized Access: 427,356 records (12.9%)
- Accidental Web/Internet Exposure: 381,812 records (11.5%)
- Hacking/Intrusion: 178,038 records (5.4%)
- Physical Theft: 21,221 records (0.6%)
- Data on the Move: 2,088 records (0.1%)
- Insider Theft: 0 records (0%)
“It was an accident!” is the most common explanation for breached records in March 2019 with over two-thirds of records being breached due to employee negligence. On the bright side, at least no-one did it on purpose, right?
Improving organizational data security
The increase in data privacy laws make data breaches a significant threat to organizations. Most organizations take an “outward-facing” approach to cyber defense, attempting to protect their data by keeping the bad guys out. However, the majority of data breaches are actually caused by mistakes made within the organization. While strong perimeter defenses are important, a focus on data security through managing access to valuable data and performing behavioral analysis to identify and act on potentially harmful behaviors may be what is necessary to prevent your next data breach.