83% of Data Breaches Caused by Human Error, Let’s Round-Up Last Weeks
A host of new statistics emerging as we progress through year two of GDPR are pointing to human error as being the overriding source of data breaches.
Firstly, the Irish Data Protection Commission (DPC) analysed data breach trends within its jurisdiction. It discovered that 83% of the data breaches reported to it under GDPR were classified as “unauthorised disclosure,” which included such scenarios as employees sending data to the wrong recipient, and accidental breaches of information through online customer portals and processing errors.
Then, in recent days, Infosecurity Magazine has reported on a CybSafe analysis of data from the UK Information Commissioners Office (ICO). CybSafe finds that 90% of data breaches in 2019 reported to the ICO under GDPR were caused by mistakes made by end-users. In 2017 and 2018, 61% and 87% of data breaches were due to human error. The trend points to a growing problem rather than a rescinding one.
CybSafe also found that the underlying cause of breaches, at 45% of all reports, was phishing attacks. Despite phishing attacks being initiated by cyber criminals and hackers, phishing emails only become truly dangerous if the links or files they contain are released onto systems and networks by unsuspecting recipients. Oz Alashe, CEO of CybSafe, says:
“It’s almost always human error that enables attackers to access encrypted channels and sensitive information. Staff can make a variety of mistakes that put their company’s data or systems at risk, often because they lack the knowledge or motivation to act securely, or simply because they accidentally slip up.”
Alashe says although employees are a risk to cybersecurity, this risk can be mitigated:
“Employees of course pose a certain level of cyber-risk to their employers, as seen in our findings thus far. Nevertheless, people also have an important role to play in helping to protect the companies they work for, and human cyber-risk can almost always be significantly reduced by encouraging changes in staff cyber-awareness, behavior and culture.”
– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series
Let’s take a look at some of the last week’s data breach revelations and see what we can learn from them to protect our own businesses from such incidents.
RideLondon, UK
Organisers of the RideLondon cycling event believe that up to 2,100 registered participants may have been affected by a data breach that has seen entrants receive other individual’s ballot results. The London & Surrey Cycling Partnership has apologised and the breach, as per the BBC, is being “urgently,” looked into.
The popular event usually has more applicants than places available for the ride, so a ballot system is used to select participants. The event is scheduled for August 16, 2020. The CEO of the London & Surrey Cycling Partnership, Nick Bitel, says his company is trying to establish “how many people have been affected,” but it believes it is “less than 3% of the total of more than 70,000 people who entered the ballot.” Bitel adds:
“We are working with our contractors to establish the full facts but it appears that the issue was caused by an error in the collation of the acceptance letter and the addressed envelope in the final stages of a mailing process which led to the people affected receiving the name, address and date of birth of one other person.”
The company has apologised and says it will be contacting those affected.
Altice USA Inc, 12,000 records
The provider of Optimum cable television and internet revealed in a February 5, notice that a breach occurred in November. The breach has been pinned to a phishing attack which resulted in a “unauthorized third party,” gaining access to the email account details of Altice employees. Around 12,000 current employees, some former employees and a small number of customers may have been affected as per Newsday reports.
Stolen email credentials were used to remotely access and download the contents of email mailboxes. Lisa Anselmo, a spokesperson for Altice, says:
“During our investigation, we learned in January 2020 that certain downloaded mailboxes contained password-protected reports that included personal information for current employees and some former employees.”
Anselmo says no personal financial information was breached. The company has offered identity and credit monitoring services, via Experian, to affected employees.
Fifth Third Bank, Cincinnati, US
Reports are indicating a breach that actually occurred during 2018. The Fifth Third Bank says employees passed stolen personal information outside of the company. These employees have now been dismissed. The breached information included social security numbers, addresses, and account numbers.
As per Local12 any customers who lost money because of the breach have been reimbursed and all affected customers have been provided with fraud alert services.
JustPark, UK
A new parking application, JustPark, has been subject to a data breach that may affect 4,500 individuals. JustPark has taken over the Department for Infrastructure’s parking application and it appears the information of business users was accidentally published on its website.
The breached information includes names and email addresses, mobile telephone numbers, car makes, and registrations for UK users. The information was discovered on the registration and payment section of the JustPark website and included the amount businesses had paid and their parking history.
Founder and CEO of JustPark, Anthony Eskinaziy, says it is an “isolated incident.” He has apologised for the exposure but denies a “major data breach,” as per the BBC. The CEO says the ICO has been informed.
Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.
Subscribe to the Proofpoint Blog