A Blog by Jonathan Low


Apr 24, 2014

The Biggest Single Cause of Data Breaches Is...Ooops

"Never ascribe to conspiracy that which can best be described by stupidity." So said Napoleon Bonaparte, a guy who learned a thing or two the hard way about how stuff can go wrong.

Despite our recent obsession with cataloguing the many ways in which personal data keeps falling into the wrong hands - and our allied belief that this is part of someone's evil grand plan, research reveals that the primary cause of data breaches is what is best termed 'Miscellaneous Error.'

This is not to say that there are not people and organizations out there scheming and plotting to relieve you of your secrets, just that they are probably in the distinct minority, and that most of these releases are the result of carelessness, poor training, overwork and all of the other very human conditions that afflict most enterprises with more than zero employees. A larger problem may be the propensity of said institutions to deny or simply not reveal the aforementioned booboo, but then 40 years after Watergate why would anyone think they'd eventually get outed? JL

Leo Mirani reports in Quartz:

Verizon just released its authoritative annual report on data breaches (registration required) and information security. It’s a jaunty, colorful document, packed full of interesting charts and information, if you’re into that sort of thing. (As well as plenty of gags that offer a glimpse into the life of a data-cruncher, such as endnote 11: “Note to self: stop leaving laptop in conference room when walking down to the cafeteria.”)
In its seventh annual report, Verizon used its own data and gathered more from 50 organizations worldwide, many of them big security firms or law enforcement agencies with plenty of insight into data security.
In 2013, there were at least 1,367 confirmed data breaches, according to Verizon, and over 63,000 “security incidents,” which include everything from catastrophic leaks to a breach that “compromises the integrity, confidentiality, or availability of an information asset.” Of those, governments around the world accounted for nearly 13% of confirmed breaches and a whopping 75% of “incidents.”
Where are all these breaches coming from? In a word, “oops.” Of the nine classifications of threats listed by Verizon, which account for over 90% of all incidents, one stands out in the public sector: “Miscellaneous error.”
[Chart: Causes of data breaches in the public sector]
The public sector is among the worst offenders in mistakenly leaking out data, but it is not the worst. That dubious honor goes to the administrative services across industries. But while administrative errors affect businesses and those that deal with them, the public sector’s leaks are more worrying because of the wide-ranging and personal nature of the data it holds, meaning that mistakes can affect enormous numbers of ordinary citizens.
[Chart: Contribution of miscellaneous error as a factor leading to a data breach (percent)]
So why does the government appear to get it wrong so often? The Verizon report explains that the numbers may be misleading, at least in the US:
According to our sample, government organizations frequently deliver non-public information to the wrong recipient…Why is that number so large? The United States federal government is the largest employer in that country, and maintains a massive volume of data on both its employees and constituents, so one can expect a high number of misdelivery incidents. Public data laws and mandatory reporting of security incidents also cover government agencies. Since we have more visibility into government mistakes, it creates the impression that government mistakes happen more frequently than everyone else’s, which may not be the case. This is not unlike the way we see higher numbers of overall breaches in US states that have had disclosure laws on the books the longest.
In other words, the government may not get it wrong more often, but its willingness to admit it makes it look that way. Indeed, a recent survey-based report by ThreatTrack, an information security company, found that nearly 60% of respondents did not disclose data breaches. “Among industries, manufacturing and utility companies were the industries most likely not to disclose a breach, with 79% of respondents admitting to not telling customers, partners or other stakeholders about a compromise,” the report said. For what it’s worth, manufacturing and utilities accounted for a total of 0.6% of unconfirmed breaches recorded by Verizon.
