
Data Privacy,
Labor/Employment,
Technology

Oct. 19, 2022

Work at home or office, human error still top reason for data breaches

Cyber attacks are also an issue, where the largest number of attacks are launched against professional organizations, including law firms.

Anita Taff-Rice

Founder, iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall # 298
Walnut Creek, CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw® is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.

Many predicted that the work-from-home model imposed to combat COVID-19 would create a hacker’s haven, but it turns out that human error is by far the top cause of data breaches, and it doesn’t seem to matter where employees sit to do their work.

A recent McKinsey report found that almost 60% of Americans work remotely at least one day per week, and 35% are able to work from home five days per week. Despite the trend toward remote work, 26% of IT leaders report having no comprehensive remote work security management solution, according to a Keeper Security, Inc. Cybersecurity Census report. Regardless of the existence of security systems, humans were the root cause for the vast majority – 82% – of data breaches last year, according to Verizon’s 2022 Data Breach Investigations Report (DBIR).

The DBIR analyzed 23,896 incidents where sensitive data was compromised, which resulted in 5,212 cases of confirmed data theft. Human error accounted for 70% of the incidents. The top method used by cyber criminals was phishing – those crazy emails announcing the good news that you’ve won $50 million in a foreign lottery that you never entered if only you provide your banking data so the lottery “officials” can deposit the prize into your account.

The other 30% were pretexting attacks, in which the hacker masquerades as a trusted person using what looks like a legitimate corporate email address. Examples include emails that appear to be from a corporation’s human resources department asking for personal information, or from a vendor asking to update payment information. Pretexting can yield big corporate payoffs for cybercriminals. MacEwan University in Canada paid $9.8 million U.S. dollars in response to a fake vendor payment request in 2017.

The remaining types of breaches caused by human error include misdelivery – meaning sending documents or information to the wrong recipient – and misconfiguration of technology systems. One of the worst data breaches in history fell in this category. In 2017, hackers broke into credit bureau Equifax’s databases, which led to the exposure of 145.5 million U.S. consumers’ credit files and cost the company $617 million to settle. Hackers apparently exploited a known flaw in Equifax’s software from May through July that year even though a patch had existed since March; Equifax simply hadn’t installed it. Even more disturbing, Wired magazine reported that the hack was accomplished through a web portal for handling credit-report disputes from customers in Argentina, which used the amateurish credentials of “admin/admin.” Data disclosed included individuals’ names, credit card numbers, Social Security numbers, birth dates, addresses and driver’s license numbers.

A small number of breaches reported in the DBIR (216) were carried out by insiders with legitimate credentials. Almost 80% of these internal attacks resulted in successful theft of personal data that could be sold on the dark web.

While the steady rise in the number of cyber attacks is familiar, the target of the attacks is somewhat surprising. The largest number of attacks associated with a specific industry were launched against professional organizations such as law firms (3,566), not the financial industry (2,527) as might be expected. About 20% (681) of the attacks against professional organizations resulted in data theft and were perpetrated through system intrusion, typically a complex attack using hacking or malware to breach the system. But the second and third most common reasons were social engineering and miscellaneous errors.

The DBIR concluded that the public sector, including agencies, courts, police departments and prisons, was a popular target. It was the third most frequent target of cyber attacks (2,792) with about 20% resulting in data theft. Similar to the professional sector, the most common attack method was system intrusion, but the second largest reason was human errors followed closely by social engineering.

This data suggests that legislators and regulators who are charged with protecting the public’s sensitive data have been overlooking a huge security vulnerability and it’s right under their noses. The government has a special responsibility to protect citizens’ data since it stores virtually every type of highly sensitive and personal data that crosses almost all commercial sectors – financial data in tax returns, health care information in Medicare and Medicaid records, passport numbers and travel information, demographic information, non-public investigations, etc. Much of this information is collected involuntarily by the government and citizens have little insight into how long the data is retained or how it is used.

Legislation at the federal and state level has given citizens greater rights over the collection and storage of personal data by corporations. Some states have enacted privacy statutes or other legislation giving citizens greater ability to sue for damage caused by commercial data breaches. Good luck trying to sue the government for losing control of highly sensitive personal information.

The federal government has made strides in creating new departments focused on cyber crimes within agencies such as the Federal Bureau of Investigation, Homeland Security and the Secret Service’s Cyber Division. Much of the focus by the federal government, however, is directed toward high-profile cyberattacks from state-sponsored actors or foreign governments themselves.

The conclusions in the 2022 DBIR should be a wake-up call to federal and state legislators. Now is the time to prioritize better training for public sector employees and improving security processes for government data systems before the problem gets worse.
