Threat Intelligence

Common causes of large breaches (Q1 2019)

Howard Poston
May 1, 2019 by
Howard Poston

Introduction: What’s to be done about data breaches?

With the new focus on digital privacy and data privacy regulations, data breaches are increasingly in the news. The EU’s General Data Privacy Regulation (GDPR) has increased the types of data that are considered sensitive and the penalties for a breach. GDPR and similar regulations, as well as the number of high-profile data breaches, have caused organizations to commit to a greater focus on privacy. Organizations are actively working to decrease their potential exposure to a data breach by beefing up their cybersecurity defenses.

When trying to design and implement a strategy for protecting against data breaches, it’s useful to understand what the most common causes of these breaches are. This article looks at the data from the first quarter of 2019 and classifies breaches into several common categories.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

Common causes of data breaches

Data breaches involve the release of sensitive data to unauthorized parties. While most people’s first thought when hearing of a data breach is that external attackers have gained access to the organization, data breaches can be caused by a variety of different reasons.

The Identity Theft Resource Center (ITRC) defines seven different causes of data breaches:

  1. Accidental Web/Internet Exposure: Sensitive data is accidentally placed in a location accessible from the Web. The news stories about improper usage of Amazon S3 permissions (and other cloud storage) fall into this category
  2. Data on the Move: Securing data in transit is often a challenge for companies. Using HTTP and other insecure protocols is a common cause
  3. Employee Error/Negligence/Improper Disposal/Lost: This category covers all data breaches caused by employee negligence. Data security policies that are weak and/or unenforced can lead to unintentional data breaches
  4. Hacking/Intrusion: Data breaches involving an external party (i.e., a hacker) are what most people expect when they hear of a data breach. This category includes phishing, malware/ransomware and skimming
  5. Insider Theft: This category also deals with employees, but covers cases where insiders are intentionally breaching sensitive data
  6. Physical Theft: Laptops and mobile devices commonly store sensitive or valuable data. These devices can easily be lost or stolen when brought to public areas
  7. Unauthorized Access: Poorly designed or implemented access controls can allow people to access data that they are not authorized for

As shown in the list from ITRC, breaches involving external parties gaining access to an organization’s network are only one of several different types of breaches. For the rest of this article, we’ll use the labels defined by the ITRC for classifying breaches.

Causes of large data breaches

Data breaches occur practically every day. According to the ITRC, there were 264 breaches in Q1 2019, or almost three breaches per day on average.

However, we don’t hear about most of these breaches on the news. Only the “huge” breaches make the headlines. In this section, we’ll break down the major causes of breaches in two ways: based on the number of records exposed in a single breach and based on the number of records in exposed in Q1 2019 by each breach type.

Causes of the largest breaches

In Q1 2019, the ITRC recognized eight breaches that exposed at least 100,000 records. These breaches are summarized in the following table.

Organization Publication Date Exposed Records Cause

Centerstone Insurance and Financial Services d/b/a Benefitmall 1/4/2019 111,589 Hacking/Intrusion

Columbia Surgical Specialist of Spokane 2/18/2019 400,000 Hacking/Intrusion

UConn Health 2/21/2019 326,629 Hacking/Intrusion

University of Washington Medical Center 2/19/2019 973,024 Accidental Web/Internet Exposure

Health Alliance Plan 3/7/2019 120,344 Hacking/Intrusion

Navicent Health 3/22/2019 278,016 Hacking/Intrusion

Federal Emergency Management Agency (FEMA) 3/15/2019 2,300,000 Employee Error

ZOLL Services LLC 3/18/2019 277,319 Not Disclosed

You can see that while Hacking/Intrusion may be the most common cause of data breaches, that doesn’t make it the most damaging. The FEMA breach exposed more records than all Hacking/Intrusion breaches put together, but it was caused by employee negligence. The second-largest breach (UW Medical) was also not caused by hacking.

Causes of most lost records in March 2019

In March 2019, ITRC began including additional information in their breach reports. This information included a breakdown of the number of records breached in that month, based on the cause of the breach.

Cause Exposed Records (%)

Employee Error/Negligence/Improper Disposal/Lost 2,313,460 (69.6%)

Unauthorized Access 427,356 (12.9%)

Accidental Web/Internet Exposure 381,812 (11.5%)

Hacking/Intrusion 178,038 (5.4%)

Physical Theft 21,221 (0.6%)

Data on the Move 2,088 (0.1%)

Insider Theft 0 (0%)

As shown, employees were the cause of the majority of breached records in March 2019. While this information is skewed by the fact that 2,300,000 of the breached records were included in a single breach, the fact that the top three causes of breaches can all be considered internal errors means that organizations need to focus on fixing internal process errors as much as they need to devote time and resources to keeping attackers out.

Preventing data breaches

Preventing data breaches from occurring is a major concern for enterprises and other organizations. With the new privacy laws that have come into effect over the last year, businesses are obliged to protect many more types of information than previously, and the penalties for failing to do so are harsher. In fact, the EU’s GDPR gives regulatory authorities the right to penalize organizations for failure to keep proper records even in the absence of a breach.

When attempting to protect sensitive data and prevent data breaches, focusing on measures designed to keep attackers out of the network is important but not sufficient. While the majority of large data breaches were caused by outside attackers, the majority of breached records were leaked due to mistakes made by employees. In addition to perimeter-based defenses against hackers, organizations should also deploy solutions for managing and monitoring access to sensitive data by internal employees.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

 

Sources

  1. Monthly Breach Report: January 2019, Identity Theft Resource Center
  2. Monthly Breach Report: February 2019, Identity Theft Resource Center
  3. Monthly Breach Report: March 2019, Identity Theft Resource Center
  4. Centerstone Insurance and Financial Services d/b/a BenefitMall Notifies Consumers of Data Security Incident, BenefitMall
  5. Notice of Data Encryption Event, Columbia Surgical Specialists
  6. Notice of Data Security Incident, UConn Health
  7. Notice of Data Breach, UW Medicine
  8. Management Alert – FEMA Did Not Safeguard Disaster Survivors’ Sensitive Personally Identifiable Information (REDACTED), Office of Inspector General
  9. ZOLL Reports Recent Data Security Incident, PR Newswire
  10. Data Breach Reports: March 31, 2019, Identity Theft Resource Center
Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.