Cyber Security Institute

Wednesday, March 14, 2007

Forget hackers; companies responsible for most data breaches, study says

That conclusion is based on a review of 550 security breaches reported in major U.S. news media outlets from 1980 to 2006. It showed that internal foul-ups such as accidentally putting personally identifiable information online, missing equipment, lost backup tapes or other administrative errors were responsible for 61% of the incidents.

“What this shows is that a surprising number of incidents actually involve corporate mismanagement more than hackers,” said Philip Howard, assistant professor of communication at the University of Washington and co-author of the report.

A report released last week by the IT Policy Compliance Group showed that human error is the overwhelming cause of losses of sensitive data—contributing to 75% of all occurrences, while malicious hacking activity contributed to just 20% of data losses.  According to that report, the primary channels for data loss involve laptops and mobile devices as well as e-mail and instant messages.  Even in incidents that were publicly blamed on external hackers, the reality is a bit more nuanced, Howard said.

When it comes to just the volume of compromised records, though, external hackers accounted for some 45% of breached records, while 27% came from internal errors and 28% remained unattributed, Howard said.  The university study also showed that there were more reported incidents in 2005 and 2006—424—than the previous 25 years combined, when there were 126.  But that’s likely because of breach-disclosure laws in California and several other states that require companies to notify consumers of incidents involving the potential compromise of their data, he said.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9013142&source=NLT_AM&nlid=1

Posted on 03/14