Hacking Surpassing Human Error For Data Breaches?

from the is-that-good-or-bad? dept

Tue, Jan 19th 2010 10:04pm — Mike Masnick

A couple years ago, we noted that the old claim that "insiders" were the biggest data breach threat was no longer true, as other threats were becoming a much bigger deal. While that study seemed to use very different methodology, a new study is out that agrees that insiders are a much smaller threat, but notes that outside hacking surpassed "human error" as the cause of data breaches in 2009. While it's good that human error issues are decreasing as a percentage, is it worrisome that outside hack attacks are now becoming such a major problem? The good news in the data is that there were supposedly fewer reported attacks in 2009 (by a pretty large amount) compared to 2008 -- so one possible reading of the data is that people have been effective in preventing things like human error breaches much more often, which is what allowed outside hack attacks to take the lead on a percentage basis. However, with recent stories of things like China's hack attack on Google it seems like we'll be hearing more and more stories about these sorts of attacks for one important reason: in many (certainly not all) cases, they can be quite effective.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data breaches, hacking, human error, insiders

9 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Falvour, 19 Jan 2010 @ 11:08pm

Straw man?
"Insiders" != "human error", and it's pretty disingenuous to act as though those are equivalent. Take the TJX data breach, for example -- insider info could have been used, and that's no "human error".

Retail stores know very well that their own employees are the greatest security risk for shoplifting or malfeasance, and a survey last year apparently indicated that a fair number of IT pros will grab confidential data on the way out of the company, even if they don't use it. Didn't anybody here read Halting State?
[ link to this | view in chronology ]
- Mike Masnick (profile), 20 Jan 2010 @ 1:47am
  
  Re: Straw man?
  "Insiders" != "human error", and it's pretty disingenuous to act as though those are equivalent.
  
  Sorry, I wasn't saying they were the same. I was just comparing the results from two different studies.
  [ link to this | view in chronology ]
- Not a Perv, 20 Jan 2010 @ 4:58am
  
  Re: Straw man?
  "Retail stores know very well that their own employees are the greatest security risk for shoplifting or malfeasance"
  
  Interesting, because they act like their customers are thieves and use that as an excuse to spy upon them as they try on clothes in the "privacy" of those little rooms.
  [ link to this | view in chronology ]
- Bad Security Dept, 20 Jan 2010 @ 5:03am
  
  Re: Straw man?
  "Take the TJX data breach, for example -- insider info could have been used, and that's no "human error"."
  
  What are you saying?
  The root cause of the TJX breach was not due to human error?
  That's laughable.
  [ link to this | view in chronology ]
  - Anonymous Coward, 20 Jan 2010 @ 5:59am
    
    Re: Re: Straw man?
    Only if you consider a catastrophic failure to implement and follow known (and incessantly repeated by data security folks) best practices a human error. And I mean that's crazy talk. Or maybe if you consider a tight focus on passing a security systems audit that you know about in advance and that only happens once a year--while ignoring it the rest of the year--to be a human error. Most likely, though, it's just a stunning coincidence that the data crime attacks become more sophisticated as the defenses fall out of use. Right?
    [ link to this | view in chronology ]
Chargone (profile), 20 Jan 2010 @ 2:34am

you know, I'm always wary of claims that 'reports of X have reduced' is a good thing. while it can represent that the issues have reduced, and thus the problem is being solved, it can also very often mean that the people who would report things have so lost faith in the system that they no longer see it as worth the effort (that's happened here with a lot of lesser crimes. people just don't bother reporting them much.) alternatively, for many businesses it's in their interest to appear more secure than they acutally are, so they may simply under report such.

of course, there's no Other way to know how much of such a thing is happening, i suppose, but the automatic assumption that less reports = less issues isn't always the right one.

'course, this may be simple paranoia speaking. hehe.
[ link to this | view in chronology ]
Simon, 20 Jan 2010 @ 3:42am

Insider Attacks
Keep in mind that insider attacks are often quietly dealt with to avoid embarrassment to all parties. If some rogue employee is found lifting data, then it may be mutually agreeable for that person to leave the company. That way the company doesn't have to deal with admitting to their customers that there was (and still is) a risk to their digital assists, and the employee has an improved chance of finding another job or maybe even avoiding a criminal prosecution.
[ link to this | view in chronology ]
united hackers association, 20 Jan 2010 @ 6:01am

GOVT SPONSORED vs me the hacker
iv about had it with the media lies and bullshit
ive about had it with misleading stories painting real hackers as the bad guys when its these fucktard politicians and there lil spy agencies doing all the bad shit on earth
[ link to this | view in chronology ]
Janice Taylor Gaines, 20 Jan 2010 @ 8:06am

Most Orgs and Individuals Enjoy "Security" as a Matter or Luck
I'd be curious to know if anyone else here is reading “I.T. WARS”? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors – as well as system failures. Even when considering hacking; it can only happen due to poor systems and security design, or poor practice within the org. The book has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google “IT WARS” – check out a couple links down and read the interview with the author David Scott. (Full title is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium”).
[ link to this | view in chronology ]