Hacking Surpassing Human Error For Data Breaches?

from the is-that-good-or-bad? dept

A couple years ago, we noted that the old claim that "insiders" were the biggest data breach threat was no longer true, as other threats were becoming a much bigger deal. While that study seemed to use very different methodology, a new study is out that agrees that insiders are a much smaller threat, but notes that outside hacking surpassed "human error" as the cause of data breaches in 2009. While it's good that human error issues are decreasing as a percentage, is it worrisome that outside hack attacks are now becoming such a major problem? The good news in the data is that there were supposedly fewer reported attacks in 2009 (by a pretty large amount) compared to 2008 -- so one possible reading of the data is that people have been effective in preventing things like human error breaches much more often, which is what allowed outside hack attacks to take the lead on a percentage basis. However, with recent stories of things like China's hack attack on Google it seems like we'll be hearing more and more stories about these sorts of attacks for one important reason: in many (certainly not all) cases, they can be quite effective.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data breaches, hacking, human error, insiders


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Falvour, 19 Jan 2010 @ 11:08pm

    Straw man?

    "Insiders" != "human error", and it's pretty disingenuous to act as though those are equivalent. Take the TJX data breach, for example -- insider info could have been used, and that's no "human error".

    Retail stores know very well that their own employees are the greatest security risk for shoplifting or malfeasance, and a survey last year apparently indicated that a fair number of IT pros will grab confidential data on the way out of the company, even if they don't use it. Didn't anybody here read Halting State?

    link to this | view in thread ]

  2. icon
    Mike Masnick (profile), 20 Jan 2010 @ 1:47am

    Re: Straw man?

    "Insiders" != "human error", and it's pretty disingenuous to act as though those are equivalent.

    Sorry, I wasn't saying they were the same. I was just comparing the results from two different studies.

    link to this | view in thread ]

  3. icon
    Chargone (profile), 20 Jan 2010 @ 2:34am

    you know, I'm always wary of claims that 'reports of X have reduced' is a good thing. while it can represent that the issues have reduced, and thus the problem is being solved, it can also very often mean that the people who would report things have so lost faith in the system that they no longer see it as worth the effort (that's happened here with a lot of lesser crimes. people just don't bother reporting them much.) alternatively, for many businesses it's in their interest to appear more secure than they acutally are, so they may simply under report such.

    of course, there's no Other way to know how much of such a thing is happening, i suppose, but the automatic assumption that less reports = less issues isn't always the right one.

    'course, this may be simple paranoia speaking. hehe.

    link to this | view in thread ]

  4. identicon
    Simon, 20 Jan 2010 @ 3:42am

    Insider Attacks

    Keep in mind that insider attacks are often quietly dealt with to avoid embarrassment to all parties. If some rogue employee is found lifting data, then it may be mutually agreeable for that person to leave the company. That way the company doesn't have to deal with admitting to their customers that there was (and still is) a risk to their digital assists, and the employee has an improved chance of finding another job or maybe even avoiding a criminal prosecution.

    link to this | view in thread ]

  5. identicon
    Not a Perv, 20 Jan 2010 @ 4:58am

    Re: Straw man?

    "Retail stores know very well that their own employees are the greatest security risk for shoplifting or malfeasance"

    Interesting, because they act like their customers are thieves and use that as an excuse to spy upon them as they try on clothes in the "privacy" of those little rooms.

    link to this | view in thread ]

  6. identicon
    Bad Security Dept, 20 Jan 2010 @ 5:03am

    Re: Straw man?

    "Take the TJX data breach, for example -- insider info could have been used, and that's no "human error"."

    What are you saying?
    The root cause of the TJX breach was not due to human error?
    That's laughable.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 20 Jan 2010 @ 5:59am

    Re: Re: Straw man?

    Only if you consider a catastrophic failure to implement and follow known (and incessantly repeated by data security folks) best practices a human error. And I mean that's crazy talk. Or maybe if you consider a tight focus on passing a security systems audit that you know about in advance and that only happens once a year--while ignoring it the rest of the year--to be a human error. Most likely, though, it's just a stunning coincidence that the data crime attacks become more sophisticated as the defenses fall out of use. Right?

    link to this | view in thread ]

  8. identicon
    united hackers association, 20 Jan 2010 @ 6:01am

    GOVT SPONSORED vs me the hacker

    iv about had it with the media lies and bullshit
    ive about had it with misleading stories painting real hackers as the bad guys when its these fucktard politicians and there lil spy agencies doing all the bad shit on earth

    link to this | view in thread ]

  9. identicon
    Janice Taylor Gaines, 20 Jan 2010 @ 8:06am

    Most Orgs and Individuals Enjoy "Security" as a Matter or Luck

    I'd be curious to know if anyone else here is reading “I.T. WARS”? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors – as well as system failures. Even when considering hacking; it can only happen due to poor systems and security design, or poor practice within the org. The book has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google “IT WARS” – check out a couple links down and read the interview with the author David Scott. (Full title is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium”).

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.