Each time a data breach hits the news, certain sections of the media jump on their hacking hobbyhorse in a frenzy of excitement, frothing hysterically about cyber war and desperate to pin every attack on China, North Korea or Russia – usually in spite of a manifest lack of evidence that these countries are in any way culpable.
“Was it China? I think it was China. It was definitely China.”
“No. WAIT! North Korea! It’s got to be them.”
Although the idea of a group of state-sponsored criminal hackers working in an abandoned nuclear bunker in China (all moody lighting and walls festooned with flat-screen monitors displaying code in scrolling green columns like The Matrix) makes hacking sound sexy, it’s usually just Dave in marketing’s fault for downloading a bank statement emailed to him by a bank that the company doesn’t even have an account with.
Human error is the cause of most data breaches.
It’s no secret that the largest threat to an organisation’s data is its own employees – whether deliberate or not. In fact, some of the most damaging data breaches have been caused by human error. Here are five particularly egregious examples.
Facebook reveals dates of birth of 80,000,000 users
A minor slip-up in a new website design by Facebook back in 2008 led to the dates of birth of 80 million users being publicly accessible. While it’s not the most sensitive data that’s ever been leaked, it can be very harmful if combined with other data to conduct identity theft.
Clinic leaks HIV status of patients
Last year, the 56 Dean Street clinic in London – one of Europe’s busiest sexual health clinics – mistakenly revealed the names and addresses of 780 people subscribed to a HIV newsletter, which included, but was not limited to, patients with HIV.
Recipients of an emailed newsletter were supposed to be blind-copied, but whoever sent it mistakenly copied email addresses into the “To:” field rather than “BCC:”, with the result that every recipient could see everyone else’s names and email addresses. The Guardian reported that the employee responsible was “distraught” at their error.
Pentagon suffers data breach via spear phishing attack
A spear phishing attack on the Pentagon back in August 2015, unsurprisingly assumed to have been caused by Russia, saw the theft of personal information or around 4.000 military and civilian personnel.
Rather than focus on who did it, however, the question should have been how did an employee of the PENTAGON fall victim to a phishing email?
Sony hackers used phishing emails to breach company networks
The cyber attack on Sony Pictures Entertainment in 2014, which left the organisation without computer systems for several weeks, appears to have materialised from a phishing campaign.
A security researcher has found that hackers used phishing emails to penetrate Sony Picture Entertainment’s computer networks last fall.
“We started to realize that there was constant email around Apple ID email verification, and it was in a number of inboxes,” he told POLITICO.
Ubiquiti fraud: the $46 million cyber crime
While this may not technically be a data breach, it’s a human error worthy of mention.
Last year Ubiquiti revealed in an SEC Form 8-K filing that an incident involving “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department … resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.”
Concerned that your staff may not be trained to avoid all of the above and more? Speak to IT Governance today about how we can provide your staff with the knowledge they need to protect themselves and your organisation from data breaches.