Every time a data breach hits the news, certain sections of the media jump on the story, frothing hysterically about cyber war and desperately pinning the attack on a foreign government – even though they usually know nothing about how the attack took place.
“No, wait! North Korea. It’s got to be them!”
Although the idea of a group of state-sponsored criminal hackers working in an abandoned nuclear bunker in Moscow makes hacking sound sexy, data breaches are usually caused by Dave in accounting, who downloaded a bank statement emailed to him by a company his organisation doesn’t even have an account with.
Of course, it’s not always Dave’s fault, but human error is the cause of most data breaches.
Breaches caused by human error are rarely on the same scale as elaborate cyber attacks, but the embarrassment caused by employees’ mistakes makes them almost as damaging. Here are four particularly bad examples.
1. Health clinic leaks patients’ HIV statuses
In 2015, the 56 Dean Street clinic in London sent out a newsletter disclosing the names and email addresses of approximately 780 HIV patients. Subscribers to the newsletter were supposed to be blind copied into it, but the sender mistakenly copied the email addresses into the “to” field. As a result, recipients could see the contact details of other subscribers.
Elliot Herman, a subscriber to the newsletter, told the Evening Standard that he knew some of the people whose HIV status had been disclosed.
“I’m obviously very disappointed, I just think it’s a massive breach of data protection.”
He added: “There were lots of people on there and not all of them have revealed their HIV status to people.”
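The failure here is purely mechanical: a subscriber list pasted into the visible "To" header instead of "Bcc". An outgoing-mail guard can catch it before the message leaves. The following Python is an added example (not code from the clinic or the original article) showing a newsletter builder that keeps subscribers in Bcc, plus a pre-send check that refuses any bulk message exposing more than one address in To/Cc. The subscriber addresses are constructed placeholders; `max_visible` and the function names are assumptions of this example.

```python
"""Pre-send check for the 56 Dean Street failure mode: a bulk mailing whose
subscriber list has landed in the visible To/Cc headers instead of Bcc."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample subscriber list (placeholder addresses, not real people).
SUBSCRIBERS = [f"subscriber{i}@example.org" for i in range(1, 6)]


def build_newsletter(sender, subscribers, subject, body, use_bcc=True):
    """Build a bulk message.

    With use_bcc=True the list goes in Bcc and the only visible recipient is
    the sender's own address; with use_bcc=False the list is copied into To,
    reproducing the mistake described in the article.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if use_bcc:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(subscribers)
    else:
        msg["To"] = ", ".join(subscribers)
    return msg


def visible_recipients(msg):
    """Every address a recipient will be able to see: To and Cc only.
    Bcc is not included because the mail server strips it before delivery."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(h) for h in headers]) if addr]


def recipient_exposure(msg, max_visible=1):
    """Return the exposed addresses if more than max_visible are visible,
    otherwise an empty list (max_visible is an assumed policy threshold)."""
    visible = visible_recipients(msg)
    return visible if len(visible) > max_visible else []


def safe_to_send(msg, max_visible=1):
    """True when the message passes the exposure check."""
    return not recipient_exposure(msg, max_visible)


if __name__ == "__main__":
    good = build_newsletter("clinic@example.com", SUBSCRIBERS, "Newsletter", "Hello")
    bad = build_newsletter("clinic@example.com", SUBSCRIBERS, "Newsletter", "Hello",
                           use_bcc=False)
    print("Bcc version safe:", safe_to_send(good))
    print("To version exposes:", recipient_exposure(bad))
```

The check sits between the mail client and the outgoing server; wiring it into a real pipeline (for instance a send hook in the mailing tool) is left to the deployment, but the rule itself, "a bulk message may not show more than one address", is what would have stopped this breach.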
2. Facebook reveals 80 million users’ dates of birth
When Facebook was redesigning its website in 2008, a minor error exposed 80 million users’ dates of birth to the public. Fortunately, there wasn’t much that criminals could do with users’ names and birthdates alone, but it’s a dangerous precedent. Facebook stores vast amounts of information on people, so another mistake could be devastating.
3. Pentagon breached via social engineering attack
In July 2015, criminals launched a spear-phishing attack targeting Joint Staff at the Pentagon. The breach affected about 4,000 military and civilian personnel, and was credited to Russian hackers.
Perhaps less important than who conducted the attack is how an employee of the US Department of Defense fell for a phishing scam. Pentagon staff protect military secrets and other classified information, and yet someone was tricked by a relatively simple attack.
4. Boeing employee emails sensitive information to his spouse
In January 2016, Boeing discovered that an employee had emailed a spreadsheet containing sensitive information of 36,000 colleagues to his spouse.
He sent the spreadsheet to his spouse – who doesn’t work at Boeing – to help with a “formatting issue”, according to the aerospace firm. It contained employees’ full names, places of birth, employee IDs, and, in hidden columns, Social Security numbers and dates of birth.
According to Boeing’s deputy chief privacy officer, Marie E. Olson, the employee “did not realize the spreadsheet included sensitive information because that information was contained in hidden columns”.
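The lesson from the Boeing case is that what the sender sees in a spreadsheet is not what the file contains: hidden columns travel with it. A pre-share check therefore has to inspect every column, hidden or not, rather than the visible view. The Python below is an added example (not Boeing's code or the article's) that models a worksheet as a small in-memory structure with a set of hidden column names, then flags columns whose header names a sensitive field or whose values match the Social Security number format even when the header is innocuous. The `Sheet` class, the sample rows and the regular expressions are constructed for this example; against a real workbook the hidden flag would come from the file itself (for example openpyxl's `column_dimensions[...].hidden`).

```python
"""Pre-share scan for the Boeing failure mode: a spreadsheet leaving the
organisation with sensitive fields in columns the sender cannot see."""
import re
from dataclasses import dataclass, field

# Values formatted like a US Social Security number (constructed pattern).
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
# Header keywords that mark a column as sensitive regardless of its values.
SENSITIVE_HEADERS = ("ssn", "social security", "date of birth", "dob")


@dataclass
class Sheet:
    """Minimal in-memory stand-in for a worksheet (hypothetical structure).
    A real check would read hidden flags from the file via a library."""
    headers: list
    rows: list
    hidden_columns: set = field(default_factory=set)


# Constructed sample: the visible columns look harmless, the hidden ones do not.
SAMPLE = Sheet(
    headers=["Name", "Place of birth", "Employee ID", "SSN", "DOB"],
    rows=[
        ["Ada Example", "Seattle", "E1001", "123-45-6789", "1980-01-02"],
        ["Bob Sample", "Everett", "E1002", "987-65-4321", "1975-07-30"],
    ],
    hidden_columns={"SSN", "DOB"},
)


def classify_column(header, values):
    """Return a reason string if the column looks sensitive, else None."""
    name = header.lower()
    if any(keyword in name for keyword in SENSITIVE_HEADERS):
        return f"header '{header}' names a sensitive field"
    non_empty = [v for v in values if v not in (None, "")]
    if non_empty and all(SSN_RE.match(str(v)) for v in non_empty):
        return "values match the Social Security number format"
    return None


def scan_sheet(sheet):
    """Inspect every column, hidden or not, and return findings as
    (header, is_hidden, reason) tuples."""
    findings = []
    for idx, header in enumerate(sheet.headers):
        values = [row[idx] for row in sheet.rows if idx < len(row)]
        reason = classify_column(header, values)
        if reason:
            findings.append((header, header in sheet.hidden_columns, reason))
    return findings


def hidden_sensitive_columns(sheet):
    """Headers of sensitive columns the sender would not see on screen."""
    return [header for header, hidden, _ in scan_sheet(sheet) if hidden]


def visible_only_view(sheet):
    """What the sender actually sees: the headers of unhidden columns."""
    return [h for h in sheet.headers if h not in sheet.hidden_columns]


if __name__ == "__main__":
    print("Sender sees:", visible_only_view(SAMPLE))
    for header, hidden, reason in scan_sheet(SAMPLE):
        flag = "HIDDEN" if hidden else "visible"
        print(f"{header} ({flag}): {reason}")
```

The value-based rule matters because renaming a header does not make the data less sensitive; the header-based rule matters because an empty or sparsely filled column still tells a recipient what the file is for. Either finding should block the share until a person has looked at the full, unhidden sheet.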
Getting cyber secure doesn’t have to be difficult
As these examples show, sometimes all it takes to prevent a data breach is for staff to be more aware of their security obligations. Anyone who has access to personal or confidential information is a potential weakness, so all organisations should commit to regular staff awareness training to help employees keep data secure and avoid cyber attacks.
Our Information Security Staff Awareness E-learning Course uses clear, non-technical language to familiarise your employees with the basics of security awareness policies and procedures. It covers digital and physical threats, including phishing emails, network vulnerabilities and securing data in transit and at rest.