back to article Cock-ups, rather than conspiracies, top self-reported data breaches

Data breaches at organisations that 'fess up to the UK's data protection watchdog are about seven times more likely to be caused by human error than hackers. According to data released under the Freedom of Information Act, 2,124 incidents reported by organisations in 2017-18 could be pinned on mistakes or incompetence. Only …

  1. Little Mouse

    It's hard not to notice a bcc blunder. It can be less clear if you've been the victim of a hacker / cyber break-in, especially if the miscreant is trying to cover their tracks.

    I wonder how many such intrusions simply go undetected?

    1. Anonymous Coward
      Anonymous Coward

      “I wonder how many such intrusions simply go undetected”

      This!

      I worked as IT director at a PLC cloud SAAS provider. The COO one day instructed me to cease all intrusion monitoring because it wasn’t in the shareholders best interests. I assume that the reason for this is that we can’t report an intrusion we aren’t looking for. I resigned that day after handing in a 5 page resignation letter delivered by a 3rd party solicitor who kept a copy, and refused to work a notice period on the basis that they were asking me to pre-emptively ensure that there was little-to-no evidence of future illegal action. They still paid me 3 months notice anyway, but I think this was just to make me go away quietly.

      There is legislation and then there’s the corporate reality of ignoring legislation unless you get caught, at which point you plead ignorance or successfully blame a junior.

      1. Locky

        plead ignorance or successfully blame the previous COO

        FTFY

      2. Anonymous Coward
        Anonymous Coward

        "They still paid me 3 months notice anyway, but I think this was just to make me go away quietly."

        So what will you do if they are involved in a data breach? Pretend you don't know, or actively point out to the ICO that they really didn't give a shit?

        1. Mark 85 Silver badge

          From the post, a copy of his resignation with apparently the damning evidence is in the hands of a solicitor. That should help with any CYA issues.

          1. Alan Brown Silver badge

            "a copy of his resignation with apparently the damning evidence is in the hands of a solicitor. "

            Which means that not only the ICO would have fun, but the company will find that its liability insurers can (and WILL) wash their hands of the whole damned mess and the main insurer may cite fraudulent misrepresentation as a reason for dropping them as a customer.

            You don't need to get regulators involved to fuck up companies (and executives) that put their necks on the block like this. A quiet word to the insurers can be far more effective,

      3. Doctor Syntax Silver badge

        "There is legislation and then there’s the corporate reality of ignoring legislation unless you get caught, at which point you plead ignorance or successfully blame a junior."

        You don't say how long ago this was but if it was recent the COO should have been aware that the legislators who put together GDPR are wise to such tricks. That's why there there's a higher tier of fines for for this sort of thing. A plea of ignorance wouldn't help and they'd have to pay a junior a hell of a lot to take the blame for that. Realistically a proper investigation by a regulator is going to show that they did monitor and then stopped. There'll probably be a paper trail for costs of monitoring S/W.

    2. Amos1

      We looked at a year's worth of outbound emails for the number of recipients. For business-related emails the max number of recipients was 7 so we set a limit of 10 maximum recipients per email. Others to church memberships, soccer leagues, baseball leagues and the like had dozens to hundreds. Those can't get sent using company email systems any more. All advertising, customer communications, etc. must go through a third-party mass-spammer and those are triple-inspected for format and content so there will be multiple, documented people to blame.

      1. Doctor Syntax Silver badge

        "All advertising, customer communications, etc. must go through a third-party mass-spammer"

        And did those customers give explicit consent for their PII, i.e. email address, to be sent to a mass-spammer?

  2. Jeffrey Nonken

    So... Hanlon's Razor alive and well, I see.

  3. Claptrap314 Silver badge

    Worse than useless data --> worse than useless reporting

    That some government agency would churn out garbage data is par for the course. That El Reg would recycle it as if it were somehow meaningful is dereliction.

    This data is like saying paper cuts are more likely than stabbings. Okay, but the loss of blood in one case averages (at most) one drop, while the other is often life-threatening.

    I've worked at a health care company. A data breach happens anytime anyone gets access to data that they do not have an operational need to have. Okay, but the mean number of individuals affected is single digit. A single cyber intrusion will change that number, as typically, they manage all the records of some class or another.

    If the point of this data is "don't forget the manual failure path", sure. But the tone suggests that this path is a greater threat in practice than cyber intrusions. It is most certainly not.

    1. veti Silver badge

      Re: Worse than useless data --> worse than useless reporting

      To be fair, that's not worse than useless. It's clearly a story that's thrown together very quickly on the basis of a pretty unexciting press release - but those press releases, and stories, are often the necessary building blocks of serious analysis.

  4. Anonymous Coward
    Anonymous Coward

    where's the link to the Kroll report?

    Where it is then, or are we not allowed to see the primary source?

  5. Cuddles Silver badge

    Seems unlikely

    "Cyber break-ins were smaller than all of these"

    Smaller, or less frequent? Leaving a folder full of patient notes on the bus exposes a small amount of information to a small number of people. IT screw-ups, on the other hand, routinely expose billions of records to the entire world.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020