Monday, January 20, 2014

Employees - Why So Many Accidental Data Breaches?

According to DataLossDB, which has been tracking data loss events since 2001, 20% of all data loss incidents are due to employee negligence and 8% are due to employee theft of data.
Why so many employee data loss incidents? To evaluate accidental data loss, let's look at the problem from the perspective of the data. In this case, let's consider data that is stored in a data warehouse.

The data warehouse security is locked down and access is restricted to a small set of data analysts and administrators. Of course, the data exists to be used to support business decisions. To that end, a business analyst who fancies herself good at twisting data around in Microsoft Access gets the database administrator to dump a set of data for her for use in a financial product analysis. She does her primary work on her workstation, but being a high performer she stores the data on an external drive so she can work on it at home off hours. She discovers some very interesting patterns that support creation of a new financial product. She emails her analysis and the supporting data to a half-dozen people. Three of the recipients save the reports to their unencrypted laptops. One person fetches the document from home using his home computer through the company Outlook Web Access mail system. And another just forwards the email to her personal email account to read from home.

From its secure origins in the warehouse, the data quickly spread to numerous insecure and unauthorized systems.


Here are a few real-world examples that show our hypothetical scenario isn't so hypothetical:
- April 3, 2009 – An Oklahoma Department of Human Services laptop containing the personal data for one million was stolen from an agency employee's car.[1]
- June 18, 2007 – A Texas A&M professor lost a USB flash drive containing personal identification information of 8,000 students while on vacation in Madagascar. The professor claimed he took the data so he could do work while on vacation.[2]
- September 2008 – An ADP employee accidentally sent a spreadsheet containing the personal identification information of a client's employees to the wrong client.[3]
- October 2006 – The Republican National Committee inadvertently emailed names and social security numbers of top donors to a reporter.


Here is a link to the DataLossDB statistics. Good stuff there.


[1] http://www.scmagazineus.com/unencrypted-laptop-with-1-million-ssns-stolen-from-state/article/131333/
[2] http://attrition.org/dataloss/2007/06/tamcc01.html
[3] http://datalossdb.org/primary_sources/973