Five top causes of data breaches

October 2024

And how to mitigate the risks

Data breaches are like booby traps in movies; some are like the huge stone ball that chases Indiana Jones down a tunnel. Some are sneaky, like the poisoned darts Indie dodges (before he gets chased by a big stone ball!). Nonetheless, like booby traps in Hollywood movies, there are common themes when it comes to data breaches. None of them, to my knowledge, involve being chased by a giant stone ball. And, unlike Indiana Jones, you don’t have to rely on supernatural luck and a sympathetic screenwriter to prevent these breaches occurring.

Back to the real world. While the threat of cyber-attacks continues to loom large, here’s an interesting fact; 75% of breaches reported to the Information Commissioner’s Office (ICO) are non-cyber related – caused by ‘human error’. Or, to put it another way, they’re often attributable to a lack of training and robust procedures to prevent someone making a mistake.

We’ve delved into ICO reporting figures, and put together a top five of the most common causes of data breaches, together with some top tips on how to mitigate the risk of these occurring in your organisation.

Our data breach countdown…

Number 5: Ransomware

Ransomware is a malicious software used by bad actors to encrypt an organisation’s system folders or files. Sometimes the data may be exfiltrated (exported) too. A ransom demand often follows, asking for payment. The attacker will say this can be paid in exchange for the decryption key and an assurance the data they claim to have will be deleted. In other words, it will not be published on the dark web or shared with others. But there are no guarantees even if you choose to pay the ransom. It’s worth noting the ICO and National Cyber Security Centre discourage paying ransoms.

Ransomware attacks can cause a personal data breach, but this may be only one of a number of risks to the business, such as financial, legal, commercial and reputational. These attacks are becoming increasingly sophisticated. It’s now possible for a bad actor to buy an ‘off the shelf’ cyber-attack via the dark web, or tailor a package to suit their needs.

How to mitigate ransomware risks

Appropriate steps need to be taken to protect systems from these types of attacks. Often this will mean investing more time and money into security measures. Here are just some of the ways to try and prevent attacks:

 Implementing Multifactor Authentication (MFA)
Installing antivirus software and firewalls
Use of complex passwords
Keeping all systems and software updated
Running regular cyber security and penetration testing
Monitoring logs to identify threats
Cyber awareness training

Also, crucially making sure you have up-to-date and separate backups is the most effective way of recovering quickly from a ransomware attack.

Number 4: Postal errors

This is a simple administrative error, which can have minor or significant consequences. An item containing personal data is posted to the wrong person. This could be an invoice sent to the incorrect person, exam results put in the wrong envelope or medical information sent to the wrong patient. Breaches of this nature can happen by:

using incorrect addresses
using old addresses
mistakenly including more than 1 letter in the same envelope
mistakenly attaching documents relating to another person to a letter

How to mitigate post breach risks

Robust training and regular reminders!
Using a check list e.g. Step 1) Check the address is correct when drafting a letter. Step 2) Check again after printing. Step 3) Check again before it does in the envelope.

Number 3: Unauthorised access

As the name suggests this is someone gaining access to personal information they shouldn’t have access to. This can be an external or internal threat. To give some examples;

Exploiting software vulnerabilities: Attackers can exploit software vulnerabilities to gain unauthorised access to applications, networks, and operating systems.
Password guessing: Cybercriminals can use special software to automate the guessing process, targeting details such as usernames, passwords and PINs.
Internal threats: Unauthorised access and use of personal data by employees or ex-employees.

Here are some real-life cases:

2022 – a former staff advisor for an NHS Foundation was found guilty of accessing patient records without a valid reason.
2023 – a former 111 call centre advisor was found guilty and fined for illegally accessing the medical records of a child and his family.
2024 – a former management trainee at a car rental company was found guilty and fined for illegally obtaining customer records. Accessing this data fell outside his role at the time.

How to mitigate unauthorised access risks

Here are just some of the ways of reducing your vulnerability to these types of breaches:

Applying the ‘principle of least privilege’ – this sets a rule that employees should have only the minimum access rights needed to perform their roles.
Strong password management e.g. make sure systems insist on complex passwords and prevent users sharing their access credentials.
Monitoring user activity

Number 2: Phishing attacks

Phishing is when attackers send scam emails or text messages containing links to malicious website. Often they try to trick users into revealing sensitive information (such as login credentials) or transferring money.

Any size of organisation is a potential target for phishing attacks. A mass campaign could indiscriminately target thousands of inboxes, an attack could specifically target your company or an individual employee.

Attacks are becoming increasingly sophisticated, and scam messages are made to look very realistic. Sometimes they will know who you do business with, and change just one letter in an email address, so you think it’s from an organisation you know.

Mitigating phishing attack risks

Here are a few tips for some of the ways you can reduce the risk of falling victim to a phishing attack.

Training and awareness to help employees identify spoof emails and texts
Setting up DMARC (Domain-based Message Authentication, Reporting and Conformance) to prevent bad actors spoofing your website domain

Also see NCSC phishing guidance

Number One: Email Errors

Yup, the top cause of data breaches is still email. Emails sent to the wrong recipient(s) or accidentally using CC for multiple recipients (thereby revealing their details to all recipients). A breach of this nature can be embarrassing, and/or can have serious consequences. To give an example:

The Central YMCA sent emails to individuals participating in a programme for people living with HIV. The CC field was used by accident, thereby revealing the email addresses to all recipients. People on the list could be identified or potentially identified from their email addresses and it could be inferred they were likely to be living with HIV.

Mitigating email breach risks

Here are some of the ways you can try and prevent email errors occurring:

Don’t broadcast to multiple people using BCC (it is too easy to make a mistake).Instead use alternative more secure bulk email solutions.
Set rules to provide alerts to warn employees when they us the CC field.
Turn off the auto-complete function to prevent the system suggesting recipients’ email addresses.
Set a delay, to allow time for errors to be corrected before the email is sent.
Make sure staff are trained about security measures when sending bulk communications

One of the biggest weapons in the data protection arsenal is training and awareness. We recently worked with a client who was using an excellent cyber-security training module, which staff had to complete not once, but twice a year. However, training on its own is unlikely to be enough. Regular reminders and updates are needed too. Near-misses and high-profile cases in the media can be used to get the message through.

Here’s a real-life example of a genuine disaster, one I would definitely share. You can just imagine how this happened. The Police Service of Northern Ireland (PSNI) experienced a horrendous, life-changing data breach entirely of its own making. Hidden fields in a spreadsheet disclosed in a Freedom of Information Request revealed the personal details of their entire workforce, including their job description and places of work. It was assumed the list subsequently fell into the hands of paramilitary organisations, leading to an enormously disruptive and expensive personal security review. ICO PSNI fine

The PSNI case also illustrates how some of the worst data protection hazards are those we set for ourselves. Not a big stone ball or poison darts. Simply a human error on a spreadsheet, an error adequate in-house procedures failed to prevent or identify.

How many such hazards are spread across your organisation?

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.