Common Data Breaches Caused By Human Error
By Simukai Nehonde, on 24 September 2021
The mandatory Data Protection awareness training has proved to be effective over the past couple of years. UCL members are now more aware than ever, of the issues that data breaches can cause; but what are some of the most common causes of data breaches UCL members should look out for?
Data breaches are not only caused by someone acting maliciously. Verizon, one of the world’s largest IT solutions providers, found that more than 1 in 5 incidents resulted from a mistake made by a member of the organisation.
Within UCL the most common data breach incidents are caused by human error: usually involving personally identifiable information (PII) that been sent to the wrong recipient via email, or through the post or giving access to an unauthorised individual to information on IT systems.
In this blog piece I will discuss what UCL members should think about and do when sharing personal data via email.
It is everyone’s responsibility to adopt, maintain and follow information security and data protection best practices when processing information.
Avoiding Human Error When Sending Emails
When sharing personal information via emails, it is the responsibility of the sender to ensure the following:
- Ask yourself what type of information are you sharing? – Any personal or sensitive data should be shared in a secure manner.
- Who are the intended recipients? – Before sending the data, users are advised to exercise due diligence and double-check that the recipients ‘email addresses are correct.
- Are there multiple recipients? – When sending emails to multiple recipients, ask yourself whether the recipients are known to each other and whether their email addresses can be disclosed to the other recipients. If not, always use the “BCC” option in your email client which hides email addresses not the “CC” option. Recently the BBC reported that more than 250 people’s lives were put at risk after the MoD mistakenly disclosed email addresses containing names of individuals who were Afghan interpreters. The data breach occurred when the 250 individuals were “CC’d” in an email sent to them, instead of “BCC” meaning they could see each other’s personal information.
Human error accounted for 88% of incidents reported to the Information Commissioner’s Office (ICO) in year 2017/2018.
During the 1st Quarter of Year 2021/2022, the Information Commissioner’s Office (ICO) received a total number of 405 data breach incident reports which were caused by emails being sent to the wrong recipients
Human errors leading to data breaches can cause serious reputational damage and financial implications to organisations. In 2016 the BBC reported that an NHS trust was fined £180,000 after a Sexual Health Centre leaked the details of almost 800 patients who had attended the clinic. The disclosure was caused by a human error when a member of staff emailed the patients, entering their email addresses in the “To” field instead of the “BCC” meaning their addresses were visible to all the other recipients.
DATA BREACH INVESTIGATIONS REPORT (Data Breach Investigations Report) Verizon Business. Data Breach Investigations Report. [online] Available at: https://www.verizon.com/business/en-gb/resources/reports/dbir/
AFGHANISTAN: MOD SHARED MORE THAN 250 AFGHAN INTERPRETERS’ DETAILS ON EMAIL: BBC News. 2021. Afghanistan: MoD shared more than 250 Afghan interpreters’ details on email. [online] Available at: https://www.bbc.co.uk/news/uk-58629592
INFORMATION COMMISSIONER’S OFFICE (ICO) (Previous reports, 2021) Ico.org.uk. Previous reports. [online] Available at: https://ico.org.uk/action-weve-taken/data-security-incident-trends/previous-reports/
INFORMATION COMMISSIONER’S OFFICE (ICO) ico.org.uk. [online] Available at: https://ico.org.uk/media/action-weve-taken/csvs/2620168/data-security-incident-trends-q1-202122.csv
NHS TRUST FINED FOR 56 DEAN STREET HIV STATUS LEAK (NHS trust fined for 56 Dean Street HIV status leak) BBC News. NHS trust fined for 56 Dean Street HIV status leak. [online] Available at: https://www.bbc.co.uk/news/technology-36247186