Miscellaneous Errors

Summary

Errors have increased substantially this year, possibly indicating a rise in Carelessness, although it may also reflect increased data visibility with new contributors. More than 50% of errors were the result of Misdelivery, continuing last year’s trend, while other errors, such as Disposal, are declining. End-users now account for 87% of errors, emphasizing the need for universal error-catching controls across industries.


What is the same?

We can always count on people making mistakes. The categories of mistakes they make are consistent year over year, and while some Error varieties have been decreasing, the ranking of frequency remains the same.
 

Frequency: 2,679 incidents, 2,671 with confirmed data disclosure

Threat actors: Internal (100%) (breaches)

Data compromised: Personal (94%), Internal (34%), Bank (14%), Other (12%) (breaches)

Data Breach Investigation Report figure 46

I know exactly what I’m doing.

In our fast-paced and hectic world, it is easy to make the occasional mistake. The key is to make sure that those errors remain occasional and do not become habitual. Employees might be inching toward the latter state given the fact that we saw approximately five times as many Error-related breaches this year as we did in last year’s report. Does this substantial increase mean that incompetence and inattention to detail are booming?⁸⁴ Possibly, but it is also, as stated earlier in this report, indicative of the generosity of our data-sharing partners. The greater the number of breaches that we examine, the higher these percentages become. More than 50% of errors in 2023 resulted from Misdelivery (sending something to the wrong recipient), as shown in Figure 46. This was also the No. 1 category in last year’s report.

Misconfiguration is the next most common error and was seen in approximately 10% of breaches. Misconfiguration has been on a downward trend⁸⁵ for the last three years. There are a few possible explanations for this. Chief among them is that (thankfully) many systems are becoming more secure by default, making the practice of standing up new tech without reading the manual a less risky proposal. Other factors may include that security researchers are not spending as much time on finding these systems with their screen doors flapping in the wind, and, lastly, criminals may be using the same tools historically utilized by researchers to discover these errors and exploiting them to steal data, which would result in the attack showing up with a Hacking action rather than Error.

Classification errors, Publishing errors and Gaffes (verbal slips) are all relatively tightly packed in order of mention. Disposal errors continue to decline ever so slightly (as has been the general trend for the last several years) and accounted for just over 1% of the cases in this pattern. It is unclear whether more attention has been paid to this matter or employees have simply gotten better at burning records in a barrel in the parking lot.

Figure 47 shows one rather drastic change in this pattern related to actors: End-user accounted for 87% of errors as opposed to 20% in last year’s report, while System administrators dropped to only 11% (from 46% last year). This drop is in large part the result of the corresponding rise in Misdelivery—it takes a System administrator to misconfigure, but any old End-user can misdeliver. Power to the people!

Data Breach Investigation Report figure 47
Data Breach Investigation Report figure 48

Lastly, the Miscellaneous Errors pattern shows a relatively diverse array of industry types (Figure 48), with Healthcare and Public Administration at the top (understandably, given reporting requirements) and a good showing from other industries such as Financial and Insurance; Education; and Professional, Scientific and Technical Services. This illustrates the important fact that carelessness is somewhat of a universal trait, so employers in any vertical should ensure that their controls will catch these kinds of errors early.

CIS Controls for consideration

Control data

Data Protection [3]
      – Establish and Maintain a Data Management Process [3.1]
      – Establish and Maintain a Data Inventory [3.2]
      – Configure Data Access Control Lists [3.3]
      – Enforce Data Retention [3.4]
      – Securely Dispose of Data [3.5]
      – Segment Data Processing and Storage Based on Sensitivity [3.12]
      – Deploy a Data Loss Prevention Solution [3.13]

Secure infrastructure

Continuous Vulnerability Management [7]
      – Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets [7.6]
Application Software Security [16]
      – Use Standard Hardening Configuration Templates for Application Infrastructure [16.7]
      – Apply Secure Design Principles in Application Architectures [16.10]

Train employees

Security Awareness and Skills Training [14]
      – Train Workforce on Data Handling Best Practices [14.4]
      – Train Workforce Members on Causes of Unintentional Data Exposure [14.5]
Application Software Security [16]
      – Train Developers in Application Security Concepts and Secure Coding [16.9]

⁸⁴ Look around at your coworkers, and use your best judgment to answer that question.

⁸⁵ Not unlike most of civilization
