We’ll see your Advanced Persistent Threat (APT) and raise you a “bcc”, “reply all”, “fat finger”, “address typo” and wrong fax number.
A new report from the UK’s Information Commissioner’s Office (ICO) today attributed 337 data breaches in the fourth quarter of 2019 to the perennial issue of data being “emailed to incorrect recipient”.
(The figure represents more than five emails sent to the wrong person daily around the country: a genuinely persistent problem.)
See also: This Email Security Startup’s Stormed the Dutch Market – Can it do the Same in the UK?
The figure is marginally down from the 392 such incidents reported in Q4, 2018, but comes as a stark reminder that data protection involves so much more than effective firewalls — the vast majority of data breaches reported to the ICO did not involve any form of network intrusion.
Organisations are obliged to submit data breach [pdf] reports under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Failure to do so can incur a modest £1,000 fine.
Main Cause of Data Breaches
The cause of 718 data breaches was attributed to “other non-cyber incident”, with data “posted or faxed to incorrect recipient” the cause of 265 incidents. (Cyber incidents did account for a notable number of breaches: phishing was blamed for 280, “unauthorised access” for 175.)
Tony Pepper, CEO of Egress, a company that provides tools to help prevent emails being sent to the wrong people, said: “While organisations often focus on how [email] can be exploited for inbound attacks like phishing, ‘inadvertent insiders’ making mistakes are a far greater risk.
“Remote working during the COVID-19 lockdown has only amplified this. We’ve seen an average 23 percent rise in email usage, as organisations rely even more heavily on it as a critical business communication tool.
“The ICO’s figure, sadly, will only be the tip of the iceberg for the actual number of misdirected emails in the UK. These incidents traditionally require employees to notice they’ve made a mistake and self-report – and not everyone is willing to do that for fear of repercussions.