I was playing with the site PrivacyRights.org today. This is a tremendous site where you can get valuable statistics on data breaches and compromised records. Privacy Rights collects information on all publicly available breach data, then provides a simple interface where you can query that data. I did that today, with an emphasis on the human element. What I found really surprised me: humans are responsible for far more breaches than you think.
- I selected all the types of breaches that were human related. Specifically: unintended disclosure, insider threat, and lost, stolen or discarded data (physical, portable and stationary). The number of records breached for 2012? 11.4 million.
- Then I reversed it and selected the three categories not specific to humans: hacking, payment card fraud and unknown. The number of records breached? 16 million.
So out of a total of 27.4 million records breached in 2012, we know 41.6% were human related. However, that percentage is most likely far higher. In my simple analysis above I assumed that none of the hacking related breaches were human related, but we know that is not the case. I'm assuming that at least some of the hacking breaches were caused by attacking the human, including phishing attacks, people plugging in infected USB sticks, or social engineering attacks over the phone. When you add the human attack vector within the hacking category, the human percentage increases dramatically. By the way, if you look at the number of breaches instead of the number of records, the human percentage increases even more.
When you look at statistics like this, I hope people begin to realize that until we go beyond just technology and start investing in people, the bad guys will continue to have it easy.