Miscellaneous Errors

Please provide the information below to view the online Verizon Data Breach Investigations Report.

The information provided will be used in accordance with our terms set out in our Privacy Notice. Please confirm you have read and understood this Notice.

By submitting the form, you are agreeing to receive insights, reports and other information from Verizon and affiliated companies in accordance with our Privacy Policy. California residents can view our California Privacy Notice.

Verizon may wish to contact you in the future concerning its products and/or services. If you would like to receive these communications from Verizon, indicate by selecting from the dropdown menu below. Please note that you can unsubscribe or update your preferences at any time.

Indicates a required field. The content access link will be emailed to you.

View only

Thank You.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

Summary

Misdelivery, Misconfiguration and Publishing errors continue to be the headliners, and the errors that lead to breaches are most often committed by System admins and Developers.
 

What is the same?

Employees continue to make mistakes, and sometimes they result in considerable damage to their organizations.

Frequency

 

602 incidents, 512 with confirmed data disclosure

Threat actors

 

Internal (99%), Partner (2%), Multiple (1%), External (1%) (breaches)

Data compromised

 

Personal (89%), Medical (19%), Other (10%), Bank (10%) (breaches)

2023 Data Breach Investigations Report

You can’t find good help these days.

The great English poet and essayist, Alexander Pope once quipped, “It is hard to hire people who don’t screw things up.” Well, it was something more or less along those lines—just take our word for it. Regardless of who said (or did not say) what, the Miscellaneous Errors pattern continues to comprise a decent chunk of our breach data. If you are a “glass half full” kind of reader, you may take comfort in the fact that this year, error-related breaches are down to 9% as opposed to 13% last year. If you are a “glass half empty” reader, you may simply attribute it to reporting since last year we had 715 error incidents and 708 with confirmed data disclosure as opposed to 602 incidents, with 512 confirmed breaches this year.

It’s my favorite mistake.

Perhaps “favorite” is too strong a word. Misdelivery (sending something to the wrong recipient) accounts for 43% of breach-related errors in our dataset (Figure 41). Publishing errors (showing something to the wrong audience) is in second place at 23%. Finally, Misconfiguration, the much-loved action type of the lazy person, comes in third and accounts for 21% of error-related breaches. This might tempt us to think that people are unreliable—perish the thought. However, you can rely on them to at least keep things interesting by switching up their mistakes to help keep you on your toes.

In fact, as Figure 41 illustrates, Misconfiguration and Misdelivery have ebbed and flowed over the last few years as if they were part of the choreographed dance of celestial bodies. In last year’s report, Misdelivery and Misconfiguration converged, but this year Misdelivery is in the ascendancy,42 whereas our old faithful dog, the Publishing error, is once again meeting Misconfiguration on its downward slope.

2023 Data Breach Investigations Report

If we drill down a little deeper (Figure 42), it’s easy to see that these three Error types have won the popularity contest by a wide margin. However, the team is saddened to see that Gaffe is always at or near the bottom (considering how many of those we make ourselves).

As illustrated in Figure 43, the majority of errors that lead to breaches are committed by Developers and System admins, along with a sprinkling of End-users. Given the Error action types that are most often found in breaches, it is hardly surprising that those who have more responsibility for maintaining the data and the upkeep of the environment are also those who are most frequently responsible. Speaking of responsibility, the error vector of Carelessness appeared in 98% of cases. Yikes! Maybe Pope was on to something.

2023 Data Breach Investigations Report

CIS Controls for consideration

 

Control data

Data Protection [3]
      — Establish and Maintain a Data Management Process [3.1]
      — Establish and Maintain a Data Inventory [3.2]
      — Configure Data Access Control Lists [3.3]
      — Enforce Data Retention [3.4]
      — Securely Dispose of Data [3.5]
      — Segment Data Processing and Storage Based on Sensitivity [3.12]
      — Deploy a Data Loss Prevention Solution [3.13]

Secure infrastructure

Continuous Vulnerability Management [7]
      — Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets [7.6]

Application Software Security [16]
      — Use Standard Hardening Configuration Templates for Application Infrastructure [16.7]
      — Apply Secure Design Principles in Application Architectures [16.10]

Train employees

Security Awareness and Skills Training [14]
      — Train Workforce on Data Handling Best Practices [14.4]
      — Train Workforce Members on Causes of Unintentional Data Exposure [14.5]

Application Software Security [16]
      — Train Developers in Application Security Concepts and Secure Coding [16.9]

42 If you were born under the sign of Misdelivery you should expect good news soon. 3, 9, 13 and 33 are your lucky numbers.

Let's get started.