While the global statistics surrounding the mounting problems of cybersecurity paint an alarming picture, what is sometimes lost in those numbers is the grim reality that victims face as a result of the relentless attacks on computer networks of all sizes. To get a better sense of the daily combat over sensitive personal and business digital data, all one has to do is peruse the website of California’s Attorney General.
That’s just what the folks at San Jose-based Dtex Systems have done. In an analysis released today of the Data Security Breaches reported to the state AG office, the cybersecurity company has delved into some of the details behind the nonstop attacks. And for all the sophisticated tools being developed on both sides of the trench warfare, the depressing reality, according to the report, is that negligent employees and individuals remain one of the most vulnerable parts of the security equation.
“The most effective way to target a company is to target their employees,” said Dtex CEO Christy Wyatt. “I do think it is not a pure sort of perimeter attack any more. It’s not just take down the firewall and then you have free access to a network. These are targeting that squishy middle. Someone is specifically trolling, looking for those human errors.”
Founded in 2002, Dtex has raised almost $40 million in venture capital over the years. Its security focus is squarely on the human element, offering a service that monitors user behavior on networks and across devices to detect unusual behavior. The look at the AG data reinforces the notion that human foibles remain a big part of the security problem.
According to Dtex’s analysis, employees were the fourth largest source of “culprits” reported as being responsible for breaches. Phishing and “files sent to wrong destination” were in the top four contributing factors for breaches; human error and physical theft were the second and third largest causes of breaches respectively, according to the report.
If there is one bit of good news, it’s that for reasons unknown, the number of breach reports dropped significantly from the 149 notification letters filed in the second half of 2017 to the 62 filed in the first half of 2018. That 58 percent drop is big, though it may just be a quirk of the reporting requirements. California requires any company that has sent a breach notice to more than 500 residents to file a copy publicly with the AG’s office.
Reading through those letters offers perhaps an even more desperate view into the cybersecurity war.
In some cases, the breaches are not discovered until years later, as was the case for Massive Media Match, which notified users this month that their data may have been compromised back in 2012. The company was the U.S. subsidiary for Netlog, a social networking platform operated by a Belgium‐based company. Though Netlog closed in 2015, the company discovered the breach only recently.
While that case may be on the smaller side, there are big names on the list, such as Discover, which last year reported a major breach nationally, but only just filed the notice letters with the AG’s office.
Mixed into the list are just about every conceivable target: universities, government agencies, hospitals, local businesses.
That includes even the less probable, like Hair Free Forever, a Ventura-based hair removal company that informed its clients: “Unfortunately, one of our former employees … stole personal and confidential information from our patient’s files and data base, which is a violation of HIPAA and other privacy laws. She has been using this stolen information to contact our patients and we have received several complaints that she is soliciting customers with this protected information.”
Most of them are rather bland, such as the letter TaskRabbit sent to its users after its data breach back in April. Alas, for those users, such letters remind them to change passwords and continue to monitor their credit card accounts and credit agency ratings.
Doing so once is a pain. Taken together, though, the letters serve as a reminder of just how vulnerable you may be if, in just the past few months, you shopped at Best Buy or Sears, used a Discover card, bought tickets on Delta, Southwest, or Orbitz, or bought a yoga mat from Mandukao or sausages from Usinger’s Famous Sausages of Milwaukee. The reality is that obsessively monitoring passwords and credit cards ought to be a daily habit.
Even the poor employees of Ohio-based Autism Learning Services can’t catch a break:
Autism Learning Partners, and its subsidiary, A is for Apple, is committed to maintaining the privacy of our current and former employees’ personal information … On March 15, 2018, A is for Apple sent an email to a former employee in response to her request for a copy of her 2017 IRS Form W-2. Instead of sending only the former employee’s W-2, the response inadvertently included an attachment with the W-2 forms for all current and former employees, including yours. The former employee quickly reported this error to us and stated that she immediately deleted the file from her account.
Most problematic is that in many cases, companies, employees, and clients are not aware of the breaches until months or years later. Often, it comes from a customer discovering someone misusing their personal data and tracing it back to a company, which then launches an investigation and only after informs customers of the breach. And by then, the thieves have had ample time to abuse the data.
Wyatt said she is optimistic that this battle can eventually be won, or at least better contained. But at the moment, security remains a big blind spot for too many companies and consumers.
“The ability to see these things is not necessarily happening in real time,” she said. “We come in, and run trials, and see things in progress, and these businesses didn’t see them because they just didn’t have the right tools to see them.”