The Root Cause of Data Breaches
Investigating security misconfigurations as the root cause of data breaches
More Info
expand_more
Abstract
In the past decade, the world has experienced numerous severe and impactful data breaches, without indications of this development slowing down. Even worse, research has shown data breaches are still waiting to happen. The occurrence of a data breach has consequences for several involved parties and for society in general. It is therefore only natural that there exists a pursuit to prevent data breaches from happening. Research claims that data breaches happen because of simple and preventable errors made by human, also known as security misconfigurations. This study aims to investigate whether the root causes of severe data breaches are frequently related to security misconfigurations, which would make most data breaches preventable. No such structured research had been done before. We conducted a multiple case study, wherein a number of data breaches was analysed based on publicly available case literature. Assessing the data breaches with the help of our developed framework was part of that analysis, resulting in a systematic characterization of each data breach. The results indicate that in breaches the data are mostly subject to unauthorized access by outsiders, which frequently is made possible by poor security. The organizations directly responsible for that data are large organizations which get breached especially in their storage facilities. Next to the organization which got breached, these sizeable data breaches always affect individuals since at least part of the compromised data is about them or linkable to them. Usually this is not even discovered by the breached organization itself and sometimes only after a long period of time. Ultimately, it can be concluded that data are frequently caused by security misconfigurations and therefore are mostly preventable. On this basis, it is recommended that organizations responsible for sensitive data should be more incentivized to thoroughly combat security misconfigurations, instead of treating IT security as only a technical endeavor.