Underreporting Small Data Leaks Leads to Big Consequences

Canada’s privacy commissioner’s office says systemic underreporting of data loss in federal agencies likely means more citizens and businesses are at risk than previously calculated.

Specifically, the House of Commons says federal departments and agencies have failed to protect 144,000 Canadians’ personal information over the past two years. Further, not everyone affected was informed. The underreporting of incidents is largely associated with small breaches.

“Most reports on data breaches only cover incidents that reach a threshold of people affected, which only allows us to see big breaches of, say, five hundred records or more,” said Paul Bischoff, privacy advocate with Comparitech. “The CBC’s report is interesting because it shows just how often smaller data incidents occur. Eight thousand incidents in two years is more than 10 breaches per day!”

Comparitech’s Paul Bischoff

Small breaches can appear of little consequence at first because they appear to affect only a few people.

“The report is a good example of how most data breaches are caused by human error and not by hackers overcoming cybersecurity measures. Even the most well-equipped organizations can do little to stop employees from accidentally emailing the wrong person,” said Bischoff.

But as the House of Commons’ new calculations proved, small breaches add up to big consequences. In this case, 144,000 people in all were affected.

Even so, Canada appears to be making strong headway in improving data-breach reporting. In the first year after Canada’s privacy law came into effect on Nov. 1, 2018, the Office of the Privacy Commissioner of Canada received six times the number of reports than the previous year — 680 security breach reports from November 2018 to November 2019.

Those reported breaches, however, were larger and due to problems commonly encountered in other countries.

NuData Security’s Lisa Baergen

“With Canadian companies now compelled to report data breaches, the number of breaches and personal information exposed is still alarming and underscores the reality: Relying on credentials is outdated,” said Lisa Baergen, VP of marketing at NuData Security, a Mastercard Company, last November when the uptick in reports first surfaced.

“Most static data like name, birthday, social security numbers and more are on the dark web for sale making such things as passwords and other credentials ineffective for truly identifying friend from foe,” Baergen added.

Because the small breaches affected so few people and were often attributable to human error, not everyone affected was notified and not every offender was aware of the offense at the time.

In the U.S., data breach notification laws vary by state. This creates a quagmire for breached companies to wade through and increases the potential for error and other compliance failures.

Given so many potential reporting gaps, especially in terms of smaller data breaches and leaks, MSSPs might want to consider offering audits and other services specifically designed to find and address these smaller vulnerabilities before they create big problems for their clients. It could very well be another important and lucrative revenue stream too.