CEO DailyCFO DailyBroadsheetData SheetTerm Sheet

Blame dumb mistakes for more and more of data breaches

May 20, 2020, 3:57 PM UTC

This is the web version of Data Sheet, Fortune’s daily newsletter on the top tech news. To get it delivered daily to your in-box, sign up here.

In the cybersecurity industry, good data is hard to come by.

My email inbox is littered with exaggerated claims and dubious survey results. They purport to reveal frequency of hacks, the prevalence of unaddressed vulnerabilities, or the amount of money businesses lose to cybercriminals. I treat most of these as I do expired milk: with a wrinkled nose and a visit to the trash bin.

There’s an exception to the rule. I always make time for a briefing that covers one particular report. Each year, Verizon publishes a compendium that is among the industry’s finest. I consider the “data breach investigations report,” or DBIR, as it’s known, to be like an annual visit to the doctor for a physical examination; it sets a baseline and gives an overview of one’s health.

This year’s report, Verizon’s 13th edition, is as colorfully written as always (the introduction quotes Oscar Wilde) and equally rigorous. Sourcing data from 81 government and industry partners, the report reviewed a record total of 157,525 security incidents and confirmed 3,950 data breaches across 16 industries. The eye-popping number of incidents—which includes Denial of Service, ransomware, and phishing—far exceed the number of breaches, because the latter requires confirmed exposure of data.

The finding that caught my eye the most this year was the indomitable rise of human “error” as a cause of breaches. It is the only factor that has consistently increased year-over-year since 2015. Other data breach causes, like hacking and malware, are dropping. “If we said last year that humans are the weakest link in the chain and the easiest way into computer networks these days, that’s more true now than it ever has been before,” Bryan Sartin, Verizon’s executive director of global security services, told me.

But don’t lose faith in humanity. Humans are imperfect—but they may be getting better, not worse, despite what the data shows.

“Misdelivery,” like sending sensitive emails to the wrong people, and “misconfiguration,” like putting improperly secured databases online, are among the top five breach causes this year. But as the report’s authors note, that may be because of stricter privacy laws being adopted around the world. New regulations are forcing people to disclose more often when such mishaps happen; the behavior is getting “normalized.”

Internal threat actors, or a company’s own employees, have climbed over the years as a cause of breaches. But this too could simply be a result of more people reporting their mistakes.

“People can, and frequently do, make mistakes and many of them probably work for you,” the report warns. But a deeper analysis suggests, hopefully, that recent regulatory changes appear to be working, leading to more visibility and better data.

“We are getting better at admitting our mistakes rather than trying to simply sweep them under the rug,” the authors write.

Robert Hackett

Twitter: @rhhackett

Email: robert.hackett@fortune.com

THREATS

Sunless skies. Big companies like Cigna, Raytheon Technologies, and FedEx are pushing for uniform cybersecurity and data handling practices to be adopted by cloud computing providers like Amazon Web Services, Microsoft Azure, and Google Cloud, the Wall Street Journal reports. A lack of standardization means more work and unnecessary complication for businesses, the corporate customers say. 

Heck, no, we won't go. Anti-lockdown protestors flagrantly defying stay-at-home orders may be spreading coronavirus contagions far and wide, the Guardian reports. Location data from cellphones associated with protestors were seen traveling hundreds of miles and crossing between states. Epidemiologists have warned that such behavior could lead to a surge in infections.

Desert dust-up. A traffic-crippling cyberattack on an Iranian shipping port, Shahid Rajaee, is said to have been the work of Israeli spies, the Washington Post reports. The strike may have been retaliation for an earlier attempted hack of an Israeli water utility, according to intelligence officials. Meanwhile, a new report says that while civilian hacking activity has decreased 90% out of Iran since the onset of pandemic, the country's military hacking escapades have abated less, about 30% to 50%. 

Please remain seated until the seat belt light is off. European budget airline EasyJet disclosed a data breach affecting as many as 9 million customers. An unauthorized person or group purloined people's email addresses and travel details. More than 2,200 people also had their credit card information accessed. The airline, which learned of the breach in January, said it plans to notify victims by May 26.

Star-crossed lovers. People are hacking the Nintendo video game Animal Crossing in order to plant trees bearing "star fragments," a hot in-game commodity. The Washington Post warns that engaging in such rogue activity "not only puts you at risk for a potential ban...but could destabilize your game." Meanwhile, someone is hacking supercomputers in Europe to mine virtual currency.

Is the head of U.S. Army Cyber Command trying to flirt with me?

ACCESS GRANTED

Why did Facebook recently buy GIPHY, the ubiquitous search engine for gifs? Owen Williams at tech blog OneZero says the acquisition provides a way for Facebook to peer across the Internet, linking people's devices to the non-Facebook apps they use. Wherever GIPHY has a foothold—from Apple's iOS keyboard to Twitter—Facebook may be able to glean data useful for to its advertising business.

Adam Mosseri, head of Instagram, disputed this idea, saying Facebook is primarily interested in knowing what's trending online—data of another sort. Here's Williams:

Acquiring Giphy is a smart play by Facebook, which has become increasingly unavoidable in life online. While you may successfully block trackers like the Facebook ad pixel following you around online, or even delete your Facebook account, the majority of us wouldn’t suspect we’re being monitored when we’re sending funny images to friends.

FORTUNE RECON

Spotify shares soar on news of Joe Rogan’s exclusive podcast deal by Lucas Shaw

Facebook makes a bigger push into shopping with new online storefronts for businesses by Jeremy Kahn

Walmart’s online sales surge during the pandemic, bolstering its place as a strong No. 2 to Amazon by Phil Wahba

As reopening becomes polarized, businesses need to use common-ground language by Michal Lev-Ram

What will Uber look like after the coronavirus? by Lucinda Shen

How Honeywell’s CEO plans to survive—and thrive—through pandemic by Robert Hackett

ONE MORE THING

A couple years ago, the social fitness app Strava came under fire for exposing the locations of secret U.S. military bases by logging the jogging routes of soldiers. Now Untappd, the social beer-drinking app, is catching heat for enabling military and intelligence personnel to be tracked around the world, a researcher at the investigative site Bellingcat found

Great, now everyone is gonna learn about my secret martini haunt.