In some fields, such as medical data entry, hackers have actually surpassed accidental data disclosure, or data spillage, as the cause of lost data. However, this is a fairly new trend. By and large, more data has been lost due to accidental leaks than due to cybercrime. Here are some of the more well-known cases in recent memory.
Uber
In late 2015, Uber accidentally exposed the personal data of hundreds of its drivers. The leak included Social Security numbers, copies of drivers' licenses, vehicle registration numbers and much, much more. Even drivers who had never actually taken a job from the service, but had simply signed up, saw their taxi certification forms and W-9s being spread across the internet; 674 drivers in total were affected by the leak.
The good news is that damage was minimal, and the company's security team took only a half-hour to patch the leak. Organizations that handle sensitive data often evaluate their exposure and related services such as Information Technology (IT) Insurance when they review their incident response plans.
Google
Here's an interesting statistic: in the UK, fewer than five percent of around 220,000 requests made to Google for the removal of online information come from criminals, politicians or public figures. Ninety-five percent of the requests for the removal of sensitive information come from private citizens who just want to keep their private information private.
Of course, Google reveals personal data about people by nature of being a search engine; the notable problem here is that Google accidentally leaked the intel on their "right to be forgotten" requests. Rather than this information simply vanishing without a trace, Google released information on individuals making these removal requests. Companies that index or manage personal records should consider protections like On-line Database Information Retrieval Service Insurance when assessing risk.
Menulog
Menulog is an Australian food and beverage ordering service where users can log in and book their meal for delivery. They suffered a major leak in which customers were able to see what other customers had ordered through their phone app. Users logged in only to see other people's histories and data, rather than their own.
Menulog quickly shut down their website and patched the security flaw, but not before the email addresses and names of over one million users had been exposed. Businesses that process customer data should review breach response plans and exposures that might be covered by products such as Data Breach Insurance.
If your organization handles personal data, review your security practices and incident response plan, and if you need help reviewing coverage options, talk to an agent.
Frequently Asked Questions
What is accidental data disclosure?
Accidental data disclosure happens when personal or sensitive information is exposed unintentionally, for example through misconfigured systems, user error, or software bugs.
How can individuals protect their personal information after a leak?
Individuals should change passwords, enable two-factor authentication where available, monitor financial accounts, and consider credit monitoring if financial identifiers were exposed.
Can businesses reduce the risk of accidental leaks?
Yes. Best practices include regular access reviews, secure development testing, least-privilege permissions, logging and monitoring, and an incident response plan.