More data loss comes from sloppy organisations than hackers, says study

Over half of data breaches come from organisational errors and internal mismanagement rather than malicious acts by hackers

Over half of data breaches result from organisational errors and internal mismanagement rather than malicious acts by hackers, according to a study by the Center for Media, Data and Society (CMDS).

The report into European data breaches looked at 350 incidents over ten years and found that, where personal records had been compromised, 57% were due to organisational error, while 41% involved clear acts of theft by hackers.

The CMDS is calling for organisations to own up to these breaches when they happen in the future.

Philip Howard, CEU Professor of global media and communication and director of CMDS, said organisations should be required to report the privacy breaches both to the victims and a privacy commissioner.

“Most people don’t know who has legitimate access to their personal records, and they deserve to know when those records have been compromised,” he said.

“In the news we hear a lot of news stories about hackers who break into systems and steal our personal information,” said Howard. “But that was the minority of incidents – far and away, most of the cases organisational errors, insider abuse, or other internal mismanagement.

The report also concluded that 24% of the Europe-specific breaches were the result of breach attacks launched from the UK, while, for every 100 people living in the UK, 200 personal records have been compromised.

In September, US retailer Home Depot came under fire for delays in notifying customers that their payment card details may have been compromised.

A suspected breach that has been under investigation since early September 2014 was publicly confirmed on 18 September, but affected customers are unhappy about the company's delay in notifying them.

Customers say they should have been notified sooner than three days after the retailer confirmed that a cyber attack compromised about 56 million payment cards.

The email confirmed news of the breach, but said there was no evidence that debit PIN numbers were compromised or cheques affected. It also said there was no evidence the breach had affected stores in Mexico or customers who shopped online at

Read more on Data breach incident management and recovery