Key Findings from 2015 Client Data Breaches from Kroll
■ Non-malicious mistakes lead to majority of losses.
Human errors — accidental exposure, lost devices and other non-malicious forms of data loss — were at the root of 60% of cases.
■ Insiders cause almost three in four data breaches.
Current and former employees along with related third parties accounted for almost 70% of data breaches.
■ Malicious breaches often very low-tech.
Hacking gets the headlines, but 58% of breaches considered malicious or non-accidental resulted from stolen data, such as from laptop thefts.
■ Paper records are still a big risk.
In the age of digital hype, the threat of a breach via paper records was still surprisingly strong at 32% of the cases.

Four industries accounted for the majority of our clients’ breaches in 2015. In particular, we found:
■ Healthcare organizations report the most small breaches.
Some 62% of our healthcare clients experienced a small breach (fewer than 500 affected individuals). Accidents and mistakes were overall leading causes, but thefts of electronic devices accounted for 78% of malicious breaches.
■ Financial services saw most risk from careless employees.
Not only did current employees account for 54% of breaches for these clients, but in three out of four cases, the loss was accidental in nature.
■ Retail breaches caused 100% by outside perpetrators.
Fully 100% of the cases that we handled for retail clients were caused by an outside perpetrator and were malicious in nature. Even more surprising, 44% of cases involved paper records.
■ Educational institutions targeted for “prized triad” of personally identifying information.
Thieves that targeted educational institutions managed to steal the most highly sought-after data set — name, Social Security number and date of birth — 56% of the time.