Mimecast found that insider threats, credential misuse and user-driven errors were involved in most security incidents last year
# Incident Report: Pervasive Human Error Driving Data Breaches in 2024
## Executive Summary
A Mimecast study released in March 2025 highlights that 95% of data breaches in 2024 were attributed to human error, including insider threats, credential misuse, and user negligence. A small subset of users (8%) was responsible for 80% of these incidents, with the Change Healthcare attack serving as a key example of credential compromise via phishing. While organizations are increasing budgets and employing AI for defense, significant concerns remain regarding employee vigilance, preparedness for AI-driven threats, and the security risks introduced by collaboration tools.
## Incident Details
- **Discovery Date:** Findings released March 11, 2025 (based on 2024 data study).
- **Incident Date:** Spanning the 2024 calendar year.
- **Affected Organization:** Multiple organizations surveyed (Change Healthcare cited as example).
- **Sector:** Broad industry impact emphasized across surveyed organizations.
- **Geography:** Not explicitly stated, but reflects findings from surveyed organizations.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout 2024.
- **Vector:** Phishing emails leading to compromised credentials (e.g., Change Healthcare example). Insider threats (compromised, careless, or negligent employees).
- **Details:** Compromised credentials were the primary vector highlighted in a major example incident.
### Lateral Movement
- Not detailed in the scope of the report, but implied as a necessary step following initial access via compromised credentials.
### Data Exfiltration/Impact
- **Details:** Insider-driven data exposure and theft were significant issues, costing surveyed organizations an average of \$13.9 million.
### Detection & Response
- **How it was discovered:** Analysis based on organizational incident reports compiled for the Mimecast study.
- **Response actions taken:** 87% of organizations conduct human training at least quarterly, indicating awareness and ongoing defense efforts. However, 33% still fear employee mistakes with email threats.
## Attack Methodology
This report focuses on the *source* of attacks (human factors) rather than a specific TTP sequence for a single threat actor.
- **Initial Access:** Credential Misuse (phishing), Negligent User Actions, Careless Employee Actions.
- **Persistence:** Not detailed, but implied for insider threat scenarios.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Compromise via phishing emails (explicitly named in the Change Healthcare example).
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Insider-driven data leaks and theft.
- **Exfiltration:** Data leaks and theft by insiders.
- **Impact:** Significant financial loss (\$13.9M average cost for insider-driven events).
## Impact Assessment
- **Financial:** Insider-driven data exposure and theft cost surveyed organizations an average of **\$13.9 million**.
- **Data Breach:** Insider threats (compromised, careless, or negligent employees) accounted for 43% of reported increases in security incidents.
- **Operational:** Predicted to increase, with 66% expecting data loss from insiders to grow in the coming year.
- **Reputational:** Not directly quantified, but high-profile industry breaches linked to human error (like Change Healthcare) suggest significant reputational damage.
## Indicators of Compromise
The nature of the report is statistical, focusing on causes rather than specific IoCs from a single attack.
- **Network indicators:** N/A (Focus is thematic)
- **File indicators:** N/A
- **Behavioral indicators:** Careless handling of email threats, lapses in vigilance due to fatigue, unauthorized use of GenAI tools for sensitive data.
## Response Actions
- **Containment measures:** Not detailed for specific incidents, but general responses include increased training.
- **Eradication steps:** Not applicable in a general study summary.
- **Recovery actions:** Not detailed.
## Lessons Learned
- Human error remains the single largest contributor (95%) to complex data breaches.
- A very small percentage of employees (8%) contribute disproportionately (80%) to security incidents.
- Despite training frequency (87% train quarterly), training is not fully mitigating the risk posed by employee fatigue and email threats (33% fear lapses).
- Collaboration tools (like Slack, Zoom) are expanding the attack surface, with 79% acknowledging new threats and loopholes.
## Recommendations
- **Prevention measures for similar incidents:**
1. Enhance training specifically targeting employee fatigue and common email threat vectors, recognizing current quarterly training may be insufficient.
2. Implement stricter security controls around collaboration tools, as these are increasingly identified as points of failure and expansion of the attack surface.
3. Develop specific organizational strategies to address potential data leaks via Generative AI (GenAI) tools, as 55% of organizations lack specific preparedness for AI-driven threats.
4. Focus greater security investment on email security (cited by 47% as an area needing more budget) and insider threat monitoring, given the disproportionate impact of insider and credential-based incidents.