What is fat finger error and how to prevent it

Egress | 13th Jul 2023

A fat finger error is a keyboard input mistake that results in the wrong information being transmitted. The term originated in financial trading markets and is now used more broadly in the security industry to describe data breaches that are caused by human error, particularly when the breach is attributed to mistyped information, like an email address.

There are few people who have not experienced the sinking feeling caused by making a fat finger error. Haste or inattention can result in sending incorrect information to recipients or sending sensitive information to the wrong people. It can happen in seconds, but the consequences can be serious.

Data breaches caused by fat finger errors have the potential to cost an organization millions from the resulting customer churn and regulatory fines, as well as the time involved in remediation and ongoing brand damage. According to the 2023 Egress Email Risk Report, 54% of organizations experienced reputational damage as a result of a data breach, and 48% of incidents resulted in the employee exiting the organization. Additionally, when a fat finger error led to a breach of information barriers, 68% of organizations had to cease operations.

We explore what fat finger error looks like, the consequences of it, and how to prevent it below.

What does fat finger error look like?

The ubiquity of email as a communication tool, the pressure under which many employees now work, and the introduction of productivity tools like Outlook autocomplete increase the risk that mistakes will be made when choosing email recipients or selecting files to be attached and shared.

Egress research found that over 91% of organizations have experienced an email data breach with misdirected emails being the biggest contributor to this percentage. Errors that lead to misdirected emails include:

  • Selecting the wrong recipient with autocomplete
  • Choosing the wrong file attachment
  • Failing to use the “Bcc” field
  • Adding someone to an email chain with previous content still displayed
  • Replying to all recipients inappropriately

All these risks are exacerbated when employees are rushing, distracted, or stressed. For example, concentration is easily disrupted when employees are working from home or in open offices, while the small screens of mobile devices can increase the likelihood of a fat finger error.

The impacts of fat finger error

Although a fat finger error is a genuine mistake, the consequences of resulting data breaches are severe and long-lasting.

When a data subject’s personally identifiable information (PII) is lost or exposed to third parties, their right to privacy under regulations such as HIPAA, CCPA, and GDPR has been breached. As a result, the data subject may decide to launch litigation against the offending organization. In cases where numerous people’s PII has been compromised, class action lawsuits may result.

In addition to the compensation paid to data breach victims following lawsuits, organizations also face fines issued by regulators as a penalty for non-compliance. These can reach many millions, depending on the nature and extent of the breach, the impact on data subjects, and what steps were taken by the organization before and after the incident occurred.

Direct monetary factors are not the only consideration. The negative impact on corporate reputations for businesses that are responsible for data breaches is considerable. Unfavorable media headlines can highlight a company’s apparent disregard for customer data protection. This can have a significant impact on the bottom line, as customers involved in the breach start to churn. New potential customers are also discouraged, meaning a data breach can have a long-term impact on revenues.

The effects of a data breach can extend for many years, causing significant tangible and intangible damage to an organization.

How to prevent fat finger error

Fat finger error poses a particular challenge for IT security because it is rooted in human behavior. The chance of someone misdirecting an email varies depending on how rushed, stressed, or distracted they are, what device they are using, and where they are using it. This means most of the contributing risk factors are outside the control of security teams.

Attempts have been made to control the risk of employees causing email data breaches through traditional Data Loss Prevention (DLP) tools. However, these use static rule-based approaches to decide what content can be sent by email and to whom. They do not understand the user’s relationships with different recipients and groups, and cannot detect when the user’s behavior deviates from the norm.

The intelligent DLP employed by Egress Prevent uses contextual machine learning to identify typical user behavior and understand the relationships between the user, their email recipients, and the contents of emails and files that are sent to those recipients. Due to Prevent’s advanced capabilities it can detect when users add the wrong recipient to an email that would lead to a security incident. Prevent will then alert the user to the fact that the recipient does not usually receive this type of content, allowing them to stop the mistake before it happens.
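To make the contrast between static rules and relationship-aware detection concrete, here is a small added illustration written for this page; it is not Egress Prevent’s code, which the page says uses contextual machine learning. It builds a per-recipient profile of which content categories a user has sent before, then flags an outgoing recipient that has never received that category, a never-seen recipient whose domain closely resembles one the user does use (the typical shape of a mistyped or mis-autocompleted address), or a domain the user has never written to. The sent-mail history and the content categories are constructed sample data.

```python
from collections import Counter, defaultdict
from difflib import SequenceMatcher

# Constructed sample of one user's sent-mail history as (recipient, content category) pairs.
# A real deployment would derive both from the mailbox and a content classifier.
SENT_HISTORY = [
    ("alice@partner-corp.example", "contract"),
    ("alice@partner-corp.example", "contract"),
    ("bob@partner-corp.example", "invoice"),
    ("finance@our-company.example", "invoice"),
    ("finance@our-company.example", "payroll"),
    ("hr@our-company.example", "payroll"),
]


def build_profile(history):
    """Map each recipient to a Counter of the content categories they have received."""
    profile = defaultdict(Counter)
    for recipient, category in history:
        profile[recipient.lower()][category] += 1
    return profile


def domain_of(address):
    return address.lower().rsplit("@", 1)[-1]


def check_recipient(profile, recipient, category, lookalike_threshold=0.85):
    """Return reason codes for why this recipient/content pair is unusual; [] means it fits the pattern."""
    recipient = recipient.lower()
    reasons = []
    history = profile.get(recipient)
    if history is not None:
        if category not in history:
            reasons.append("unusual-content-for-recipient")
        return reasons
    # Recipient never emailed before: compare its domain with the domains the user does use.
    new_domain = domain_of(recipient)
    known_domains = sorted({domain_of(r) for r in profile})
    if new_domain in known_domains:
        reasons.append("new-recipient-at-known-domain")
        return reasons
    for known in known_domains:
        # Near-identical spelling of a known domain is the signature of a mistyped address.
        if SequenceMatcher(None, known, new_domain).ratio() >= lookalike_threshold:
            reasons.append(f"lookalike-of:{known}")
    if not reasons:
        reasons.append("never-seen-domain")
    return reasons
```

Run `check_recipient` once per recipient of an outgoing message and prompt the user on any non-empty result; the reason code tells them what looks unusual before the message leaves.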

It is possible to recall a misdirected email only if the email has been encrypted at message level before being sent. This is not an automatic security feature of many email clients, meaning there is usually no option to retrieve messages sent in error. Egress Protect encrypts email messages and attachments in transit and at rest. It provides total control over shared information, including the ability to revoke access to emails when needed. When deployed together, Prevent and Protect can be used to automatically apply the appropriate protection to emails based on keyword policies and the real-time risk to data as it is shared. Consequently, Prevent and Protect combine to strengthen the human layer of data security and mitigate the risk of fat finger error.

Once made, a fat finger error is difficult to reverse. By preventing human-activated data breaches, organizations significantly reduce their exposure to the serious financial, regulatory, and reputational repercussions that accompany them.