Fat finger error: What is it, and how to prevent it

Email security

What is a fat finger error

A fat finger error is a keyboard input mistake that results in the wrong information being transmitted. The term originated in financial trading markets to describe an incident where an order to buy or sell is placed at a much greater size than intended, or for the wrong stock, because of human error when typing. Fat finger errors have cost companies millions.

The phrase “fat finger error” is now used more broadly in the security industry to describe data breaches that have been caused by human error, particularly when the breach is attributed to mistyped information, like an email address.

There are few people who have not experienced the sinking feeling caused by making a fat finger error. Haste or inattention can result in sending incorrect information to recipients or sending sensitive information to the wrong people. It can happen in seconds, but the consequences can be serious. Data breaches caused by fat finger errors also have the potential to cost millions in customer churn and regulatory fines, plus time to remediate and ongoing brand damage.

What does a fat finger error look like?

The most common form of fat finger error that puts sensitive data at risk is a misdirected email. The ubiquity of email as a communication tool, the pressure under which many employees now work, and the introduction of productivity tools like Outlook autocomplete all increase the risk that mistakes will be made when choosing email recipients or selecting files to be attached and shared.

It is a scenario familiar to anyone who uses email. When typing an email address in the “To” field of your email client, the autocomplete function suggests an address based on the first few letters. With a brief glance at the screen, you hit the Enter key and the address is completed automatically. It is a time-saving feature designed to improve productivity.

However, what if instead of choosing Julie@yourcorp.com, the Company Secretary to whom you are sending the board meeting agenda and accompanying materials, autocomplete suggests Julie@yopagroup.com, a contact at a supplier company whose contract is subject to board review? You don’t spot the error, and the company’s sensitive board meeting agenda and details are now in the hands of an unauthorized third party. An embarrassing and potentially costly data breach incident has occurred.

Misdirected emails are a primary cause of data breaches. Egress research found that over 80% of organizations have experienced email data breaches caused by users unintentionally selecting the wrong recipient. Other common causes include choosing the wrong file attachment, failing to use the “Bcc” field, adding someone to an email chain with all contents displayed below, and replying to all recipients inappropriately.

All these risks are exacerbated when employees are rushing, distracted or stressed. A fat finger error is also easily made when employees are working from home or using mobile devices, as concentration is easily disrupted and smaller screens provide less visibility over email recipients.

Unintentional fat finger errors and misdirected emails are not the only human-activated breach risk residing in email systems. Phishing campaigns conducted by cybercriminals rely on the same vulnerabilities for success. By using email addresses that closely resemble genuine employee contacts, criminals gamble that busy employees will not check that the request to transfer funds or send confidential information has come from the proper authority.

The implications of fat finger error

Although a fat finger error is a genuine mistake, the consequences of resulting data breaches are severe and long-lasting.

When a data subject’s personally identifiable information (PII) is lost or exposed to third parties, their right to privacy under regulations such as HIPAA, CCPA and GDPR has been breached. As a result, the data subject may decide to launch litigation against the offending organization. In cases where numerous data subjects have been affected, class action lawsuits may result.

In addition to the compensation paid to data breach victims following lawsuits, organizations also face fines issued by regulators as a penalty for non-compliance. These can reach many millions, depending on the nature and extent of the breach, the impact on data subjects, and what steps were taken by the organization before and after the incident occurred.

Direct monetary factors are not the only consideration. The negative impact on corporate reputations for businesses that are responsible for data breaches is considerable. Unfavorable media headlines that highlight a company’s apparent disregard for customer data protection, and that also emphasize the risks of personal data theft, all contribute to loss of reputation and customer trust. This can have a significant impact on the bottom line, as customers involved in the breach decide to take their business elsewhere. New potential customers are also discouraged, meaning a data breach can have a long-term impact on revenues.

The effects of a data breach can extend for many years, causing significant tangible and intangible damage to the organization.

How to prevent fat finger error

Fat finger error poses a particular challenge for IT security because it is rooted in human behavior. The chance of someone misdirecting an email varies depending on how rushed, stressed or distracted they are, what device they are using, and where they are using it. This means most of the contributing risk factors are outside the control of security teams.

Attempts have been made to control the risk of employees causing email data breaches through Data Loss Prevention (DLP) tools. However, these use static rules based on policies to decide what content may be sent by email. They do not understand the user’s relationships with different recipients and groups. They cannot detect when the user’s behavior deviates from the norm.

The intelligent DLP employed by Egress Prevent uses contextual machine learning to identify typical user behavior and understand the relationships between the user, their email recipients, and the contents of emails and files that are sent to those recipients. This means the tool can detect when the user adds an unexpected recipient to an email and is about to cause a security incident. So, before the user can actually send the board meeting agenda, or customers’ personally identifiable information, to Julie@yopagroup.com, Egress Prevent alerts them to the fact that this recipient does not usually receive this type of content. This allows them to stop the mistake before it happens.
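The autocomplete scenario above (Julie@yopagroup.com suggested in place of Julie@yourcorp.com) and the relationship-aware check described here can be illustrated with a small recipient-anomaly checker. This is an added example and not Egress Prevent’s code or algorithm: it builds a per-sender profile of which recipients usually receive each type of content from a constructed send history, then warns when an outgoing message names a recipient whose local part matches a usual contact at a different domain, whose domain merely resembles a usual one, or who has never received that content type before. Names, the `SEND_HISTORY` sample and the content labels are all constructed for the example.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed send history: (sender, recipient, content label).
# A real deployment would derive this from the organization's mail logs.
SEND_HISTORY = [
    ("alex@yourcorp.com", "julie@yourcorp.com", "board-agenda"),
    ("alex@yourcorp.com", "julie@yourcorp.com", "board-agenda"),
    ("alex@yourcorp.com", "dan@yourcorp.com", "board-agenda"),
    ("alex@yourcorp.com", "julie@yopagroup.com", "supplier-contract"),
    ("alex@yourcorp.com", "julie@yopagroup.com", "supplier-contract"),
]


def split_address(address):
    """Return (local_part, domain) of an email address, both lower-cased."""
    local, _, dom = address.lower().rpartition("@")
    return local, dom


def build_profile(history):
    """Map sender -> content label -> set of recipients that usually receive it."""
    profile = defaultdict(lambda: defaultdict(set))
    for sender, recipient, label in history:
        profile[sender][label].add(recipient.lower())
    return profile


def check_recipients(sender, recipients, label, profile, lookalike_threshold=0.75):
    """Return a list of (recipient, reason) warnings for an outgoing message.

    An empty list means every recipient is one the sender normally sends
    this type of content to, so the message can go out without a prompt.
    """
    usual = profile.get(sender, {}).get(label, set())
    usual_parts = {split_address(r) for r in usual}
    usual_domains = {d for _, d in usual_parts}
    warnings = []
    for recipient in recipients:
        addr = recipient.lower()
        if addr in usual:
            continue
        local, dom = split_address(addr)

        # 1. Same person name at a different domain: the classic autocomplete pick
        #    (Julie at the supplier instead of Julie the Company Secretary).
        other_domains = [d for l, d in usual_parts if l == local and d != dom]
        if other_domains:
            warnings.append((recipient,
                f"local part '{local}' normally maps to {other_domains[0]} for '{label}'"))
            continue

        # 2. Domain closely resembles a domain that usually receives this content.
        for ud in usual_domains:
            if ud != dom and SequenceMatcher(None, dom, ud).ratio() >= lookalike_threshold:
                warnings.append((recipient, f"domain '{dom}' resembles usual domain '{ud}'"))
                break
        else:
            # 3. Otherwise the recipient is simply new for this content type.
            if dom not in usual_domains:
                warnings.append((recipient, f"has never received '{label}' from {sender}"))
            else:
                warnings.append((recipient, f"new recipient at usual domain '{dom}' for '{label}'"))
    return warnings


if __name__ == "__main__":
    profile = build_profile(SEND_HISTORY)
    for w in check_recipients("alex@yourcorp.com", ["julie@yopagroup.com"], "board-agenda", profile):
        print("WARN:", *w)
```

The check runs at send time, before the message leaves the client, which is the point at which the user can still correct the recipient; the three reasons are ordered from most to least specific so the prompt shown to the user explains why the recipient looks wrong rather than just blocking the send.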

It is possible to recall a misdirected email, but only if the email has been encrypted at message level before being sent. This is not an automatic security feature of many email clients, meaning there is no option to retrieve messages sent in error. Egress Protect encrypts email messages and attachments in transit and at rest. It provides total control over shared information, including the facility to recall emails when needed.

Egress Prevent and Egress Protect combine to strengthen the human layer of data security and mitigate the risk of fat finger error.

What to do if you’ve made a fat finger error

If you believe you may have caused a breach, the first thing to do is report the incident to your IT Security team. This will allow them to take the necessary steps to mitigate the situation. If you have received an email or file in error, you should alert the originating organization or sender immediately.

When an organization is alerted to a breach incident, it must act rapidly to meet the regulatory requirements regarding breach notifications. It will need to report the breach to one or more regulators and notify the affected data subjects within the designated time periods.

Every organization should have a data breach incident response plan in place that is activated when a breach occurs. A wide range of departments will need to coordinate the response, from legal and compliance teams handling regulatory issues to the customer account managers needed to liaise with concerned data breach victims. Public relations and communications professionals must be on hand to manage media interest and try to minimize the reputational impact of the breach.

Once made, a fat finger error is difficult to reverse. By preventing human-activated data breaches, organizations significantly reduce their exposure to the serious financial, regulatory and reputational repercussions that accompany them.