What is Fat Finger Error and How to Prevent It

Written by Kevin Tunison, Data Protection Officer, Egress

Whoever said “To err is human” was right (it was the English poet Alexander Pope). Just as in our private lives, we all make mistakes at work, no matter how diligent or professional we are. The trouble is that some human errors, however small, can have disastrous consequences. One of them is the fat finger error, which can cost an organization millions.

A fat finger error is a keyboard input mistake that results in the wrong information being transmitted. The term originated in financial trading markets and is now used more broadly in the security industry to describe data breaches that are caused by human error, particularly when the breach is attributed to mistyped information, like an email address.

There are few people who have not experienced the sinking feeling after making a fat finger error. Haste or inattention can result in sending incorrect information to recipients or sending sensitive information to the wrong people; it can happen in seconds, but the consequences can be serious.

Data breaches caused by fat finger errors can cost an organization millions through customer churn and regulatory fines, on top of the time spent on remediation and the ongoing damage to the brand. According to the 2023 Egress Email Risk Report, 54% of organizations that suffered a data breach experienced reputational damage, and 48% of incidents resulted in the responsible employee leaving the organization. The same report states that 68% of organizations had to cease operations when a fat finger error led to a breach of information.

What does fat finger error look like?

The ubiquity of email as a communication tool, the pressure under which many employees now work, and the introduction of productivity tools like Outlook autocomplete increase the risk that mistakes will be made when choosing email recipients or selecting files to be attached and shared.

Egress research found that over 91% of organizations have experienced an email data breach with misdirected emails being the biggest contributor to this percentage. Errors that lead to misdirected emails include:

  • Selecting the wrong recipient with autocomplete
  • Choosing the wrong file attachment
  • Failing to use the “Bcc” field
  • Adding someone to an email chain with earlier messages still visible in the thread
  • Replying to all recipients inappropriately

All these risks are exacerbated when employees are rushing, distracted, or stressed. For example, concentration is easily disrupted when employees are working from home or in open offices, while the small screens of mobile devices can increase the likelihood of a fat finger error.

The impacts of fat finger error

Although a fat finger error is a genuine mistake, the consequences of resulting data breaches are severe and long-lasting.

When a data subject’s personally identifiable information (PII) is lost or exposed to third parties, their rights under regulations such as HIPAA, CCPA and GDPR have been breached. As a result, the data subject may decide to bring litigation against the offending organization. In cases where numerous people’s PII has been compromised, class action lawsuits may follow.

In addition to the compensation paid to data breach victims following lawsuits, organizations also face fines issued by regulators as a penalty for non-compliance. These can reach many millions, depending on the nature and extent of the breach, the impact on data subjects, and what steps were taken by the organization before and after the incident occurred.

Direct monetary factors are not the only consideration; the damage to the reputation of a business that is responsible for a data breach is considerable. Unfavorable media coverage tends to highlight a company’s apparent disregard for customer data protection. This can have a significant impact on the bottom line as customers involved in the breach start to churn. Potential new customers are also discouraged, so a data breach can have a long-term impact on revenues.

A recent example is the millions of emails intended for Pentagon employees that were inadvertently sent to email addresses in Mali over the last decade. The cause was a one-character typo: the US military’s .MIL domain differs from Mali’s .ML country-code domain by a single letter, so a dropped “i” silently routed the message to the West African country instead.

The effects of a data breach can extend for many years, causing significant tangible and intangible damage to an organization.

How to prevent fat finger error

Fat finger error poses a particular challenge for IT security because it is rooted in human behavior. The chance of someone misdirecting an email varies depending on how rushed, stressed, or distracted they are, what device they are using, and where they are using it. This means most of the contributing risk factors are outside the control of security teams.

Attempts have been made to control the risk of employees causing email data breaches through traditional Data Loss Prevention (DLP) tools. However, these use static, rule-based approaches (keyword, pattern and fingerprint matching) to decide what content can be sent by email and to whom. They do not understand the user’s relationships with different recipients and groups, and they cannot detect when the user’s behavior deviates from the norm.

An intelligent DLP solution is needed that uses contextual machine learning to model typical user behavior and to understand the relationships between the user, their email recipients, and the contents of the emails and files sent to those recipients. Even more important is a feature that alerts the user at the moment of sending that this recipient does not usually receive this type of content, so the user can stop the mistake before it happens.
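The kind of pre-send check described in the two paragraphs above, and the error modes in the earlier bullet list (autocomplete picking a lookalike address, a recipient who never receives this class of content, a large visible external recipient list that should have gone in Bcc), can be sketched in a few dozen lines. What follows is an added illustration written for this page, not Egress code and not a description of how any product works; the sending history, addresses, content labels and thresholds are all constructed, and the recipient profile is a simple frequency model standing in for the machine-learning model the text refers to.

```python
"""Pre-send misdirection check (added example; constructed data, not product code)."""
from collections import Counter, defaultdict

# Constructed sender history: (recipient address, label of the content sent to them).
HISTORY = [
    ("finance@contoso.example", "payroll"),
    ("finance@contoso.example", "payroll"),
    ("finance@contoso.example", "invoice"),
    ("hr@contoso.example", "payroll"),
    ("bob@partner.example", "invoice"),
    ("alice@partner.example", "invoice"),
    ("alice@partner.example", "general"),
]


def domain(addr: str) -> str:
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; distance 1 catches the dropped-letter typos autocomplete surfaces."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_profile(history):
    """Who the sender normally emails, which domains, and what each recipient has received."""
    profile = {"recipients": set(), "domains": Counter(), "labels": defaultdict(set)}
    for addr, label in history:
        addr = addr.lower()
        profile["recipients"].add(addr)
        profile["domains"][domain(addr)] += 1
        profile["labels"][addr].add(label)
    return profile


def lookalike_domain(dom: str, profile, max_distance: int = 1):
    """Return a known domain that the unseen domain `dom` is a near-miss of, else None."""
    if dom in profile["domains"]:
        return None
    for known in profile["domains"]:
        if levenshtein(dom, known) <= max_distance:
            return known
    return None


def check_message(profile, sender: str, visible_recipients, label: str, bcc_threshold: int = 5):
    """Warnings to show the user before the message leaves the outbox.

    Returns a list of (code, detail) tuples; an empty list means nothing unusual.
    """
    warnings = []
    for addr in visible_recipients:
        addr = addr.lower()
        if addr not in profile["recipients"]:
            near = lookalike_domain(domain(addr), profile)
            if near:
                warnings.append(("lookalike-domain", f"{addr}: did you mean @{near}?"))
            else:
                warnings.append(("new-recipient", f"{addr}: never emailed before"))
        elif label not in profile["labels"][addr]:
            warnings.append(("unusual-content", f"{addr}: has never received '{label}' content"))
    # Many external addresses in To/Cc expose every recipient's address to every other one.
    external = [a for a in visible_recipients if domain(a) != domain(sender)]
    if len(external) >= bcc_threshold:
        warnings.append(("suggest-bcc", f"{len(external)} external recipients visible to each other"))
    return warnings


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    draft_to = ["finance@contoso.example", "bob@partnr.example", "alice@partner.example"]
    for code, detail in check_message(profile, "me@contoso.example", draft_to, "payroll"):
        print(f"[{code}] {detail}")
```

Run as a script, the constructed draft produces two prompts: the typo `bob@partnr.example` is flagged as a lookalike of `partner.example`, and `alice@partner.example` is flagged because payroll content has never gone to that address before. The design point is that none of these checks look at the message body for a regex match, which is what a rule-based DLP would do; they compare the draft against what this sender normally does, which is the only signal that distinguishes a legitimate send from a mistyped one.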

Recalling a misdirected email is only reliable when the message was encrypted at the message level before it was sent, so that the sender, not the recipient’s mailbox, controls access to the content. Most email clients do not do this by default, which is why there is usually no real option to retrieve a message sent in error once it has been delivered. A solution is needed that encrypts email messages and attachments in transit and at rest and also gives the sender full control over the shared information, including the ability to revoke access to an email when needed. Deployed together with contextual pre-send checks, these measures strengthen the human layer of data security and mitigate the risk of fat finger error.
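The reason recall depends on message-level encryption is easy to show concretely. Below is an added toy model written for this page (not Egress code, and not how any particular product is built): the recipient’s mailbox only ever holds ciphertext plus a key reference, the content key lives in a sender-controlled key service, and revoking the message means deleting that key. The key service, mailbox record and cipher are all constructed for illustration; the HMAC-SHA256 keystream with an HMAC tag stands in for a real AEAD such as AES-GCM, which is what a production system would use.

```python
"""Revocable message-level encryption, toy model (added example; not production code)."""
import hashlib
import hmac
import os
import secrets
from typing import Optional


class KeyService:
    """Sender-controlled store of per-message content keys (constructed for the example)."""

    def __init__(self):
        self._keys = {}

    def register(self, key: bytes) -> str:
        msg_id = secrets.token_hex(8)
        self._keys[msg_id] = key
        return msg_id

    def fetch(self, msg_id: str) -> Optional[bytes]:
        return self._keys.get(msg_id)

    def revoke(self, msg_id: str) -> bool:
        """Deleting the key is the recall: every delivered copy becomes unreadable."""
        return self._keys.pop(msg_id, None) is not None


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256; a real system uses an AEAD.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce(16) || ciphertext || tag(32), tag covering nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def send(keys: KeyService, body: bytes) -> dict:
    """What lands in the recipient's mailbox: ciphertext plus a reference to the key."""
    key = os.urandom(32)
    msg_id = keys.register(key)
    return {"id": msg_id, "blob": encrypt(key, body)}


def read(keys: KeyService, delivered: dict) -> Optional[bytes]:
    """Recipient opens the message; None means access has been revoked."""
    key = keys.fetch(delivered["id"])
    if key is None:
        return None
    return decrypt(key, delivered["blob"])


if __name__ == "__main__":
    keys = KeyService()
    delivered = send(keys, b"Q3 payroll attached")   # misdirected to the wrong recipient
    print("before revoke:", read(keys, delivered))
    keys.revoke(delivered["id"])                       # sender notices the fat finger error
    print("after revoke: ", read(keys, delivered))
```

The contrast with an ordinary email is the whole point: a plaintext message has no `read` step the sender participates in, so once it is delivered there is nothing left to revoke. Note the two limits the model makes visible. Revocation is only as strong as the key service’s access control, and it does nothing about a recipient who already opened the message and copied the plaintext, which is why the pre-send check is the primary control and revocation the backstop.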

Once made, a fat finger error is difficult to reverse. By preventing human-activated data breaches, organizations significantly reduce their exposure to the serious financial, regulatory, and reputational repercussions that accompany them.