What is a Data Breach? Why They Happen And How to Prevent Them
Data: It’s the lifeblood that runs through the veins of every type of business. It educates you and informs you, and it comes in a myriad of forms. You monitor it, collect it, analyse it, all so that you can get better insights into every aspect of your business.
However, as Peter Parker’s uncle once said: “With great power comes great responsibility”. Much of the data you hold and use is your own and is essential for many reasons. It informs metrics and KPIs such as conversion rates, sales figures, and others.
But there is also other data which falls into an area where confidentiality and privacy rule. Your customer records are usually highly sensitive and may contain personally identifiable information, credit card numbers, dates of birth, social security numbers, phone numbers, and more.
When you handle so much sensitive data, there is one phrase guaranteed to grab your attention immediately: Data breach.
Just what is a data breach? Are there different types? What steps can you take to prevent one and to protect that confidential data?
What is a Data Breach?
A data breach is when an unauthorised party accesses the data held by any organisation, whether corporations or small businesses. There are several types, but the end result is often the same: Confidential information either being released into the public domain or used maliciously for cybercrime.
With an increase in online activity due to the pandemic, came an increase in cyberattacks and data breaches. In the first three quarters of 2020, there were 2,953 data breaches publicly reported. That figure represents a 51% increase on the same period in 2019. By October 2020, a staggering 36 billion records had been breached.
What Are The Types of Data Breaches?
Stolen Information
1. Insider Leaks
There are two types of insider threats; malicious and accidental. 62% of all insider leaks in 2020 were caused by negligence. 23% came from malicious acts (an employee deliberately leaking info or selling it) and 14% came from people posing as insiders.
COVID made the problem worse, with 85% of employees more likely to leak data now than they were pre-pandemic. A lot of this is due to the shift to working from anywhere and companies failing to implement adequate security protocols.
2. Physical Skimming
Physical skimming is a type of scam where cybercriminals use a device to obtain information about debit and credit cards. These can be placed on ATM machines or on POS devices. They can read a customer’s information just as the legitimate machines would.
There is also a digital version of skimming, usually called e-skimming. In this version, hackers collect your data in real time and from a remote location (that may even be in another part of the world).
Recorded Keystrokes
Everyone has received emails with what looks like a tempting attachment. They may even come from email addresses you recognise, if the cybercriminals have hacked those. If you open one, there is a good chance you will download malware to your device that contains something called a “keylogger”. That keylogger then records everything you type.
That means they now have sensitive info such as passwords, bank account details, or other financial information, or data they may be able to use for identity theft.
Phishing
Phishing is a cyberattack when you access a fake site designed to look like the genuine article. This will usually be a website you have used before (Inland Revenue/tax is a common one in the UK).
If you believe the site to be genuine, you will enter any info they ask for, thus giving them the authentication to access your accounts on the genuine site as well as other info.
Ransomware
Ransomware is a cybercrime most often targeted at companies. It involves the cybercriminals hacking your computer or system then sending an email/message demanding “ransom” to prevent them releasing info or doing further damage.
These ransoms can range from nominal amounts to hundreds of thousands of dollars. The biggest ransomware attack of all time, WannaCry, caused damage estimated to be billions of dollars.
Brute-Force Attack
As the name suggests, this is a less sophisticated attack that can still be damaging if successful. It usually uses a trial and error method to guess your credentials, such as password or login info. The hacker does this by using a series of guesses and combinations (usually aided by a dedicated program) so they can access your data .
Malware or Virus
As well as keyloggers, malicious emails may contain other types of malware or even viruses. In some cases, these are designed to wipe all the info on a computer or system, something that can be extremely damaging to a business (or devastating to a healthcare provider).
Denial-of-Service
Whereas most data breaches seek financial gain, DDoS (distributed denial of service) are often a form of protest, for example, against a big pharma company whose business the hackers perceive as unethical or harmful. This type of attack does not actually steal any data but it can force a company to close their site till the issue is fixed.
Unintended Disclosure
As mentioned earlier, negligence is the biggest cause of insider leaks. This happens when an employee (or a subcontractor) accidentally or negligently reveals sensitive info or data. This could be by copying an unauthorised person into an email with such data or through sharing it on a social media platform outside the company.
Causes of Data Breaches
Weaknesses in Technology
A major cause of data breaches are weaknesses or vulnerabilities in your tech system. These can occur for a number of reasons:
- Lack of any cybersecurity strategy.
- Unsecured networks.
- Unsecured communication channels, including email or messaging apps.
- Bugs. Software can often have bugs or flaws.
- Outdated systems.
- Lack of monitoring of your systems and traffic.
User Vulnerability
61% of breaches are due to stolen (or poorly protected) credentials. This can happen if employees have not been trained in cybersecurity risks and they use simple or obvious passwords. They may also be duped into giving those credentials away or leave them on display where other people can see them.
What Happens in a Data Breach?
Research
When a cybercriminal decides to target a company, the first thing they’ll do is look for weaknesses they can exploit. Those weaknesses could be in your company’s staff, in your systems, or in your network. They are basically looking for the easiest way to gain entry and access your data.
Attack
Once they’ve identified the easiest way in, they’ll then start their attack. Network attacks are via your tech infrastructure (system, apps, or other routes) to get inside your databases. A social attack will look for human weaknesses, and finding a way to get employees to reveal login and password info.
Exfiltration
Once the hacker has gained access to one computer or terminal, they then look for ways to access the confidential info held on that computer or your network as a whole. As soon as they have found and extracted the data they wanted, their attack has been successful.
The Top 3 Biggest Data Breaches
Yahoo
Yahoo has suffered two major data breaches. The biggest of those occurred in 2013 and affected three billion Yahoo accounts. The breach investigation ended up costing Yahoo a lot. Verizon slashed $350 million from the price they were paying to buy Yahoo. It then cost them a further $117.5 million in 2019 in a legal settlement.
Alibaba
Chinese ecommerce retailer Alibaba was the victim of a massive data breach involving more than 1.1 billion items of user data between 2019 and 2020. A software developer used web crawling software to collect information from the company’s Taobao website. The data was used by the developer’s employer to target users for marketing purposes.
In June of 2021, a hacker used data-scraping techniques to obtain information on more than 90% (700 million) of the networking platform’s users. While LinkedIn dismissed the attack as a breach of terms of service rather than a data leak, the info obtained, which was published on the dark web, would have given cybercriminals the ability to create social engineering attacks.
How to Prevent Data Breaches
This is one of the most FAQs regarding cybersecurity. Here are some simple tips:
Implementing Basic Cybersecurity Measures
Even the most basic security measures offer you some level of protection. These can include auditing your current assets, ensuring any data is backed up in a remote cloud-based location, and only storing data that you need. You should also ensure safe disposal or destruction of any data (hard drives or paper files).
Employee Education And Training
With human error and negligence being behind so many data breaches, you need to educate your staff on the importance of using strong passwords, changing those passwords on a regular basis, and spotting potential malware or phishing scams. You should also put in place policies restricting the use of work computers for personal purposes.
Deploying Proven Security Frameworks
There is a wealth of tried and tested security solutions available. Depending on your needs, you can purchase systems that fit the bill. For bigger companies, you may want to employ specialists to set up a framework for you. Make sure you have all the usual safeguards such as firewalls, anti-virus software, and anti-spyware tools.
Continuous Vulnerability Assessment And Correction
Just because you’ve solved today’s risk doesn’t mean you’re protected tomorrow. Just as the technology you use is constantly evolving, so are the methods and tools used by cybercriminals.
You should be carrying out ongoing and continuous assessments of your vulnerability and current risks, and taking steps to protect against new threats.
Patching And Updating Software
Tech companies are constantly looking for ways to improve their products (it’s why Microsoft-driven devices are always asking you to install updates). It may be that a flaw wasn’t noticed in development, or they may make improvements to certain features.
This is especially true with security software, where they’re constantly looking to counter new threats. Ensure you check for patches and updates on a regular basis.
What to do in a Data Breach
It is not only a case of data breaches affecting your business or costing you money directly. Failure to provide information security for sensitive information may break specific laws and regulations.
Regulations
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a US federal law designed to protect sensitive information about patients receiving healthcare. If a breach occurs involving such info, the provider involved must send a data breach notification to all affected individuals, the Secretary of Health, and in some circumstances, the media.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a set of rules and regulations applying to any company in the US that processes or stores data relating to customers’ payment cards. In the event of a security incident, there are a number of steps to follow, including notifying any affected parties and ensuring that exposure of any data is as limited as possible.
Laws
General Data Protection Regulation (GDPR)
GDPR is an EU law that applies to any organisation operating or doing business in the EU. As the toughest privacy law in the world, it seeks to protect the personal data of all EU citizens, no matter who is using or collecting that data.
In the event of a breach, the organisation must notify the supervising authority within 72 hours of discovery. You must also notify all affected individuals if there is significant risk.
Information Commissioner’s Office (ICO)
As the UK has now left the EU, the ICO carries out a similar role to the GDPR. One of its primary roles is to protect the data privacy of everyone living in the UK. Depending on the nature of the security breach that has occurred, there are different requirements for reporting these incidents to the ICO.
Conclusion
Cybersecurity is like an ongoing battle, with cybercriminals constantly seeking ways to steal info and security experts trying to stop them. Each and every business has responsibilities to protect data.
You need to consider protecting information at every level of your business. That includes communication platforms and any external traffic into or out of your network. Data breach prevention is not just a matter of good business practice, it could avoid the impacts and ongoing cost of a data breach, which could last years.
Originally published Oct 27, 2021