A data breach occurs when sensitive data is copied, transmitted, viewed, stolen, or accessed by an unauthorized individual. For a security incident to constitute a data breach, the exposure of sensitive data must be intentional. The presence of intent differentiates a data breach from a data leak, where exposure is accidental.
A data leak occurs when data is accidentally exposed through a vulnerability, such as weak passwords. Data leaks and cloud leaks can also cause a data breach if a cybercriminal exploits these vulnerabilities to gain unauthorized access to sensitive information.
The types of data exposed in a security breach include highly confidential information, such as:
- Financial information, such as credit card numbers and bank account numbers
- Personally identifiable information (PII), such as driver’s license numbers, social security numbers, phone numbers, and other contact information
- Protected health information (PHI)
- Trade secrets
- Intellectual property
Data breaches are prevalent in industries that deal with large amounts of personal data, such as the healthcare and financial sectors. Cybercriminals exploit this information to commit lucrative cybercrimes, such as identity theft and health insurance fraud.
How Do Data Breaches Happen?
Examples of security incidents that lead to data breaches include:
- Malware infections
- Ransomware attacks
- Cyber attacks, such as denial-of-service attacks (DoS) and brute force attacks
- Social engineering schemes, such as phishing
- Insecure endpoints, such as lost or stolen hard drives or smartphones
- System vulnerabilities
- Exfiltrated data posted in dark web forums
- Insecure passwords
- Cloud misconfigurations, such as excessive permissions
- Third-party breaches
What to Do if a Data Breach Occurs
Data breaches are increasingly common for organizations of all sizes - from small businesses to multinational corporations. Having a comprehensive incident response plan ensures your organization knows how to identify, contain, and quantify the impact of a data breach.
Follow the steps below to respond effectively and efficiently following a data breach.
1. Isolate Breached Systems
You must ensure the breach has stopped before taking any further action. Identify the affected parts of your system, log all data, and isolate these parts to prevent further compromise. Keeping a data log is crucial to identify what data has been compromised.
2. Perform an Audit
Once you have isolated the source of the breach, you’ll need to perform an audit to determine which data was accessed and when. The scope of the breach depends on which information was accessed or modified.
Having audit logs and backups readily available lets you compare the current state of affected systems against a known-good baseline and see exactly what changed. Otherwise, a data expert can validate the accuracy of the audit.
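To make the audit step concrete, the following added example (not code from the original article) replays a constructed audit log against the window of compromise and diffs a backup manifest against the current system. The log line format, the manifest layout (path to SHA-256 digest) and the breach window are assumptions made for this example.

```python
# Added example: scope a breach from an audit log plus a backup manifest.
# The log format, manifests and breach window below are constructed for
# illustration; real systems will need their own parsers and integrity tooling.
from collections import defaultdict
from datetime import datetime

# Constructed audit log: ISO-8601 timestamp followed by key=value fields.
AUDIT_LOG = """\
2024-03-01T08:00:00Z user=alice action=READ object=db/customers.csv
2024-03-01T23:10:00Z user=alice action=READ object=db/customers.csv
2024-03-02T02:41:00Z user=alice action=READ object=db/payments.csv
2024-03-02T02:43:00Z user=alice action=WRITE object=app/config.yml
2024-03-02T09:00:00Z user=bob action=READ object=db/customers.csv
""".splitlines()

# Constructed manifests: path -> SHA-256 digest (shortened for readability).
BACKUP_MANIFEST = {"app/config.yml": "a1", "db/customers.csv": "b2", "db/payments.csv": "c3"}
CURRENT_MANIFEST = {"app/config.yml": "ff", "db/customers.csv": "b2", "app/dump.tar": "ee"}

def parse_ts(text):
    """Parse a 'Z'-suffixed ISO-8601 timestamp into a tz-aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def parse_audit_line(line):
    """Turn one audit log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = parse_ts(ts)
    return event

def scope_breach(log_lines, breach_start, breach_end, backup, current):
    """Report what was touched inside the window and what changed vs. the backup."""
    start, end = parse_ts(breach_start), parse_ts(breach_end)
    accessed = defaultdict(list)
    for ev in map(parse_audit_line, log_lines):
        if start <= ev["ts"] <= end:
            accessed[ev["object"]].append((ev["ts"].isoformat(), ev["user"], ev["action"]))
    return {
        "accessed": dict(accessed),
        "modified": sorted(p for p in backup if p in current and current[p] != backup[p]),
        "deleted": sorted(p for p in backup if p not in current),
        "added": sorted(p for p in current if p not in backup),
    }

def example_scope():
    """Assumed window: first anomalous activity until the systems were isolated."""
    return scope_breach(AUDIT_LOG, "2024-03-01T22:00:00Z", "2024-03-02T03:00:00Z",
                        BACKUP_MANIFEST, CURRENT_MANIFEST)

if __name__ == "__main__":
    for key, value in example_scope().items():
        print(key, value)
```

Events outside the window (the routine morning reads) are excluded, while the unexpected write to the config file, the deleted payments export and the new archive all surface as items the audit must explain.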
3. Inform Affected Customers
You must inform all affected individuals as soon as possible. Data breach notification laws, such as the European Union General Data Protection Regulation (GDPR) and US state laws such as the California Consumer Privacy Act (CCPA) and the New York SHIELD Act, mandate this process.
Prompt communication can also help minimize the reputational damage caused by a breach. Provide your customers with instructions on how to secure their accounts and personal data.
4. Implement Data Breach Prevention Strategies
Implementing effective data security processes and information security procedures is essential to prevent data breaches in the future. Effective prevention strategies include:
- Following the SANS Institute security guidelines
- Managing cyber risk with the NIST Cybersecurity Framework
- Implementing the principle of least privilege
- Improving password security
- Implementing two-factor authentication (2FA) or multi-factor authentication (MFA)
- Deploying an attack surface management solution
Examples of Data Breaches
Below are examples of recent well-known data breaches.
In January 2021, Microsoft Exchange’s email servers were involved in one of the US’ most significant cyberattacks to date. More than 60,000 companies were affected worldwide, 30,000 of which were US-based. The attackers were able to gain access to emails containing sensitive data by exploiting four zero-day vulnerabilities.
The email accounts were connected to various organizations, including small businesses and local governments. The software flaw allowed the hackers to remain active in the vulnerable systems for three months.
In April 2021, hackers performed an illegal data scrape of LinkedIn’s user base, revealing the personal details of over 700 million users. This exposure enabled additional cybercriminals to take advantage of the breached data. One threat actor reportedly tried selling a set of LinkedIn data on a public forum for $7000 in Bitcoin.
Between 2013 and 2016, Yahoo was hit by several cyber attacks. A team of Russian hackers exploited Yahoo’s database, stealing records containing personal information from about 3 billion user accounts in total. Yahoo’s delayed reaction to the attack and failure to disclose one of the security incidents to its users resulted in a $35 million fine and 41 class-action lawsuits.
In September 2017, primary credit reporting agency Equifax reported a significant data breach that compromised the personally identifiable information (PII) of 148 million US citizens. The breach also affected many financial institutions that used Equifax as a third-party vendor. Due to its poor network security, Equifax eventually faced penalties to the tune of $575 million to be paid to numerous authorities, states, and territories.