What is a Data Breach?
A data breach is an incident in which secure, sensitive, or confidential information is accessed by, or exposed to, an unauthorized and untrusted environment. The breach can be intentional or accidental. Technically, a data breach is a violation of an organization's or individual's security policy in which confidential information is copied, transmitted, viewed, or stolen by an unauthorized person.
Data breaches involve theft or loss of private information, such as:
- Financial data (credit card, banking details)
- Personal medical data history
- Personal identification information (passwords, PIN (personal identification number), Social Security number)
- Trade secrets
- Contact details (names, physical addresses, e-mails)
- Intellectual property
Data breaches are common because of technological advancement and the sheer volume of information now held in digital form. They are largely carried out by cybercriminals for financial gain, espionage, terrorism, political ends, or other reasons. A breach can ruin the reputation of a prominent organization, damage victims' lives, and be costly to remedy through investigation, redress, victim compensation, fines, and so on.
How Data Breaches Occur
Data breaches generally occur because of weaknesses in systems and in user behavior, and attackers are always looking to exploit those deficiencies. The rise of smartphones and social media has made devices highly interconnected, and technology is being upgraded faster than the protections needed to secure it. In essence, convenience is valued over security, which inevitably leads to more data breach incidents. The following are some of the ways in which data breaches occur:
- Accidental internal breach: An employee gains access to information belonging to a colleague, or views information on a manager's computer, without authorization. Even if the employee never shares the information, accessing and viewing it without authorization is classified as a data breach.
- Intentional internal breach: An employee accesses and views company data, with or without authorization, intending to share it with unauthorized outsiders or other employees in order to cause harm or profit from the breach.
- Physical loss or theft of devices: Devices holding sensitive, unencrypted information are lost or stolen, risking exposure to unintended parties.
- Cybercrime: Cybercriminals take time to study and gather intelligence about an organization's information systems before launching an attack to breach them and steal information for nefarious purposes.
According to the 2020 Verizon Data Breach Investigations Report (DBIR 2020), external actors were the perpetrators behind 70% of data breaches. The chart below summarizes threat actors in 2020:
Targeted Cyber Attacks
Targeted data breaches carried out by cybercriminals continue to increase despite the countermeasures put in place against them. The attackers' ultimate goal is to steal personal identification information and compromise identities for financial gain, typically by selling the information on the dark web. The following are the main ways in which targeted attacks happen:
- Weak passwords: Weak passwords are easy to guess, giving an attacker access to sensitive information. They are typically simple passwords made of common whole words or of known personal information, such as the user's date of birth or that of a close relative. People generally want simple passwords that are easy to remember; attackers know this and exploit it.
- System vulnerabilities: Obsolete firewalls and out-of-date software create vulnerabilities that give attackers an opportunity to sneak malware into the system and steal data.
- Malware attack: Targeted malware attacks use spam and phishing emails to mislead users into revealing their network credentials. Users are tricked into downloading malicious attachments or redirected to a malicious website. Malware exploits weaknesses in hardware and software security; spyware is a type of malware used to steal data while remaining undetected.
- Drive-by download: Users unintentionally download malware simply by visiting a compromised website. It works by exploiting out-of-date browsers, applications, and operating systems.
- Phishing: Attacks that deceive users into handing over credentials or data by impersonating bona fide people or organizations.
- Brute force attacks: Software tools used to guess user passwords. Guessing correctly can take time depending on the password's strength, but higher processing speeds and malware-infected machines can speed the process up considerably.
Current Data Breach Methods
The DBIR 2020 lists nine core clusters of incident classification patterns, which together account for about 88% of data breaches. They are the common ways in which data breach incidents occurred in 2020. These patterns remain fairly consistent year over year, with slight deviations as technology changes. The nine common clusters are:
- Crimeware – Includes all malware not classified under other patterns. Crimeware tends to be opportunistic and financially motivated, and it is frequently delivered through social engineering. It includes the following sub-categories:
  - Ransomware – As the name suggests, the malware holds the target's files hostage with a promise to unlock them if the victim pays. The risk for the victim is that the files might not be unlocked even after the ransom is paid.
  - SQL injection – An attacker enters SQL code into a web form field; if the input is not handled properly before it is passed to the backend database, the injected code is executed and can read or corrupt the site's data.
  - Phishing – The attacker poses as a trusted source to the intended victim, normally through email, text, chat, or a direct phone call. Once the victim responds, they end up installing malware or sharing personal information without realizing it.
- Cyber espionage – Data breach incidents involving unauthorized access to systems in order to obtain the state secrets of countries.
- Denial of service – Criminals send junk network traffic to overwhelm systems and networks. Services are disrupted or denied because the system cannot distinguish illicit traffic from legitimate traffic, or cannot handle the combined volume.
- Privilege misuse – Intentional actions carried out by company insiders or employees. Employees are likely to know the value of the data and may trade it for profit clandestinely.
- Miscellaneous errors – Unintentional actions that result in a data breach. They can happen by accident or through the loss of devices containing sensitive, confidential data.
- Payment card skimmers – Incidents where a skimmer or skimming device is used to acquire payment data from a credit card reader or any terminal, e.g., ATMs and gas pump terminals.
- Point of Sale (PoS) – Hacking and remote intrusions into PoS servers and terminals to steal payment card details. It mostly targets small businesses and retail customers.
- Lost and stolen assets – Intentional or accidental theft or loss of devices containing sensitive information. It can involve losing physical devices, such as laptops and cell phones, or paper documents.
- Web applications – Any attack that targets web applications in which personal details are shared. Cybercriminals exploit vulnerabilities in the application's code in order to steal personal details and credentials for use elsewhere.
- Everything else – All other methods not contained in the above categories. It typically includes phishing and compromised email accounts used to commit financial fraud.
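The SQL injection sub-category above comes down to one mistake: untrusted form input becoming part of the SQL text. The following added example (not from the original article; the in-memory user table and the form input are constructed) shows a vulnerable lookup beside the parameterized version, using Python's built-in sqlite3 module.

```python
import sqlite3


def make_db():
    # Constructed sample table; not data from any real breach.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The form value is pasted straight into the SQL text, so a quote in the
    # field changes the structure of the query instead of staying data.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Placeholder binding: the driver passes the value separately from the
    # SQL grammar, so it is compared as a literal string, quotes and all.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    # The textbook tautology string, used only to contrast the two handlers:
    # in the vulnerable query it turns the WHERE clause into "always true".
    form_input = "' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, form_input),  # every row leaks
        "safe": lookup_safe(conn, form_input),              # no such user
        "normal": lookup_safe(conn, "alice"),               # intended lookup
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```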
Data Breach Prevention
It is said that the security of a network is only as strong as its weakest link. Hence, it is crucial that individuals and organizations put comprehensive preventive measures in place to close potential vulnerabilities all the way from IT systems to end-users. Methods to prevent data breaches and minimize their impact include:
- Regularly patching and updating software
- Conducting regular vulnerability and penetration testing
- Encryption of sensitive data on the local onsite network, as well as third-party cloud services. This ensures that even in the event of network penetration, threat actors will not be able to decrypt or access the actual data.
- Use of strong antivirus protection, which should be regularly updated.
- Enforcing strong credentials and multi-factor authentication.
- Ensuring all devices use business-grade VPN services.
- Formulation and circulation of data security policy for all employees
- Continuous education and refresher training of staff on cybersecurity best practices, as well as the promotion of data security policy
- Establishing the Principle of Least Privilege (PoLP), where employees are given only the minimum permissions and rights needed to do their work.
- Formulating an Incident Response Plan (IRP) to be followed in the event of a data breach. The IRP defines the processes used to identify, contain, and quantify a security incident.
Data Breach Incident Cases
Many data breaches have taken place since the turn of the century, and more keep being reported. As indicated earlier, the migration of world economies and corporations to the digital age exposes flaws in security systems, and the large volume of government and corporate data attracts criminals seeking financial gain or espionage opportunities.
According to the DBIR 2020, there were 3,950 data breaches in 2020, up from 2,013 in 2019, an increase of almost 95%. Data were collected from 81 countries that cover four world regions. Most data breaches occurred in healthcare and finance. Manufacturing, information services, public sector, and professional services follow closely behind.
Below is a brief rundown of notable data breaches in the 21st century:
Yahoo reported a massive data breach involving the exposure of user data from almost three billion email accounts; the exposed data included names, emails, and passwords. The breach started in 2013 and was only discovered in 2016. Threat actors accessed the Yahoo corporate network and minted authentication cookies that allowed them to access email accounts without using passwords. An investigation into the breach resulted in the indictment of four individuals, including two Russian security agents.
LinkedIn, a social media platform, experienced a data breach in 2012 in which the credentials of 167 million user accounts were stolen. The data was reported to be up for sale on the dark web (on a Russian hacker forum, to be specific). The breach was attributed to weak user passwords and LinkedIn's failure to salt the stored passwords. LinkedIn undertook to reset the passwords of the affected accounts.
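The LinkedIn case above turns on "failure to salt", and the weak-password item earlier on why that matters: without a per-user salt, every user who picked the same weak password ends up with the same stored hash, so one recovered password unlocks all of them at once. The following added example (not from the original article and not a description of LinkedIn's actual storage scheme; the users and passwords are constructed) contrasts an unsalted digest with a salted, iterated one and audits a dump for duplicate hashes, the kind of check a defender runs on their own credential store.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; alice and bob share a weak password.
USERS = {"alice": "password123", "bob": "password123", "carol": "Tr0ub4dor&3"}
ITERATIONS = 100_000


def unsalted_hash(password):
    # Bare digest: identical passwords always give identical stored values.
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt=None, iterations=ITERATIONS):
    # Random per-user salt plus a slow KDF; returns (salt, digest).
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password, salt, digest, iterations=ITERATIONS):
    # Recompute with the stored salt and compare in constant time.
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, digest)


def store_unsalted(users):
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users):
    return {u: salted_hash(p) for u, p in users.items()}


def duplicate_hashes(table):
    # Group users by stored value; any group larger than one means a single
    # cracked entry reveals every account in that group. Salted entries never
    # collide, because each carries its own random salt.
    groups = {}
    for user, value in table.items():
        groups.setdefault(value, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_hashes(store_unsalted(USERS)))
    print("salted duplicates:", duplicate_hashes(store_salted(USERS)))
```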
Adobe Systems reported that their database was hacked, and about 153 million user records were stolen. The attack targeted the authentication system of a backup system that was pending decommissioning. The attack exposed customer names, IDs, passwords, and debit card and credit card records. In August 2014, through an agreement, Adobe promised to pay $1.1 million in legal fees together with an undisclosed amount to settle claims of violating the Customer Records Act.
In 2018, Marriott reported that attackers had stolen the data of about 500 million customers. The breach initially targeted Starwood Hotels systems in 2014 (before Marriott acquired the hotel brand) and remained hidden until 2018. The attackers obtained customer contact details, travel records, and personal information. The incident was allegedly linked to a Chinese intelligence group.
Sina Weibo, a Chinese social media app with over 538 million accounts, reported a breach in March 2020 in which 172 million user accounts were compromised. The stolen data included phone numbers, locations, gender, names, and other details, but not passwords. The data was reported to be on sale for a mere $250. The matter was referred to the Chinese cybersecurity agency for investigation.