Data Breach
A data breach is an incident in which information is accessed, copied, or stolen from a system without the knowledge or authorization of the system's owner. Organizations of any size, from small companies to large enterprises, can suffer a data breach. Stolen data may include sensitive, proprietary, or confidential information such as credit card numbers, customer records, trade secrets, or matters of national security.
The effects of a data breach can include damage to the target company's reputation due to a perceived 'betrayal of trust.' Victims and their customers may also suffer direct financial losses if financial records are among the information stolen.
Based on the number of data breach incidents recorded between January 2005 and April 2015, personally identifiable information (PII) was the most stolen record type while financial data came in second.
Breach methods observed across industries
Most data breaches are attributed to hacking or malware attacks. Other frequently observed breach methods include the following:
- Insider leak: A trusted individual or person of authority with access privileges steals data.
- Payment card fraud: Payment card data is stolen using physical skimming devices.
- Loss or theft: Portable drives, laptops, office computers, files, and other physical properties are lost or stolen.
- Unintended disclosure: Through mistakes or negligence, sensitive data is exposed.
- Unknown: In a small number of cases, the actual breach method is unknown or undisclosed.
Phases of a Data Breach
- Research: The attacker studies the target and scopes its weaknesses, whether these lie in its people, its systems, or its network.
- Attack: Having scoped the target's weaknesses, the attacker makes initial contact through either a network-based or a social attack.
In a network-based attack, the attacker exploits weaknesses in the target's infrastructure to gain a foothold. Typical techniques include, but are not limited to, SQL injection, exploitation of unpatched software vulnerabilities, and session hijacking.
In a social attack, the attacker uses social engineering tactics to infiltrate the target network. This may involve a maliciously crafted email sent to an employee, tailor-made to catch that specific employee's attention. The email can phish for information, fooling the reader into supplying credentials or personal data to the sender, or carry a malware attachment that executes when the recipient opens it.
- Exfiltrate: Once inside the network, the attacker locates the data of interest and moves it out of the organization's environment, completing the breach.
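To make the network-based attack phase concrete, the following added example (written for this page, not code from the original) shows how one of the techniques named above, SQL injection, turns an ordinary login query into a dump of an entire customer table, and how the same query written with bound parameters refuses the payload. The table, rows, and the `login_vulnerable` / `login_safe` function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a breached application's
# database (not from the original page). Note that storing plaintext
# passwords and full card numbers is itself a defect; it is kept here
# only so the dump is visible.
SAMPLE_CUSTOMERS = [
    (1, "alice", "s3cret", "4111-1111-1111-1111"),
    (2, "bob", "hunter2", "5500-0000-0000-0004"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, username TEXT, "
        "password TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """DELIBERATELY VULNERABLE: user input is pasted into the SQL text.

    With username = password = "' OR '1'='1" the statement becomes
        ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
    which is true for every row, so every customer record comes back.
    """
    sql = (
        "SELECT id, username, card FROM customers "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver binds input as data, never as SQL.

    The same payload is compared literally against the username column,
    matches nothing, and returns an empty list.
    """
    sql = (
        "SELECT id, username, card FROM customers "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run both logins against the classic tautology payload.

    Returns (rows_from_vulnerable_login, rows_from_safe_login).
    """
    conn = make_db()
    payload = "' OR '1'='1"
    dumped = login_vulnerable(conn, payload, payload)
    blocked = login_safe(conn, payload, payload)
    return dumped, blocked


if __name__ == "__main__":
    dumped, blocked = demo()
    print("vulnerable login returned %d rows: %r" % (len(dumped), dumped))
    print("parameterised login returned %d rows" % len(blocked))
```

The legitimate path behaves identically in both functions; only the handling of attacker-controlled input differs, which is why parameterised queries (or an ORM that uses them) are the fix, not input filtering.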
Reported Data Breaches
Date | Organization | Industry | Number of Records Stolen
Between 2013 and 2014 | (not named) | Email service provider | 3,000,000,000
October 2016 | (not named) | Adult website | 412,200,000
May 2016 | (not named) | Social media website | 360,000,000
Between 2007 and February 2013 | (not named) | Credit bureau | 200,000,000
2012 | (not named) | Social media website | 165,000,000
February 2018 | (not named) | Fitness mobile app | 150,000,000
Between May and July 2017 | (not named) | Information solutions company | 145,500,000
May 2014 | eBay | Online auction website | 145,000,000
March 2008 | Heartland Payment Systems | Credit and debit processor | 134,000,000
December 2013 | (not named) | Retailer | 110,000,000
17-19 April 2011 | Sony PlayStation Network | Electronics firm | 102,000,000
17 February 2012 | (not named) | Internet portal and email service provider | 98,100,000
December 2006 | (not named) | Retailer | 94,000,000
October 2017 | (not named) | Genealogy-testing service provider | 92,283,889
2005 | (not named) | ISP | 92,000,000
July 2014 | (not named) | Investment banking firm | 83,000,000
February 2015 | (not named) | Health insurer | 78,800,000
2008 | (not named) | Government agency | 76,000,000
2012 | (not named) | File-sharing and hosting service provider | 68,000,000
2013 | (not named) | Short-blogging website | 65,000,000
Data Breach Laws
Data breach legislation differs by country and region. Many countries still do not require organizations to notify authorities or affected individuals after a data breach. In countries such as the U.S., Canada, and France, organizations are obliged to notify affected individuals of a data breach under certain conditions.
Read more: Global Guide to Data Breach Notifications 2016
Read more: Aligning with the GDPR: Data Breach Prevention and Notification
Best Practices
For Enterprises
- Patch systems and networks promptly. IT administrators should make sure every system and network device is patched and updated, so that attackers cannot exploit known vulnerabilities in unpatched or outdated software.
- Educate and enforce. Inform your employees about the threats, train them to recognize social engineering tactics, and introduce and enforce guidelines on how to report and handle a suspected attack.
- Implement security measures. Establish a process to find and remediate vulnerabilities in your network, perform security audits regularly, and keep an inventory so that every system connected to the company network is accounted for; a device nobody knows about cannot be patched or monitored.
- Create contingencies. Put an effective incident response and disaster recovery plan in place. In the event of a data breach, minimize confusion by having contact persons, a disclosure strategy, and concrete mitigation steps ready in advance. Make sure employees know the plan so they can act on it as soon as a breach is discovered.
For Employees
- Keep track of your banking statements. Unexpected charges on your account that you did not make are often the first sign that your data has been compromised.
- Don't believe everything you see. Social engineering preys on trust, urgency, and curiosity. Be skeptical and vigilant.
- Be mindful of what you share on social media. Details you post publicly can be used to craft convincing phishing messages or to answer account-recovery questions, so reveal as little as possible on your profile.
- Secure all your devices. These include laptops, mobile devices, and wearables. Keep their operating systems and security software updated.
- Secure your accounts. Use a unique password for each account so that one breached site does not expose the others; a password manager makes this practical. Enable two-factor authentication where it is offered.
- Do not open emails from unfamiliar senders. When in doubt, delete suspicious-looking emails without opening them. Verify who the sender is and what the email concerns before opening any attachment or following any link.