Data Breach

A data breach is an incident where information is stolen or taken from a system without the knowledge or authorization of the system’s owner. A small company or large organization may suffer a data breach. Stolen data may involve sensitive, proprietary, or confidential information such as credit card numbers, customer data, trade secrets, or matters of national security.

The effects brought on by a data breach can come in the form of damage to the target company’s reputation due to a perceived ‘betrayal of trust.’ Victims and their customers may also suffer financial losses should related records be part of the information stolen.

Based on the number of data breach incidents recorded between January 2005 and April 2015, personally identifiable information (PII) was the most stolen record type while financial data came in second.

Breach methods observed across industries

Most data breaches are attributed to hacking or malware attacks. Other frequently observed breach methods include the following:

  • Insider leak: A trusted individual or person of authority with access privileges steals data.

  • Payment card fraud: Payment card data is stolen using physical skimming devices.

  • Loss or theft: Portable drives, laptops, office computers, files, and other physical properties are lost or stolen.

  • Unintended disclosure: Through mistakes or negligence, sensitive data is exposed.

  • Unknown: In a small of number of cases, the actual breach method is unknown or undisclosed

Phases of a Data Breach



  • Research
The attacker, having picked a target, looks for weaknesses to exploit: employees, systems, or the network. This entails long hours of research on the attacker’s part and may involve stalking employees’ social media profiles to find what sort of infrastructure the company has.
  • Attack

Having scoped a target’s weaknesses, the attacker makes initial contact either through a network-based or social attack.

In a network-based attack, the attacker exploits weaknesses in the target’s infrastructure to instigate a breach. These weaknesses may include, but are not limited to SQL injection, vulnerability exploitation, and/or session hijacking.

In a social attack, the attacker uses social engineering tactics to infiltrate the target network. This may involve a maliciously crafted email sent to an employee, tailor-made to catch that specific employee’s attention. The email can phish for information, fooling the reader into supplying personal data to the sender, or come with a malware attachment set to execute when downloaded.

  • Exfiltrate
Once inside the network, the attacker is free to extract data from the company’s network. This data may be used for either blackmail or cyberpropaganda. The information an attacker collects can also be used to execute more damaging attacks on the target’s infrastructure.


Reported Data Breaches

Date

Organization

Industry

Number of Records Stolen

Between 2013 and 2014

Yahoo

Email service provider

3,000,000,000

October 2016

Adult Friend Finder

Adult website

412,200,000

May 2016

MySpace

Social media website

360,000,000

Between 2007 and February 2013

Experian

Credit bureau

200,000,000

2012

LinkedIn

Social media website

165,000,000

February 2018

Under Armour/MyFitnessPal

Fitness mobile app

150,000,000

Between May and July 2017

Equifax

Information solutions company

145,500,000

May 2014

eBay

Online auction website

145,000,000

March 2008

Heartland Payment Systems

Credit and debit processor

134,000,000

December 2013

Target

Retailer

110,000,000

17-19 April 2011
(discovery date)

Sony PlayStation Network

Electronics firm

102,000,000

17 February 2012

Rambler

Internet portal and email service provider

98,100,000

December 2006

TJX Companies

Retailer

94,000,000

October 2017

MyHeritage

Genealogy-testing service provider

92,283,889

2005

AOL

ISP

92,000,000

July 2014

JP Morgan & Chase

Investment banking firm

83,000,000
(76,000,000 consumers; 7,000,000 small businesses)

February 2015

Anthem

Health insurer

78,800,000

2008

National Archive and Records Administration

Government agency

76,000,000

2012

Dropbox

File-sharing and hosting service provider

68,000,000

2013

Tumblr

Short-blogging website

65,000,000


Top 20 breach victims based on number of records stolen


Data Breach Laws

Data breach legislation differs in every country or region. Many countries still do not require organizations to notify authorities in cases of a data breach. In countries like the U.S., Canada, and France, organizations are obliged to notify affected individuals of a data breach under certain conditions.

Read more: Global Guide to Data Breach Notifications 2016
Read more: Aligning with the GDPR: Data Breach Prevention and Notification

Best Practices

For Enterprises

  • Patch systems and networks accordingly. IT administrators should make sure all systems in the network are patched and updated to prevent attackers from exploiting vulnerabilities in unpatched or outdated software.

  • Educate and enforce. Inform your employees about the threats, train them to watch out for social engineering tactics, and introduce and/or enforce guidelines on how to handle a threat if encountered.

  • Implement security measures. Create a process to identify vulnerabilities and address threats in your network. Regularly perform security audits and make sure all of the systems connected to your company network are accounted for.

  • Create contingencies. Put an effective disaster recovery plan in place. In the event of a data breach, minimize confusion by being ready with contact persons, disclosure strategies, actual mitigation steps, and the like. Make sure that your employees are made aware of this plan for proper mobilization once a breach is discovered.

For Employees

  • Keep track of your banking receipts. The first sign of being compromised is finding strange charges on your account that you did not make.

  • Don’t believe everything you see. Social engineering preys on the gullible. Be skeptical and vigilant.

  • Be mindful of what you share on social media. Don’t get carried away. If possible, don’t reveal too much about yourself on your profile.

  • Secure all your devices. These devices include laptops, mobile devices, and wearables. Ensure that they are protected by security software that is always updated.

  • Secure your accounts. Use a different email address and password for each of your accounts. You may opt to use a password manager to automate the process.

  • Do not open emails from unfamiliar senders. When in doubt, delete suspicious-looking emails without opening it. Always try to verify who the sender is and the contents of the email before opening any attachment.