What is a Data Breach?
Data Breach Definition
A data breach is an event that results in confidential, private, protected, or sensitive information being exposed to a person not authorized to access it.
It can be the consequence of an accidental event or intentional action to steal information from an individual or organization. For example, an employee could accidentally expose sensitive information or they could purposely steal company data and share it with—or sell it to—a third party. Alternatively, a hacker might steal information from a corporate database that contains sensitive information.
Whatever the root cause of a data breach, the stolen information can help cyber criminals make a profit by selling the data or using it as part of a wider attack. A data breach typically includes the loss or theft of information such as bank account details, credit card numbers, personal health data, and login credentials for email accounts and social networking sites.
An information breach can have highly damaging effects on businesses, not only through financial losses but also the reputation damage it causes with customers, clients, and employees. On top of that, organizations may also be subjected to fines and legal implications from increasingly stringent data and privacy regulations like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
How Does a Data Breach Happen?
A data breach can be caused by an outside attacker, who targets an organization or several organizations for specific types of data, or by people within an organization. Attackers may also single out specific individuals with targeted cyberattacks.
Data breaches can be the result of a deliberate attack, an unintentional error or oversight by an employee, or flaws and vulnerabilities in an organization’s infrastructure.
Loss or Theft
A common form of security incident is the loss of devices or unauthorized access to credentials, resulting in cyber criminals obtaining confidential information. For example, a lost laptop, mobile phone, or external hard drive that is unlocked or unencrypted can easily lead to information being stolen if it ends up in the wrong hands. Even a locked device could be hacked into by a sophisticated attacker.
An insider attack is a data breach caused by an employee leaking information to a third party. Also known as a malicious insider, this individual will access or steal data with the intent of causing harm to the organization or another individual within the company.
For example, the malicious insider could have access to the company’s financial details or a client list, which they could pass on or sell to a competitor. Alternatively, the malicious insider could access information about high-risk individuals within the organization—or even password details—and sell them to a hacker for a profit.
Targeted data breach attacks see a cyber criminal or a group of attackers target specific individuals or organizations to obtain confidential information. Attackers use various methods to gain unauthorized access to corporate networks and systems or to steal user login credentials. Common types of targeted cyberattacks that can result in a data breach include:
- Phishing attack: A phishing attack involves cyber criminals using social engineering to steal information like credit card details, login credentials, and user data. Attacks typically masquerade as an email or Short Message Service (SMS) from a trusted individual to dupe the victim into opening a malicious link or visiting a spoofed website.
- Malware attack: A malware attack occurs when an attacker tricks a target into opening a malicious attachment, link, or website. The attacker then installs malware on the user’s device to steal their credentials.
- Vulnerability exploits: Cyber criminals routinely search for vulnerabilities in organizations’ hardware or software, sometimes before the vulnerability is known to the company or the vendor. When an attacker builds an exploit and launches it before the organization is able to patch the flaw, this is known as a zero-day attack.
- Denial-of-service (DoS) attack: A DoS attack deliberately overloads an organization’s network or website with fake requests, preventing legitimate users from gaining access and potentially crashing or damaging the system. Attackers can also use many infected machines, collectively known as a botnet, to launch distributed denial-of-service (DDoS) attacks.
What Can Attackers Do with Stolen Data?
Attackers tend to target high-value data such as corporate data or personally identifiable information (PII), which they can sell for financial gain or use to cause harm to the individual or organization. As attackers become increasingly sophisticated, their methods become meticulously planned to unearth vulnerabilities and identify individuals who are susceptible to an attack.
Once they gain access to data, the effects can be hugely damaging. A data breach can lead to organizations not only losing their data, which could be sensitive financial information or corporate secrets, but they can also suffer fines, financial loss, and reputational damage, which are often irreparable. An attack on a government agency could leave confidential and highly sensitive information, such as military operations, national infrastructure details, and political dealings, exposed to foreign agencies, which could threaten the government and its citizens.
Individuals who suffer a breach could lose their personal data, such as banking details, health information, or Social Security number. Armed with this information, a cyber criminal could steal the individual’s identity, gain access to their social accounts, ruin their credit rating, spend money on their cards, and even create new identities for future attacks.
Some of the biggest data compromise events in history had long-lasting effects on the organizations that suffered them. These data breach examples include:
In 2016, internet giant Yahoo revealed that it had suffered two data breaches in 2013 and 2014. The attacks, which affected up to 1.5 billion Yahoo accounts, were allegedly caused by state-sponsored hackers who stole personal information, such as email addresses, names, and unencrypted security questions and answers.
A data breach against financial firm Equifax between May and June 2017 affected more than 153 million people in Canada, the U.K., and the U.S. It exposed customers’ personal data, including birth dates, driver’s license numbers, names, and Social Security numbers, as well as around 200,000 credit card numbers. The breach was caused by a vulnerability in third-party software for which a patch had been released but had not been applied to Equifax’s servers.
In 2018, Twitter urged its 330 million users to change and update their passwords after a bug exposed them. This was the result of a problem with the hashing process Twitter uses to protect its users’ stored passwords. The social networking site claimed it found and fixed the bug, but this is a good example of a potential vulnerability exploit.
Twitter also suffered a potential breach in May 2020, which could have affected businesses using its advertising and analytics platforms. An issue with its cache saw Twitter admit it was “possible” that some users’ email addresses, phone numbers, and the final four digits of their credit card numbers could have been accessed.
First American Financial Corporation
In May 2019, insurance firm First American Financial suffered an attack that saw more than 885 million sensitive documents exposed. The digitized files, which dated back to 2003, contained bank account numbers and statements, mortgage records, photos of driver’s licenses, Social Security numbers, tax documents, and wire transfer receipts, and were left accessible online.
The attack is believed to have been caused by an insecure direct object reference (IDOR), a website design error in which a link intended for a specific individual points directly at the underlying document without any check on who is requesting it. Unfortunately, such links became publicly available, meaning anyone holding one could view the documents.
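The IDOR pattern described above, shown as an added example rather than code from the page or from First American: a handler that trusts the document identifier in the link, beside a hardened handler that requires an authenticated session and an ownership check. The document store, user names and IDs are constructed sample data.

```python
# Added example (not from the page): insecure direct object reference (IDOR)
# beside a hardened version. All records, owners and IDs are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    title: str


# Constructed sample data standing in for a document-hosting back end.
DOCUMENTS = {
    1001: Document(1001, "alice", "Wire transfer receipt"),
    1002: Document(1002, "bob", "Mortgage record"),
}


def fetch_document_insecure(doc_id: int) -> Optional[Document]:
    """IDOR: the handler trusts the identifier carried in the link and never
    asks who is requesting it, so anyone holding a link can read the record
    it points at, whether or not it belongs to them."""
    return DOCUMENTS.get(doc_id)


def fetch_document_secure(session_user: Optional[str],
                          doc_id: int) -> Tuple[int, Optional[Document]]:
    """Hardened: require an authenticated session, then check that the
    requester owns the record. Returns (HTTP status, document or None).
    Missing and forbidden records both answer 404 so the response does not
    reveal which identifiers exist."""
    if session_user is None:
        return 401, None  # no session: the link alone is not a credential
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        return 404, None  # not found, or not the requester's record
    return 200, doc


if __name__ == "__main__":
    # Same link, different outcome: the insecure handler hands over Bob's
    # record to anyone; the hardened one only to Bob's own session.
    print(fetch_document_insecure(1002))
    print(fetch_document_secure(None, 1002))
    print(fetch_document_secure("alice", 1002))
    print(fetch_document_secure("bob", 1002))
```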
In September 2019, a server containing phone numbers linked to more than 419 million Facebook users’ account IDs was exposed. The server was not password-protected, which meant that anyone could find, access, and search the database. Three months later, a database containing roughly 300 million Facebook users’ names, phone numbers, and user IDs was exposed by hackers and left unprotected on the dark web for around two weeks.
How to Prevent a Data Breach?
Data breach prevention is reliant on an organization having the right, up-to-date security tools and technologies in place. But it is also imperative for all employees within the organization to take a comprehensive approach to cybersecurity and know how to handle a data breach. This means understanding the security threats they face and how to spot the telltale signs of a potential cyberattack.
It is important to remember that any organization’s cybersecurity strategy is only as strong as its weakest link. It is therefore vital for all employees to follow cybersecurity best practices and not take any actions that put them or their organization at risk of a data breach.
Organizations and employees must implement and follow best practices that support a data breach prevention strategy. These include:
- Use strong passwords: The most common cause of data breaches continues to be weak passwords, which enable attackers to steal user credentials and gain access to corporate networks. Furthermore, people often reuse or recycle passwords across multiple accounts, so a password stolen from one account can be used to break into others. As such, use strong, unique passwords that make it harder for cyber criminals to steal credentials, and consider using a password manager.
- Use multi-factor authentication (MFA): Due to the inherent weakness of passwords, users and organizations should never rely on passwords alone. MFA forces users to prove their identity in addition to entering their username and password. This increases the likelihood that they are who they say they are, which can prevent a hacker from gaining unauthorized access to accounts and corporate systems even if they manage to steal the user’s password.
- Keep software up to date: Always use the latest version of a software system to prevent potential vulnerability exploits. Ensure that automatic software updates are switched on whenever possible, and always update and patch software when prompted to do so.
- Use secure URLs: Users should only open Uniform Resource Locators (URLs) or web addresses that are secure. These will typically be URLs that begin with Hypertext Transfer Protocol Secure (HTTPS). It is also important to only visit trusted URLs. A good rule of thumb is to never click any link in an email message, but
- Educate and train employees: Organizations must educate employees on the risks they face online and advise them on the common types of cyberattacks and how to spot a potential threat. They also should provide regular training courses and top-up sessions to ensure employees always have cybersecurity at the top of their minds and that they are aware of the latest threats.
- Create a response plan: With cyber criminals increasing in sophistication and cyberattacks becoming more prevalent, businesses must have a response plan in case the worst happens. They must know who is responsible for reporting the attack to the appropriate authorities, and have a clear plan for the steps that follow. This must include determining what data was stolen and of what kind, changing and strengthening passwords, and monitoring systems and networks for malicious activity.
How Fortinet Can Help
The Fortinet FortiNAC solution enables organizations to gain total control and visibility of everything connected to their network. The network access control (NAC) tool provides device and user control and strengthens the network infrastructure security. FortiNAC protects against Internet-of-Things (IoT) threats and orchestrates automatic responses across the network. With it in place, organizations can gain visibility of every device and user that joins the network, control where devices can go, and react to events that would normally take days in just a matter of seconds.
This technology is crucial to establishing a zero-trust approach, which sets a policy of trust no longer being implicit for applications, devices, or users attempting to access a network. This helps IT teams easily understand which users and devices are accessing the organization’s network.