Data breach definition
A data breach, or data leak, is a security event in which protected data is accessed by or disclosed to unauthorized viewers. A data breach is different from data loss, which is when data can no longer be accessed because of a hardware failure, deletion or other cause. Protected data can include information about individual customers or employees, such as personally identifiable information (PII), personal health information, payment card information and Social Security numbers. It can also include corporate information or intellectual property (IP), such as trade secrets, details about manufacturing processes, supplier and customer data, information about mergers and acquisitions, or data about lawsuits or other litigation.
Data breaches are not always intentional. Users can accidentally send protected data to the wrong email address or upload it to the wrong share; in fact, mistakes account for 17% of breaches, according to Verizon’s well-known 2018 Data Breach Investigations Report. But the report found that most breaches are deliberate and financially motivated. While different methods are used to gain access to sensitive data, 28% of breaches involve insiders, according to the Verizon report. Organizations in every industry are potential targets.
Types of Data Breaches
Different sources define different types of data breaches. Here, I group them by the root cause:
- Cyber attacks — Hackers use malware, phishing, social engineering, skimming and related techniques to gain access to protected information.
- Theft or loss of devices — Laptops, smartphones, thumb drives and other data storage media can be lost, stolen or disposed of improperly. If they contain protected information and it ends up in the wrong hands, that’s a data breach.
- Employee data theft or data leak — Employees, especially those who are departing soon, might deliberately access protected information without authorization with malicious intent.
- Human errors. Mistakes happen, and people are negligent. Employees accidentally send proprietary data to the wrong person, upload it to public shares or misconfigure servers where it is stored.
Lessons learned from three of the world’s biggest data breaches
Case 1: Yahoo
When it happened: Series of breaches in 2013 and 2014
When it was disclosed: 2016
The scope of the breach: In 2016, Yahoo estimated that over 1 billion user accounts might have been compromised in the 2014 breach. Later, in 2017, it admitted all 3 billion of its user accounts had been hacked.
Details: The breaches involved the theft of user account details such as email addresses, telephone numbers, hashed passwords, dates of birth and, in some cases, answers to security questions. Fortunately, no payment information, such as credit card numbers or bank account details, was stolen. The first breach to be publicly announced, in 2016, happened in 2014 and affected approximately 500 million users. A few months later, Yahoo disclosed another breach, which occurred in 2013, and said that it had affected over 1 billion user accounts. It took Yahoo almost a year to investigate and announce that all 3 billion of its user accounts had likely been affected in the 2013 breach.
Implications: In 2016, when the first two announcements of breaches hit the headlines, Yahoo was in the middle of negotiating a purchasing deal with Verizon. Due to this discovery, Verizon lowered their offer for Yahoo assets by $350 million. In addition, the company was hit with about 43 class action lawsuits.
Lessons learned: The investigation of the 2014 breach showed that Yahoo’s security team and senior executives knew right away that some user accounts had been hacked, and they did take some remedial actions, including contacting those users whose accounts were thought to be affected. However, they failed to conduct further investigations to fully understand the matter. If Yahoo had properly and promptly investigated the 2014 breach, they might have become aware of the 2013 breach sooner, possibly before the user data went on sale on the black market. The main lesson here is not to compromise on investigation, even if an incident seems to be small. Investigate thoroughly to fully understand what happened, how it happened and what data was affected, so you can minimize the negative effects and prevent similar incidents from happening in the future.
Case 2: Equifax
When it happened: Mid-May 2017
When it was disclosed: September 2017
The scope of the breach: 147.9 million U.S. consumers
Details: Hackers gained access to certain files containing Social Security numbers, birth dates, addresses, driver’s license numbers and other personal information. 209,000 consumers also had their credit card data exposed in the attack. An investigation by the U.S. General Accounting Office attributed the breach to the company’s failure to use well-known security best practices and its lack of internal controls and routine security reviews; in particular, the attack exploited a software vulnerability on a single Internet-facing web server that Equifax had failed to patch.
Implications: The breach affected the company’s stock price and Equifax’s CEO, CIO and CSO resigned soon after the breach was announced. The breach also helped trigger some states, including California, to pass stricter data protection regulations.
Lessons learned: To avoid having similar things happen to your company, never forget about these security basics:
- Know your assets and conduct regular asset inventory.
- Regularly update and patch software.
- Classify your data and secure it according to its sensitivity.
- Archive or delete unnecessary data in a timely manner.
Case 3: Uber
When it happened: 2016
When it was disclosed: 2017
The scope of the breach: The personal data of 57 million Uber users and 600,000 drivers
Details: In late 2016, Uber learned that hackers had gotten the names, email addresses and mobile phone numbers of 57 million Uber app users, as well as the driver’s license numbers of 600,000 Uber drivers. Hackers were able to access Uber’s GitHub account, where they found the credentials to Uber’s Amazon Web Services (AWS) account. Uber learned about the breach in 2016 when hackers demanded money to delete their copy of the data; Uber finally went public with the breach a year later.
Consequences: The breach is believed to have cost Uber dearly in both reputation and money. When the breach was announced, Uber’s valuation was $68 billion and the company was in negotiations to sell a stake to Softbank. By the time the deal closed in December, its valuation had dropped to $48 billion. Not all of the drop is attributable to the breach, but analysts consider it a significant factor. Uber’s CEO and director of security and law enforcement were both fired and the CSO was forced out as well. The settlement totaled $148 million.
Lessons learned: If you use cloud repositories, ensure the following to minimize the risk of a similar incident:
- Know what information you store in public repositories, and don’t store any unnecessary data there.
- Properly configure your cloud repositories.
- Enforce strong security controls on your cloud repositories.
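As an added illustration of the first lesson (this is example code, not code from the original post or from any of the companies discussed): a minimal pre-commit style scanner that flags AWS-shaped credentials and other high-entropy secrets in a file before it reaches a repository. The AWS access key ID prefix pattern comes from public AWS documentation; the secret-name heuristic, the 4.0 bits/char entropy threshold and the sample config are my own assumptions.

```python
import math
import re

# Credential shapes a pre-commit hook can catch before code reaches a shared repository.
# The access key ID prefix (AKIA + 16 uppercase alphanumerics) is public AWS documentation; the
# secret-key rule is a heuristic: a 40-char base64-like value next to a "secret"-looking label.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}
# Generic rule: a value assigned to a secret-ish name that looks random (high entropy).
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(secret|token|password|passwd)\w*)\s*[=:]\s*['\"]([^'\"]{16,})['\"]"
)

def shannon_entropy(s: str) -> float:
    """Bits per character: random API secrets score far above words, paths or hostnames."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text: str, entropy_threshold: float = 4.0) -> list:
    """Return (line_number, finding) per probable credential. Specific AWS rules win on a line;
    the entropy rule (threshold 4.0 bits/char is an assumption) runs only when neither fires."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = [kind for kind, pat in PATTERNS.items() if pat.search(line)]
        if not hits:
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(3)) >= entropy_threshold:
                hits.append("high_entropy_secret")
        findings.extend((lineno, kind) for kind in hits)
    return findings

# Constructed sample of a config file that might be committed by mistake. The AWS values are the
# placeholder examples from AWS's own documentation, not real credentials.
SAMPLE_CONFIG = """\
region = "us-east-1"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "Zq8vN3LxT1pC9wR4yB7mK2dH6sF0jG5e"
dev_password = "passwordpasswordpassword"
"""

if __name__ == "__main__":
    for lineno, kind in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}")
```

Wiring `scan_text` into a pre-commit hook that rejects the commit on any finding stops the credential before it is ever pushed, which is cheaper than rotating keys after a leak.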
World’s largest data breaches in a nutshell:
Company name | What happened | Scope of the breach | What data was breached | Lessons learned |
---|---|---|---|---|
Yahoo | Yahoo failed to conduct a thorough investigation to fully understand the 2014 breach. As a result, it was only in 2016 that they found the true scope of this breach. | 3 billion accounts | • Email addresses • Telephone numbers • Hashed passwords • Answers to security questions | Make it a priority to thoroughly investigate when you have even a hint of an incident. |
Equifax | Hackers exploited unpatched software on a single internet-facing web server. | 147.9 million accounts | • SSN • Birth dates • Addresses • Driver’s license numbers • Credit card data • Tax IDs • Email (without credentials) • Gender • Name • Phone number • Passport or passport card numbers • Data from other government-issued IDs | • Know your assets and conduct regular asset inventory. • Regularly update and patch software. • Classify data and secure it according to its sensitivity. • Archive or delete unnecessary data in a timely manner. |
Uber | Hackers were able to access Uber’s GitHub account, where they found the credentials to Uber’s Amazon Web Services (AWS) account. | 57 million Uber users and 600,000 drivers | • Names • Email addresses • Phone numbers • Driver’s license numbers | • Know what information you store in public repositories, and don’t store any unnecessary data there. • Properly configure your cloud repositories. • Enforce strong security controls on your cloud repositories. |
Consequences of data breaches
The consequences of a data breach are often severe and can have long-lasting effects in four key areas:
- Financial. Companies usually face substantial financial losses, including regulatory fines and settlement payments. They often see a drop in their valuation as well, as in the cases of Yahoo and Uber. And they can lose future revenue, especially if intellectual property is breached, because it often leads to the loss of competitive advantage and market share.
- Legal. Whenever a breach involves any kind of personal information, companies are likely to face class action lawsuits. In some cases, authorities can ban companies from performing certain operations, as happened to Heartland in January 2009, when it was deemed out of compliance with PCI DSS and prohibited from processing payments with major credit card providers until May 2009.
- Reputation. It can be difficult to estimate how much damage a breach does to a company’s reputation, but the damage is often long-lasting. Moreover, individual executives can be fired or forced to resign to mitigate the damage.
- Operational. Data breaches often disrupt normal operations, especially during the investigation process. Moreover, some data breaches involve the complete loss of important data, which is especially painful because it takes time to replicate the data.
Data breach risk factors
According to the 2018 Cost of Data Breach Study conducted by the Ponemon Institute, the average cost of a data breach in the U.S. is $7.91 million and the average number of breached records is 31,465, roughly $251 per record. Clearly, it’s wise to invest some of your security efforts in data breach risk mitigation.
To reduce the risk of a data breach, you need to understand where the risk is coming from. There are two major risk factors: people and devices. Some people have to be granted access to regulated or sensitive information; you can’t simply disallow all access to the data. But their deliberate or accidental actions can lead to a breach of valuable company data. As we have seen, they can make mistakes, such as sending information to the wrong email address or uploading it to an unsecured share, and they can also deliberately use their access to steal important data for financial gain or to sabotage the company. Moreover, users can fall victim to identity theft, in which someone else learns their credentials and takes over their user identity to gain access to data.
Devices are the other major risk factor, especially portable devices that can store sensitive data and mobile devices that are used to access corporate networks and resources. These devices are often lost or stolen, and it can be hard to extend security controls to these devices. Other devices also present a serious risk when software isn’t patched in a timely manner or they are improperly configured.
Data breach prevention and response
Cyber criminals are constantly coming up with new techniques and strategies, which makes it difficult to predict how exactly they will execute their next attack on your sensitive data. Nonetheless, there are things you can do to minimize the risk of a data breach. In this blog, I’ve decided to use the NIST Cybersecurity Framework to outline basic steps that can help you prevent data breaches:
- Identify cybersecurity risks to your data. The 2018 Netwrix IT Risks Report found that 70% of organizations have performed a risk assessment at least once, but only 33% of organizations re-evaluate their IT risks at least once a year. However, both cyber threats and your IT environment are constantly evolving: people, software, hardware, mobile devices and cloud platforms are constantly changing. To discover new risks and mitigate them to protect your data, you need to perform an information risk assessment at least once a year.
- Protect your data by implementing appropriate safeguards. If you are not sure where to start, you can always turn to one of the regulatory compliance documents for guidance. You can learn a thing or two about data security controls, especially from regulations that are solely focused on data security and privacy, like the GDPR. Another useful source is the list of CIS Controls, which was created and is kept up to date by the Center for Internet Security. Because this is a big topic, I’ll just mention three basic safeguards that can significantly improve your data security:
- Encryption – According to the Ponemon research, the second most significant factor in reducing the overall cost of a data breach is encryption. It’s a simple yet often neglected way to secure your data. Even if it’s stolen or breached, properly encrypted data will be useless to malicious actors; they won’t be able to sell it or use it against you or the individuals whose data they stole.
- Data access governance — Regular privilege attestation and data access monitoring will reduce your attack surface and help you spot abnormal activities in their early stages.
- Employee training and awareness – The Netwrix report shows that 50% of data breaches involved regular users. Clearly communicate your security policy and teach your employees how to spot and respond to attacks, and you’ll reduce your chances of suffering a data breach.
- Enable timely detection of cybersecurity events that threaten your data. With 68% of breaches going unnoticed for months or even longer, according to Verizon, it’s no wonder that detection is one of the two top areas that respondents to the Netwrix IT Risks survey plan to improve in order to minimize the risk of data breaches. One really good source that can help is the MITRE ATT&CK knowledge base, which details the signs you need to be looking for to detect attacks.
62% of respondents state that they need to develop and implement appropriate activities to identify the occurrence of a cybersecurity event
- Be prepared to respond properly when a data breach is detected. Map out a response plan and clearly communicate it so everyone in the company is aware whom to contact and what to do in the event of a data breach. Include in your plan a notification procedure aligned with the regulations your company is subject to. Remember the lesson from the Yahoo breaches — do a thorough investigation to fully understand what happened, how it happened, what data is affected and what needs to be done to prevent similar incidents from happening in the future.
- Be able to recover data, systems and services that were stolen or destroyed in a data breach. Have a recovery plan and test and improve it regularly.
Conclusion
These basic measures can be a great starting point in reducing the risk of a data breach. However, each of them requires thorough analysis and translation to the specifics of your company’s business. Here are a few things that can help you with that process:
- Do not go it alone. Look for solutions that can help automate as many tasks as possible so you and your team can focus on strategically important activities.
- Look for new cybersecurity developments in various industries and apply those that seem to fit your company best.