Every day we are exposed to sensitive information, whether as a source, processor or user of such information. Our increasing dependence on data and information has heightened the probability of data breaches. Although most companies have a dedicated information and data custodian, each employee should be accountable for data security and must avoid data breaches at all costs.
What Exactly Is a Data Breach?
A data breach is the unauthorized access or disclosure of protected data. It may be intentional or unintentional and could involve anything from phone numbers to dates of birth to credit card numbers.
Protected Data
Protected data refers to personally identifiable information (PII) of employees and customers. These bits of information include their names, social security numbers, phone numbers, credit card information and bank account information.
It could also mean a company’s confidential information, including customer data, supplier information employee information. The company’s intellectual property (IP) is also a form of protected data. IP covers biometrics data, strategic plans, marketing plans and internal processes and procedures.
Intentional Data Breach
A data breach is considered intentional when a hacker breaks into an individual or a company’s computer systems to gain access and steal personal information, sensitive data and customer databases. It could also be when an employee reveals company information for a fee. An employee who is about to exit the company and decides to copy all the files from their desktop for malicious reasons is also guilty of committing an intentional data breach.
Unintentional Data Breach
Often, unintentional breaches are caused by a lack of knowledge or sheer negligence. When an employee’s smartphone or laptop gets lost or stolen, or they accidentally send an email to the incorrect email address, that could result in an unintentional data breach.
Note:
Unintentional data breaches can also occur if someone connects to an unsecured internet connection or downloads a compromised file. These things can expose a company to the risks of cyberattacks.Examples of a Data Breach
At the rate that digital transformation has been scaling up the number of data users, it is no wonder that data breaches affecting millions of users are also increasing. There are many examples of data breaches, but let’s look at a few of the biggest data breaches that have happened in the past.
Yahoo
The first of two breaches happened in 2013 but was reported three years later in December 2016. The cyberattack exposed the account information of all its three billion users. Based on the investigation, bank data, payment card info and plaintext passwords were not stolen. But the hackers got their hands on other info such as security questions and answers.
]The second breach, which happened a year later in 2014, affected 500 million users. This time, the cyberthieves took off with data including account names, dates of birth, email addresses, hashed passwords and phone numbers. Yahoo did not go public with this breach until the stolen database was sold on the black market in 2016.
Like Yahoo, LinkedIn suffered a data breach on two separate occasions, the first of which occurred in 2012. Although LinkedIn initially announced that the attack gave the hacker access to 6.5 million unassociated passwords, they revealed four years later that the hacker was selling the passwords and email addresses of around 165 million LinkedIn users.
The second attack took place recently in June 2021 and affected 700 million users. A hacker, who goes by the name “God User,” applied data scraping methods to access the 700 million user database, getting personal information that included email addresses, genders, geolocation records, phone numbers and social media details. The stolen information, posted for sale in a dark web forum, can be used for social engineering attacks targeting exposed LinkedIn users.
Uber
Uber’s system was hacked, with the personal data of about 57 million customers and drivers being exposed. The hacking happened in 2016 but was reported almost a year later. Stolen were the names and driver’s license numbers of Uber’s 600,000 drivers in the U.S. The customer information that the data thieves took aside from their names included mobile phone numbers and email addresses.
Recent Data Breach Incidents
With technology getting more sophisticated as we go digital, you would think the number of data breaches would drop significantly. But if we were to consider the attacks on various organizations during the first half of 2021, it seems the hackers have not been thwarted by technological improvements.
Let’s take a look at who was affected by these breaches.
Microsoft
In March 2021, a Chinese group called Hafnium hacked Microsoft, affecting more than 30,000 organizations across the U.S. The hackers used stolen passwords and previously undetected vulnerabilities to gain access to on-site servers. Due to the data breach, emails of various organizations, including some government agencies, were exposed.
In April, Facebook again suffered a data breach. Over 500 million users’ personal information was leaked and posted by hackers in a hacking forum. The database included phone numbers, Facebook IDs, names, dates of birth and email addresses. India, the U.K. and the U.S. were the most affected.
Automatic Funds Transfer Services (AFTS)
In February, Cuba Ransomware launched an attack that breached the data privacy of millions. The attack leaked information on tax documents, financial documents, account movements, etc.
What are the Types of Data Breach?
The list of types of data breaches is unlimited and each of them poses a similar level of risk and effects. Let us classify them into three types:
Physical Data Breach
Sometimes referred to as corporate espionage, a physical data breach refers to the physical act of stealing documents, information or equipment containing information, such as POS, laptops, smartphones, personnel files, various files of customers, credit card receipts, credit monitoring reports, etc.
Electronic Data Breach
An electronic data breach happens when an unauthorized person gains access to a system or network where business and personnel data is processed, stored or transmitted. Often, these hackers go through the web route to access your system before they attack. Hackers target the healthcare and the hotel industries because of the volume of patient and guest information that is available.
Skimming
Skimming is a form of credit card fraud in which identity thieves use a skimmer to read the customer information stored in the card’s magnetic strip or microchip. Through the skimmer, the criminals get hold of the payment and personal information of the credit card holders.
What Is a Privacy Breach?
First, let us establish what privacy is. Privacy refers to a person’s right to be free from public attention and prying eyes without anybody getting into our personal space. It is your right to be left alone. It gives us the power to choose what information about us we can share, who to share it with, when and where we share it and how it is shared. However, many of our activities require us to give out personal details, whether we are using GPS, browsing the web, shopping online or in-store, watching videos and the list goes on.
While teeming with advantages, our data-driven world has forced us into sharing our personal data with others. People we don’t know personally, most of the time unseen, have collected and stored our personal data. And none of us can tell for sure if they are sharing that data without our consent. When they do, we fall victim to a privacy breach, increasing our risk of identity theft.
Data Breach vs. Privacy Breach
Are data breaches and privacy breaches the same? You could say that they are because hackers get unauthorized access to our personal information in both instances. One can always argue that we gave our personal data voluntarily when websites requested the info from us. But how and where they use it after they have served our purpose is beyond us.
Both involve our personal information, including our names, email addresses, phone numbers, Social Security numbers and credit card numbers. For some, the data may include their driver’s license numbers and bank accounts.
Note:
There is one difference between a data breach and a privacy breach: privacy is more personal. Our personal information has value, and cybercriminals can make a fortune by selling that info on the dark web. But like a data breach, we cannot stop privacy breaches from happening.Causes of a Privacy Breach
The two main causes of privacy breaches are the user and the technology. We will look at each individually to clarify what we mean.
User
How users behave in a digital environment plays a crucial role in data security. What makes them struggle with protecting data?
- Lack of Knowledge – In business settings, it is common to see employees who are not knowledgeable about cybersecurity and its threats. As long as their system network is fully functional and they can go online, all is well with their setup.
- Inadequate Skills – How many of you are dependent on IT every time your computer malfunctions? Some people cannot recognize signals that their system has been compromised. And even if they do, they wouldn’t know what to do about it.
- Negligent Attitude – Your skills or knowledge of data breaches won’t make a difference if you don’t take security seriously. Negligence and a lack of concern will undoubtedly draw your personal data to the dark web.
Technology
A poorly mapped-out network system or poorly designed software applications may leave gaps that allow hackers to get into your system. Likewise, outdated technology may also contribute to security vulnerabilities. Its obsolescence makes the technology unreliable, mainly because it is not designed to prevent hackers whose techniques have become sophisticated.
The absence of security measures in network systems leaves them prone to breaches. For example, a Wi-Fi network without WPA or WPA2 may be a candidate for an attack. The lack of security features in a company’s server might allow hackers to get their hands on confidential information.
How is Data Privacy Breached?
Hackers and identity thieves are very enterprising and creative in looking for ways to break into systems. In this section, we bring our attention to the most common ways of breaching cybersecurity.
Brute-Force Attack
This type of breach is also known as password guessing. Hackers attempt to get into one of the user’s systems by guessing the password. Once they manage to log in, they gain access to the user’s files and records. Hackers can do this because some of us use predictable passwords, like our birthdays or common words or phrases.
Note:
Sometimes, hackers don’t even have to guess. You may commonly see sticky notes with the employee’s login ID and password posted on the side of their desktops for everyone to see. Practices like this make hackers’ jobs much easier.Malware
Malware or viruses are a significant threat to any company because they may delete a large chunk, if not all, of the data stored by your company. Upon execution, a malware program can replicate itself to attack the data files, hard drive’s boot sector and other computer programs, causing damage that may lead to a system crash. Some malware programs contain malicious codes that steal data from your system. These programs are known as spyware.
The telltale signs that your computer is infected with malware are:
- An antivirus program is disabled automatically
- Computer, internet connection and programs slow down significantly
- Disk space is reduced unexplainably
- Screen repeatedly shows unwanted pop-up ads, unusual programs or messages
- System or program crashes unexpectedly
- Web browser stops working completely
- Programs run automatically
Phishing
Phishing is a data breach in which third-party hackers create legitimate-looking websites of well-known and trustworthy companies. They send out emails and ask you to log into the site for a necessary change, e.g. for a security check or verification, and by doing so, you have unknowingly given the hacker your password.
Ransomware
You know you are a victim of ransomware when you can’t access your system because it has been hacked. This data breach gets its name because the hacker will ask you to pay a certain amount to regain access to your account.
Note:
Some other types of data breaches are around to threaten you with stolen information and damages to your computer systems. With hackers getting more aggressive and tireless in discovering other ways of breaking into your system, you should be prepared and armed to prevent their attacks.What Threats Do Data Privacy Breaches Pose?
In 2020, the Ponemon Institute released the Cost of a Data Breach Study, which reported a worldwide average data breach cost of $3.86 million. Big or small companies alike are adversely affected by data breaches, but more so the small businesses. Each business must understand the risk involved to anticipate it and arm against it. What ill-effects does a data breach cause businesses?
Damage to Brand Image
Perhaps the most damaging effect that data breaches can have on a business is the loss of customer trust and confidence. It is not easy to earn consumers’ trust and build a good reputation with your market in the business world. So when the social media platforms buzz with how a business compromised customer information, the damage is distressing and far-reaching.
Financial Losses
Data breaches can be costly. When customer data is compromised, you need to compensate all affected customers for the damage done. The compensation cost does not include putting together an incident response team, along with setting up a location for them, to ensure that all customer concerns are attended to. Can you imagine how much you will be spending when you’re talking about a million users or more who were affected? You would also have to spend money investigating the data breach and installing or upgrading security features to prevent a similar occurrence.
Legal Problems
Legal problems are not just about customers seeking compensation for their data being exposed and stolen. Don’t forget the stiff penalties for noncompliance with existing relevant regulations on data breaches. And yes, all eyes will be on you as all relevant regulatory bodies observe how your company recovers from the situation and prevents it from happening again.
Business Disruption
The breach’s discovery will lead to an investigation of how the cybercriminal managed to get into your system. In some cases, operations need to be shut down to give way to the investigation. But even if a shutdown is unnecessary, it will be challenging to maintain normalcy in the operations as investigators come and go. The disruption will undoubtedly harm the company’s revenue.
How Do We Prevent Data Breaches?
Although we cannot totally prevent data breaches, we can reduce their occurrence and lessen their impact. There are few different methods to do so that we can take a look at.
Education
Employees who are well-trained and educated on data security are essential to the prevention of data breaches. Aside from empowering them to recognize potential threats and risks and to correct their negligent behaviors, it gives birth to a culture that puts a premium on privacy and data security.
Policies
Aside from the government, various sectors like health care and finance have put together their own regulations on data privacy. Every member of your company should know about these laws.
Internally, you should have a set of policies that support relevant laws and external policies. These policies should be able to spell out to each employee their roles in ensuring data privacy. For example, the company may set conditions to allow employees to use their own devices such as installing security measures to protect company data. You can do the same when you decide to issue company-owned devices to select employees.
This is important:
Policies should be comprehensive and cover all areas where a breach could happen. It should include data access controls to limit the availability of information to those who need it.Patch Management
Implement a well-planned patch management strategy to cover vulnerabilities.
Information and Data Security
Information and data can come in either electronic form or paper form. While it may not seem likely, data in paper form can be just as vulnerable to a data breach as electronic data.
Electronic Format
When possible, encrypt files when transmitting them through a public network or the internet. Make it a habit to double-check if you are sending them to the correct recipients.
Proper Use of Email
Here are some tips for avoiding breaches through email:
- Refrain from using your company-provided email for your personal transactions and vice versa.
- Report a suspicious email or spam to your IT department or whoever is responsible for cybersecurity. Do not forward such emails. Likewise, stop spreading the chain letters you receive through your email. This will only give the hackers more opportunities to steal sensitive information.
- Never share or download shared files. Unless authorized by management, do not download copyrighted materials such as software and e-books as you could face a copyright lawsuit, which often starts with receiving a cease and desist letter. If you have already received one, you should consider consulting a lawyer on how to approach a cease and desist letter to avoid further trouble.
- Stop clicking on pop-ups or opening links and attachments unless you trust the source.
Social Media
Think twice before posting anything on social media. Be sure that your post will not trigger any security threat to you, your company or your customers. Unless the nature of your job asks you to do so, do not post anything related to your company, clients or business partners on social media.
Password Security
Passwords are there to keep your computer and your files secure. However, when you fail to observe password protocols you defeat the purpose of having a password. Apply the following best password practices:
- Use a strong password – one that has alphanumeric characters with at least one special character. Stop using obvious passwords such as your initials plus your birthday.
- Make it a habit to change your passwords at least once every three months.
- Do not use hashed passwords – hackers will love you for using them.
- Never share, disclose or leave passwords written down. If you must write it down so you won’t forget it, be sure to keep it where it is safe. If you need to share your password be sure to change it as soon as the person you shared it with has finished what they are doing.
Paper Format
Never leave confidential documents exposed in your workspace. Always keep them in a secure place. When you need to print a document with sensitive information, do not leave it unattended and pick up the document off the printer immediately. Shred company documents when they are no longer needed and include document disposal as part of your data security policy.