A data breach happens when data is accessed, modified, or deleted without authorization. Security weaknesses can lead to incidents ranging from an accidental data leak to a malicious database breach – and the effects can be devastating. Learn how data breaches happen and the steps you can take to protect yourself and your business.
This article contains:
Cybercriminals flood a target website or network with requests until its resources become unavailable to legitimate users, resulting in a denial of service. Although it is not a data breach in itself, a DDoS attack can be used to divert the attention of IT or security staff while malware is installed.
A form of malicious software (malware), ransomware allows cybercriminals to encrypt data on the target network and demand a ransom payment to restore it. In the event of a data breach, this may be combined with the attacker viewing, copying, or exporting data from the network before encrypting it and threatening a data leak if the ransom is not paid. However, it’s important to note that payment does not guarantee the safe return of data.
Many web applications use SQL databases to store important data and sensitive information, such as customers’ usernames, passwords, and credit card details. In an SQL injection attack, cybercriminals exploit security flaws to manipulate the queries an application makes to its database, allowing them to access, modify, or delete data.
A cybercriminal may contact a victim by email, phone, or text message pretending to be a trusted contact. The attacker then convinces the victim to download malware or a virus – often by opening an attachment or clicking a link – or they may fool them into handing over data directly.
A criminal insider is someone – often an employee or contractor who may or may not have legitimate authority to access sensitive information – who abuses their position in order to leak data. Their motivation is usually personal profit or to cause harm to the organization.
Conversely, an accidental insider is someone who unintentionally causes a cybersecurity breach, such as falling victim to a phishing attack, using an unauthorized personal device, or through poor password management. Employees who have not had basic cybersecurity training are a vulnerability to their employer.
Any physical device, such as an unsecured laptop, hard drive, mobile phone, or USB containing sensitive information that is lost or stolen could put your business at risk.
It may seem like large companies are the main targets of data breaches, possibly because they make headlines when it happens, but small businesses and individuals are equally at risk. The following data breach examples highlight just how much damage they can cause.
In early 2020, Cam4, a small business that provides an adult streaming service, became the victim of one of the largest data breaches ever recorded. A misconfigured database allowed the release of 10.88 billion user records. The data stolen included customers’ personally identifiable information (PII) such as names, email addresses, and chat transcripts.
The popular email service, Yahoo, disclosed two data breaches in 2016, which affected all three billion of its user accounts.
The first attack was initiated by a phishing email. Attackers were able to access the names, email addresses, passwords, dates of birth, and telephone numbers of users. The breaches wiped an estimated $350 million off the company’s market value, and several shareholders filed lawsuits following the disclosures.
The Equifax breach was entirely preventable. In 2017, hackers exploited an unpatched – but known – vulnerability in a system used to build the credit reporting agency’s web application.
The data of more than 143 million individuals was compromised, including names, addresses, dates of birth, and even driving license information. The company reported that the breach cost $1.4 billion. Surprisingly, no fraud or identity theft cases have been connected with the incident.
Data privacy is covered by various laws and regulations around the world, and depending on where you or your customers are located, they may be different. If your business is a victim of a data breach, there are certain steps you must follow, so it’s important to know what is required of you. This will be affected by:
Where you do business
Where you store personally identifiable information (PII)
What type of PII your company maintains
Where the individual data subjects of the PII reside
Widely considered the world’s strongest set of rules governing data protection, GDPR was put into force by the European Parliament in May 2018. Here is a brief overview of the requirements relating to data breaches:
Personal data must be protected against "unauthorized or unlawful processing”.
You must report to a country’s data protection regulator the "destruction, loss, alteration, unauthorized disclosure of, or access to" people’s data where it could have a detrimental impact on the data subjects.
In the UK, a breach must be reported to the ICO within 72 hours of discovery.
If a breach puts individuals at risk, you must inform them, too. This should be done as soon as possible.
Even if a data breach does not require notification, you must still keep a record of it.
While the US doesn’t have a federal law governing notification following a data breach, certain states have their own data privacy laws, and you will need to be aware of the provisions for each. Well-known US regulations include the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA).
If you’re unlucky enough to be on the receiving end of a data breach disclosure, there are several things you can do to improve your security:
Change your passwords on all accounts. Whether an account was affected by the breach or not, it’s wise to change all of your passwords. Choose long, complex passwords and activate two-factor authentication (2FA) where possible.
Contact your bank or other financial institutions. Let them know that you’ve been the subject of a data breach, and ask them to check for any fraudulent activity. Request fraud alerts and consider changing your account details or replacing cards.
Update your software. Install any pending updates to shore up potential vulnerabilities.
Be proactive. Learn about potential threats and make sure you know how to spot signs of suspicious activity. Data breaches can also result in doxing if someone collects enough of your info. Stay alert for any future data issues.
In 2020, the average cost per lost or stolen record in a data breach was $146, so the impact of a significant breach could be devastating, particularly for a small business. Fortunately, there is plenty you can do to make it harder for cybercriminals to infiltrate your systems and get their hands on your data.
Follow the steps below to ensure that you have a solid security foundation in place:
Install firewalls. The first line of defense in protecting your network, a firewall will prevent any unauthorized traffic or malicious software from entering your network.
Install antivirus. A comprehensive business antivirus solution will proactively block, detect and remove threats like malware, and should also provide anti-phishing protection.
Install encryption software. Protect sensitive information by making it unreadable to unauthorized users.
Use a VPN or Zero Trust Network. Only send data via secured channels to avoid being intercepted by an unauthorized person.
Use strong passwords. Require the use of complex and unique passwords for every user account and enforce regular password changes.
Educate employees. Highlight the importance of cybersecurity and train employees to recognize cybersecurity threats and take appropriate action.
Communicate. Regularly remind employees of the dangers of clicking on links or attachments in emails from unfamiliar senders.
Encourage accountability. Make sure every staff member is aware of their personal roles and responsibilities in protecting the company’s data.
Set up new starters. Identify the specific data, devices, and access privileges new starters need.
Process leavers. Adopt a controlled exit policy for leavers, including prompt group password resetting.
Review returned devices. Wipe or securely destroy data where necessary.
Stay up to date. Scan your network and devices frequently and check for necessary upgrades. Install any updates or patches from trusted software providers as soon as possible. Consider using software that can automate this process or alert you to anything that needs attention.
Prepare. Create an Emergency Response Plan that outlines how to handle a breach, theft, or loss of data.
Make copies. Regularly back up your data so you can easily restore it if the worst happens.
While cybercriminals are continuously devising new ways to detect and exploit business vulnerabilities, some security weaknesses can be easily prevented by implementing best practices. Here are some of the most common vulnerabilities and what to do about them.
Weak credentials are an easy win for cybercriminals. Create a requirement for employees to use unique, complex passwords for every account, and use two-factor authentication (2FA) on sensitive accounts.
If your employees use their personal devices for work – which they often do – you have far less control over security standards, such as passwords, who else has access to the device, and use of public Wi-Fi. Implement a bring your own device (BYOD) policy that sets out clear expectations for each employee, and spend some time on training to highlight the potential threats.
If you are running software that has an update or patch available but not installed, you are exposing your business to risk. Ensure that all software is fully patched and updated.
The most effective way to safeguard your business is to follow best practices and use a wide range of security tools to build multiple layers of protection. Avast Business offers cybersecurity solutions that defend your business against data breaches using a combination of next-gen endpoint protection and cloud-based network security solutions. Keep your data in the right hands.