What is a Data Security Breach?
Other beginner-level courses in the data security module include “Data Security Best Practices for Business”, and “What is a data security incident?”. Check out the “Data security training” course page for all data security modules.
Data security is the process of protecting digital information against unauthorized access, modification, theft, or deletion. It is a vital measure to safeguard customer and user data, retain trust, and remain compliant with regional regulations.
This beginner data security training module will explain what data security is and how it works. It will look at data security breaches and incidents before identifying the key steps for building your own data security and protection toolkit.
What is a data breach?
A data breach is when protected information (personal or otherwise sensitive) is exposed to an unauthorized person, compromising its confidentiality and potentially its integrity. This is different from a data security incident, which is a violation of a company’s own security policies. Often the two take place together. Leaving a laptop on a train, for example, is a data security incident because it breaches policy; under the definitions used in this module it only becomes a data breach once an unauthorized third party actually accesses company data on the missing device. Note that some regulations take a stricter view: under GDPR the loss of unencrypted personal data counts as a personal data breach in its own right, whether or not anyone is known to have read it.
Often a breach will occur due to weaknesses in the technology used or to human error, and both frequently trace back to convenience being preferred over security: users reusing the same password across accounts, for example, or devices not being promptly updated with new security patches.
Three types of data breach
There are three categories of data breach, based on how the data is stolen: Physical, Electronic, and Skimming.
A physical data breach refers to the theft or misuse of physical property. Examples include:
- Stealing hard copies of documents
- Theft of hardware such as laptops, memory sticks, etc.
- Misuse of ID cards to access offices or buildings.
An electronic data breach is a deliberate attack on, or unauthorized access to, a system or network that stores, transmits, or processes sensitive data. Examples include:
- Signing in as someone else to access information
- Targeting vulnerabilities in a network to access web servers or other network components to collect information or stage a cyberattack.
Skimming originally referred to the covert copying of card data from a payment card’s magnetic stripe, typically by fitting a tampered reader to an ATM or point-of-sale terminal, without the cardholder’s knowledge or consent.
Similar in approach and intention, digital skimming refers to the theft of user access information such as PINs or passwords. This can be done through phishing, by exploiting vulnerabilities in payment platforms, or by redirecting users to a malicious copy of a legitimate website. It can also be done through keylogging, which records a user’s keystrokes in order to ‘skim’ the credentials they type.
How do data breaches happen?
For many people, the idea of a data breach brings to mind a hacker deliberately targeting their company and trying to break through the network’s defences. The reality is that, while targeted attacks do occur, data breaches are predominantly the result of human error – either individual mistakes made through a lack of training, or known weaknesses in the company’s systems and processes that have not been addressed.
Common data breach threat types include:
Accidental insider breach
One of the most common sources of data breaches is human error. The types of error vary but include:
- Using weak passwords (or reusing passwords)
- Sharing account details
- Losing laptops or other devices
- Using personal devices for business purposes.
One of the largest data security problems is ensuring that staff are trained to identify a potential breach and that they are always operating within the parameters of best practices.
Opportunistic attacks on unpatched systems
Most cyberattacks are not aimed at one organization; they target as many potential victims as possible, usually by exploiting known vulnerabilities in widely used software. Patches exist for most of these issues, but the attacker counts on many organizations not having applied them promptly, and it is those organizations whose data ends up exposed.
Malicious insider breach
A malicious insider is an individual who accesses and distributes data with the intent of causing harm to individuals or the organization. For example, this could be a former employee who left on bad terms and copied protected files before leaving.
Examples of big data breaches
The following examples of high-profile data breaches demonstrate the importance of implementing effective data security to protect your business and its customers/clients.
Equifax (2017)
The credit reporting agency Equifax was breached in 2017, exposing the names, dates of birth, Social Security numbers, addresses and, for some, credit card numbers of roughly 147 million people, most of them in the United States, with smaller numbers in the UK and Canada. The attackers exploited a known vulnerability in the Apache Struts framework on a public-facing web application for which a patch had been available for about two months.
The result was a settlement with US regulators of up to $700 million for the failings that led to the breach.
LinkedIn (2021)
In 2021, data on about 700 million LinkedIn users, around 92% of the user base at the time, was offered for sale on the dark web. LinkedIn stated that the data had been scraped from public profiles and other sources rather than taken in a breach of its systems, but there were numerous reports from users who believed they were targeted by phishing and identity theft as a result.
British Airways (2020)
In 2020 the Information Commissioner’s Office (ICO), the UK data protection regulator, fined British Airways (BA) £20m ($25.6m) for failing to protect the personal and financial details of more than 400,000 customers in a 2018 attack in which payment card data was skimmed from the airline’s website and app at checkout.
What information is targeted in a data breach?
Perpetrators of malicious data breaches are likely to target specific types of data. Common targets would be financial information, such as bank account details and credit card numbers, but the personal information of employees could also be targeted.
Personal information, combined with readily available company details (names of senior staff, email addresses, clients), can be used for spearphishing, in which a bad actor uses specific personal details to make a phishing email look legitimate. By posing as the victim’s manager or a colleague requesting access to a certain file, for example, an attacker can trick the victim into handing over sensitive information or credentials.
Sometimes the volume of data is the goal. If attackers can access databases or large numbers of files, the data can be encrypted as part of a ransomware attack, with the attacker demanding payment for the decryption key and, increasingly, also threatening to leak the stolen data online if the ransom is not paid within a set period.
How do hackers breach data?
The reason data security threats persist is the range of methods that can be used. Each example listed below has multiple variants to take advantage of emerging vulnerabilities and changes in security approaches.
Types of external attacks include:
- Social engineering – Manipulating people into sharing sensitive information, or into taking actions that can be used to attack systems or networks. Phishing is the most common form; pretexting phone calls and fake IT support requests are others.
- Zero-day attacks – Exploitation of a hardware or software vulnerability that the vendor does not yet know about or has not yet fixed, so that the attack begins before any patch exists to apply.
- Malware – Often delivered through a phishing email that persuades the user to open a malicious attachment or visit a spoofed website. Once running, the malware steals credentials and data or encrypts large amounts of it.
- Brute force – Systematic trial and error to guess passwords or cryptographic keys, almost always automated because of the number of combinations. Variants include credential stuffing (replaying username/password pairs leaked from other breaches) and password spraying (trying a few common passwords against many accounts so as to stay below lockout thresholds), both of which take advantage of weak or reused passwords.
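The brute-force methods above, including the variants that try leaked or common passwords against many accounts, leave distinctive traces in authentication logs, and detecting them is usually cheaper than preventing them. The following is an added example written for this module, not code from the original page: it parses a constructed log in an assumed format and flags three patterns, namely many failures against one account from one address, one address failing against many accounts, and a success that follows a burst of failures. The log format, the sample lines and the thresholds are all assumptions.

```python
"""Spotting brute-force and password-spraying attempts in authentication logs.

Added example for this module, not code from the original page. The log
format, the sample lines and the thresholds are constructed assumptions for
illustration; real logs from SSH, a VPN gateway or an identity provider need
their own parser, but the patterns being looked for are the same.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds (assumed; tune to your environment and lockout policy).
BRUTE_FORCE_FAILS = 5      # failures against one account from one IP
SPRAY_DISTINCT_USERS = 5   # distinct accounts attempted from one IP
WINDOW = timedelta(minutes=10)

# Assumed line format: "<ISO timestamp> <OK|FAIL> user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample log (not real data). 203.0.113.10 hammers one account and
# finally gets in; 198.51.100.7 tries one password against five accounts
# (spraying); 192.0.2.5 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice ip=203.0.113.10
2024-03-01T09:00:05 FAIL user=alice ip=203.0.113.10
2024-03-01T09:00:09 FAIL user=alice ip=203.0.113.10
2024-03-01T09:00:13 FAIL user=alice ip=203.0.113.10
2024-03-01T09:00:17 FAIL user=alice ip=203.0.113.10
2024-03-01T09:00:21 FAIL user=alice ip=203.0.113.10
2024-03-01T09:00:25 OK user=alice ip=203.0.113.10
2024-03-01T09:30:00 FAIL user=bob ip=198.51.100.7
2024-03-01T09:30:30 FAIL user=carol ip=198.51.100.7
2024-03-01T09:31:00 FAIL user=dave ip=198.51.100.7
2024-03-01T09:31:30 FAIL user=erin ip=198.51.100.7
2024-03-01T09:32:00 FAIL user=frank ip=198.51.100.7
2024-03-01T10:15:00 FAIL user=alice ip=192.0.2.5
2024-03-01T10:15:20 OK user=alice ip=192.0.2.5
this line is not an auth event and is skipped by the parser
"""


def parse_log(text):
    """Return (timestamp, result, user, ip) tuples in time order; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return sorted(events, key=lambda e: e[0])


def _max_in_window(stamps):
    """Largest number of (sorted) timestamps falling inside any WINDOW-long interval."""
    best = j = 0
    for i, t in enumerate(stamps):
        while t - stamps[j] > WINDOW:
            j += 1
        best = max(best, i - j + 1)
    return best


def _max_users_in_window(fails):
    """Largest set of distinct users failing from one IP inside any WINDOW-long interval."""
    best, j = set(), 0
    for i, (t, _) in enumerate(fails):
        while t - fails[j][0] > WINDOW:
            j += 1
        users = {u for _, u in fails[j:i + 1]}
        if len(users) > len(best):
            best = users
    return best


def detect(events):
    """Return findings: brute_force {(ip, user): fails}, spraying {ip: users}, and
    success_after_failures [(ip, user, prior_fails)] for logins that succeeded
    right after a burst of failures from the same IP (likely compromise)."""
    per_pair = defaultdict(list)   # (ip, user) -> failure timestamps
    per_ip = defaultdict(list)     # ip -> [(timestamp, user)] for failures
    findings = {"brute_force": {}, "spraying": {}, "success_after_failures": []}
    for ts, result, user, ip in events:
        if result == "FAIL":
            per_pair[(ip, user)].append(ts)
            per_ip[ip].append((ts, user))
            continue
        recent = [t for t, _ in per_ip.get(ip, []) if ts - t <= WINDOW]
        if len(recent) >= BRUTE_FORCE_FAILS:
            findings["success_after_failures"].append((ip, user, len(recent)))
    for (ip, user), stamps in per_pair.items():
        n = _max_in_window(stamps)
        if n >= BRUTE_FORCE_FAILS:
            findings["brute_force"][(ip, user)] = n
    for ip, fails in per_ip.items():
        users = _max_users_in_window(fails)
        if len(users) >= SPRAY_DISTINCT_USERS:
            findings["spraying"][ip] = users
    return findings


if __name__ == "__main__":
    for kind, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(kind, hits)
```

Run as a script it prints the findings for the sample log. In production the same logic runs over a sliding window of live events, and a hit from the third pattern (a success immediately after a burst of failures) should be treated as a probable account compromise and trigger a session kill and password reset, not just an alert about attempts.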
How much damage can a data breach do?
A data breach can be highly damaging to a business. Financial losses are a major concern, as are the reputational damage and loss of trust among clients, customers, and employees whose data was in your care when it was stolen. A prominent example is Equifax, whose 2017 breach affected roughly 147 million people, most of them in the United States.
Another major consideration is the consequence of not adhering to privacy regulations such as GDPR, which can result in large fines. The maximum fine for infringements of the EU GDPR is €20 million (about $19.7 million) or 4% of annual global turnover, whichever is greater.
How to prevent a data breach
When seeking to prevent a data breach, keep in mind that your protection is only as strong as your weakest link. This means that protecting data is the responsibility of every single person at every level of the organization – not just IT staff.
Establishing best practices will ensure that processes are clearly defined and that each person’s role and responsibilities are established in the same manner as they would be for other emergencies, such as a fire. This will help to reduce preventable risks and provide clear guidance should a breach occur, so that the downtime is minimal.
The following measures should all be considered essential elements of data security best practice:
Staff training
To reduce accidental breaches and help staff identify threats quickly, training should be conducted regularly and refreshed to cover new security measures and emerging threats, such as the phishing lures currently in circulation.
Applying patches and updates
Surveys of breached organizations have put the share of breaches attributable to poor patch management at around 57%, which means that a majority of data breaches could be prevented by effective patching processes and management.
Attackers anticipate that many organizations will be slow to apply patches because of the number of devices that need updating, and they take advantage of this. Applying patches and updates as soon as they become available is therefore critical for minimizing exposure, with internet-facing systems and vulnerabilities known to be exploited in the wild patched first.
To make sure that all devices are updated promptly and correctly, patch management software should be used to automate deployment and, just as importantly, to report on what is still unpatched, so that gaps are visible rather than assumed closed.
Security software and encryption
Threats evolve continually as the tools used by cybercriminals become more sophisticated. Vulnerability scanners, firewalls, VPNs, and anti-malware tools should all be in place as fundamental parts of an endpoint security framework, blocking malicious traffic and code before they reach users and data.
From secure browsers to VPNs, encryption is a key feature of data security, both online and off. By scrambling information under a secret key, it ensures that an attacker who obtains the data sees only meaningless bytes until it is decrypted by someone holding the key.
Make sure that data is encrypted in transit (TLS on all communications, end-to-end where the application supports it) and at rest (full-disk encryption on laptops, encrypted storage for databases and backups), using current, well-reviewed algorithms such as AES-256 in an authenticated mode. Encryption is only as strong as the protection of its keys, so keys must never be stored alongside the data they protect.
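As an added worked example of the encryption just described (not code from the original page, and dependent on the third-party `cryptography` package), the following encrypts a constructed customer record with AES-256-GCM, an authenticated mode, and shows that the stored blob reveals nothing about the plaintext and that decryption fails cleanly under tampering, a wrong key, or a mismatched record identifier. The key generation, nonce handling, record identifier and sample record are all assumptions made for the demonstration.

```python
"""Authenticated encryption of data at rest with AES-256-GCM.

Added example for this module, not code from the original page. Requires the
third-party `cryptography` package (pip install cryptography). The key is
generated on the fly and the record is constructed; neither is real data.
"""
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12   # 96-bit nonce, the recommended size for GCM
TAG_LEN = 16     # GCM appends a 128-bit authentication tag to the ciphertext

SAMPLE_RECORD = b"dob=1984-07-19;card=4111111111111111"   # constructed sample data


def generate_key() -> bytes:
    """A fresh 256-bit key. In production this comes from a key store or KMS,
    is never hard-coded, and is never stored next to the ciphertext."""
    return AESGCM.generate_key(bit_length=256)


def encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag.

    A random nonce is drawn per message: reusing a nonce under the same key
    destroys both confidentiality and authenticity in GCM. `aad` (associated
    data) is authenticated but not encrypted; binding a record identifier this
    way stops an attacker silently swapping blobs between records.
    """
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> Optional[bytes]:
    """Return the plaintext, or None if the blob is malformed, was encrypted
    under a different key or AAD, or has been modified in any way."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, ct, aad)
    except InvalidTag:
        return None


def flip_bit(blob: bytes, index: int) -> bytes:
    """Simulate an attacker (or a disk fault) altering one bit of stored data."""
    out = bytearray(blob)
    out[index] ^= 0x01
    return bytes(out)


def demo() -> dict:
    """Round trip a record, then show what each failure mode returns."""
    key = generate_key()
    record_id = b"customer:1042"          # constructed identifier used as AAD
    blob = encrypt(key, SAMPLE_RECORD, aad=record_id)
    return {
        "roundtrip": decrypt(key, blob, aad=record_id),
        "tampered": decrypt(key, flip_bit(blob, NONCE_LEN + 3), aad=record_id),
        "wrong_key": decrypt(generate_key(), blob, aad=record_id),
        "wrong_record": decrypt(key, blob, aad=b"customer:9999"),
        "plaintext_visible_in_blob": SAMPLE_RECORD in blob,
        "fresh_nonce_each_time": encrypt(key, SAMPLE_RECORD) != encrypt(key, SAMPLE_RECORD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The design point is that GCM’s tag turns silent corruption into a hard failure: a modified ciphertext, a wrong key or a blob moved to another record all decrypt to nothing rather than to garbage that downstream code might act on. An unauthenticated mode such as CBC without a MAC would not give you that.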
Multi-factor authentication
In the past, when only a password was required, obtaining that password was enough to gain access to an account. That has changed with the introduction of two-factor authentication (2FA) and multi-factor authentication (MFA).
In addition to a username and password, further evidence is requested to verify the identity of the user, such as:
- Single-use codes sent to a personal device
- Biometrics such as fingerprints or face scans
- A physical key
With MFA, the user proves their identity with a combination drawn from three categories: something you know (a password), something you are (biometrics), and something you have (an ID card, hardware security key, or mobile device). A thief may obtain one of these, but cannot access the account without at least two. Not all second factors are equal: codes sent by SMS can be intercepted or obtained by SIM-swapping, whereas authenticator apps and physical security keys are considerably harder to defeat.
MFA is increasingly common on many online accounts and should be activated on any business software that offers it.
Remote working and BYOD
The world has become increasingly mobile, especially since the pandemic and the rise of hybrid working. However, remote working brings increased security risk. Employees may access business documents on personal devices or become more casual about security best practices when away from the office.
To ensure that standards are maintained, a Bring Your Own Device (BYOD) policy should be agreed and enforced (for example, requiring device encryption, screen locks, and current patches) before staff members are allowed to access the company network and databases remotely.
Disaster recovery plan
A disaster recovery plan (DRP) is a living policy that defines how the organization will respond to breaches and attacks that disrupt service delivery. An effective DRP should include three elements:
- Emergency response procedures – A detailed response strategy to reduce the impact of an attack.
- Backup operations – An ongoing process of taking and regularly test-restoring backups, with copies kept offline or otherwise isolated so that ransomware cannot reach them, to ensure that recovery time following an incident is minimal.
- Recovery actions procedures – An agreed approach to get all data and systems restored as soon as possible.