A data breach is a cyber attack in which sensitive, confidential or otherwise protected data has been accessed or disclosed in an unauthorized fashion. Data breaches can occur in any size organization, from small businesses to major corporations. They may involve personal health information (PHI), personally identifiable information (PII), trade secrets or other confidential information.
Common data breach exposures include personal information, such as credit card numbers, Social Security numbers, driver's license numbers and healthcare histories, as well as corporate information, such as customer lists and source code.
If anyone who isn't authorized to do so views personal data, or steals it entirely, the organization charged with protecting that information is said to have suffered a data breach.
If a data breach results in identity theft or a violation of government or industry compliance mandates, the offending organization can face fines, litigation, reputation loss and even loss of the right to operate the business.
While the types of data breaches are quite varied, they can almost always be attributed to a vulnerability or gap in a security posture that cybercriminals use to gain access to the organization's systems or protocols. When this happens, the financial risk of data loss can be devastating. According to the 2021 Federal Bureau of Investigation "Internet Crime Report," organizations lost $6.9 billion in 2021 due to cybercrime across the globe. Much of this loss is due to data breaches.
Looking at the current cyber landscape, potential causes for a data breach can include the following:
A number of industry guidelines and government compliance regulations mandate strict controls of sensitive information and personal data to avoid data breaches.
For financial institutions and any business that handles financial information, the Payment Card Industry Data Security Standard, or PCI DSS, dictates who may handle and use personal details or PII. Examples of PII include financial information, such as bank account numbers and credit card numbers, and contact information, such as names, addresses and phone numbers.
Within the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) regulates who may see and use PHI, such as a patient's name, date of birth, Social Security number and healthcare treatments. HIPAA also regulates penalties for unauthorized access.
There are no specific regulations governing the protection of intellectual property. However, the consequences of that type of data being breached can lead to significant legal disputes and regulatory compliance issues.
To date, all 50 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have data breach notification laws that require both private and public entities to notify individuals, whether customers, consumers or users, of breaches involving PII. The deadline to notify individuals affected by breaches can vary from state to state.
On March 15, 2022, President Joe Biden signed into law data breach reporting legislation. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires organizations in certain critical infrastructure sectors to report cybersecurity incidents to the Department of Homeland Security within 72 hours of the cyber incident.
The European Union's (EU) General Data Protection Regulation (GDPR), which went into effect in June 2018, also requires organizations to notify the authorities of a breach within 72 hours. GDPR not only applies to organizations located within the EU, but also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
In May 2019, the Data Breach Prevention and Compensation Act was passed in the U.S. It created an Office of Cybersecurity at the Federal Trade Commission for supervision of data security at consumer reporting agencies. It also established standards for effective cybersecurity at consumer reporting agencies, like Equifax, and imposed penalties on credit monitoring and credit reporting agencies for breaches that put customer data at risk.
There's no one security tool or control that can prevent data breaches entirely. The most reasonable means for preventing data breaches involve commonsense security practices. These include well-known security basics, such as the following:
While these steps help prevent intrusions into an environment, information security experts also encourage encrypting sensitive data, whether on premises or in the cloud, along with ensuring data is encrypted at rest, in use and in motion. In the event of a successful intrusion into the environment, encryption prevents threat actors from accessing the actual data.
Additional measures for preventing breaches and minimizing their impact include well-written security policies for employees and ongoing security awareness training to promote those policies and educate staff. Such policies may include concepts such as the principle of least privilege, which gives employees the bare minimum of permissions and administrative rights to perform their duties.
In addition, organizations should have an incident response plan that can be implemented in the event of an intrusion or breach. This plan typically includes a formal process for identifying, containing and quantifying a security incident.
When a data breach is first identified, time is of the essence so that data can potentially be restored and further breaches limited. The following steps can be used as a guide when responding to a breach:
Most confirmed data breaches occur in the finance industry, followed by information services, manufacturing and education, according to the Verizon 2022 "Data Breach Investigations Report." There have been many major data breaches at both large enterprises and government agencies in recent years.
In May 2021, Colonial Pipeline, a major oil pipeline operator in the U.S., succumbed to a ransomware attack that affected the automated operational technologies used to manage oil flow. The incident affected more than a dozen states on the East Coast and took several months to fully restore, even though the company paid the ransom to recover critical data and software that had been stolen and rendered unusable.
In March 2021, Microsoft announced it fell victim to a massive cyber attack that affected 60,000 companies worldwide. In this case, hackers took advantage of several zero-day vulnerabilities within Microsoft Exchange. Those who were using the compromised email servers had their emails exposed, and malware and backdoors were installed by hackers so they could further penetrate unknowing businesses and governments.
In 2020, SolarWinds was the target of a cybersecurity attack in which hackers used a supply chain attack to deploy malicious code into its widely adopted Orion IT monitoring and management software. The breach left the networks, systems and data of many SolarWinds government and enterprise customers compromised.
Information security company FireEye discovered and publicized the attack. While questions remain, U.S. cybersecurity officials claim that Russian intelligence services spearheaded the attack. The extent of the data exposed and the purpose of the breach are still unknown, but the focus on government agencies points to cyberespionage as the likely purpose.
In late 2014, Sony Pictures Entertainment's corporate network was shut down when threat actors executed malware that disabled workstations and servers. A hacker group known as Guardians of Peace claimed responsibility for the data breach; the group leaked unreleased films that had been stolen from Sony's network, as well as confidential emails from company executives.
Guardians of Peace was believed to have ties to North Korea, and cybersecurity experts and the U.S. government later attributed the data breach to the North Korean government.
During the breach, the hacker group issued threats related to Sony's 2014 comedy, The Interview, prompting the company to cancel its release in movie theaters. The film featured the assassination of a fictional version of North Korean leader Kim Jong-un.
In 2013, retailer Target Corp. disclosed it had suffered a major data breach that exposed customer names and credit card information. The Target data breach affected 110 million customers and led to several lawsuits from customers, state governments and credit card companies. All told, the company paid tens of millions of dollars in legal settlements.
Yahoo suffered a massive data breach in 2013, though the company didn't discover the incident until 2016 when it began investigating a separate security incident.
Initially, Yahoo announced that more than 1 billion email accounts were affected in the breach. Exposed user data included names, contact information and dates of birth, as well as hashed passwords and some encrypted or unencrypted security questions and answers. Following a full investigation into the 2013 data breach, Yahoo disclosed that the incident affected all of the company's 3 billion email accounts.
Yahoo also discovered a second major breach that occurred in 2014 affecting 500 million email accounts. The company found that threat actors had gained access to its corporate network and minted authentication cookies that enabled them to access email accounts without passwords.
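A session cookie is only as trustworthy as the secret that signs it: once the signing key is in the wrong hands, freshly minted cookies are indistinguishable from real ones, which is why the 2014 intrusion did not need any passwords. The defensive consequences are that cookies should carry a key identifier and an issue time, that verification should accept only the current key, and that rotating the key must invalidate everything signed under the old one. The example below is added for this article and is not Yahoo's code or anything from the original page; the cookie layout (`base64(payload).base64(tag)`), the key-id scheme and the 600-second lifetime in the demo are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionSigner:
    """Mints and checks HMAC-SHA256 signed session cookies (assumed layout).

    Only cookies signed with the current key verify. rotate() retires the
    old key, which invalidates every cookie minted under it, whether the
    server issued it or someone holding the leaked secret did.
    """

    def __init__(self, key: bytes, max_age_seconds: int = 3600):
        self._keys = {"k1": key}      # key id -> secret; retired keys are dropped
        self._current = "k1"
        self._generation = 1
        self.max_age = max_age_seconds

    def rotate(self, new_key: Optional[bytes] = None) -> str:
        """Install a fresh key and drop the old one; return the new key id."""
        self._generation += 1
        kid = f"k{self._generation}"
        self._keys = {kid: new_key or os.urandom(32)}
        self._current = kid
        return kid

    def issue(self, user: str, now: Optional[float] = None) -> str:
        issued_at = int(now if now is not None else time.time())
        claims = {"sub": user, "iat": issued_at, "kid": self._current}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
        tag = hmac.new(self._keys[self._current], payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(tag)

    def verify(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user the cookie names, or None if it must not be trusted."""
        try:
            payload_b64, tag_b64 = cookie.split(".")
            payload, tag = _unb64(payload_b64), _unb64(tag_b64)
            claims = json.loads(payload)
        except ValueError:            # malformed base64 or JSON
            return None
        if not isinstance(claims, dict):
            return None
        key = self._keys.get(claims.get("kid"))
        if key is None:               # signed under a retired or unknown key
            return None
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # wrong key, or payload altered
            return None
        issued_at = claims.get("iat")
        current = now if now is not None else time.time()
        if not isinstance(issued_at, int) or current - issued_at > self.max_age:
            return None               # lifetime exceeded
        return claims.get("sub")


def demo() -> dict:
    """Constructed scenario: a valid cookie, an altered copy, an aged copy, and the
    original again after the signing key has been rotated."""
    signer = SessionSigner(key=b"constructed-demo-secret-do-not-reuse", max_age_seconds=600)
    cookie = signer.issue("alice", now=1_000_000)
    before = signer.verify(cookie, now=1_000_100)
    # Integrity check: change the subject in the payload without re-signing it.
    payload, tag = cookie.split(".")
    altered = _b64(_unb64(payload).replace(b'"alice"', b'"admin"')) + "." + tag
    altered_result = signer.verify(altered, now=1_000_100)
    expired = signer.verify(cookie, now=1_000_000 + 601)
    signer.rotate()                   # the response to a suspected key compromise
    after = signer.verify(cookie, now=1_000_100)
    return {"before_rotation": before, "altered": altered_result,
            "expired": expired, "after_rotation": after}


if __name__ == "__main__":
    print(demo())
```

Rotation here is deliberately abrupt: a real deployment would usually keep the previous key valid for a short overlap window so that live sessions are not all cut off at once, and the page's account of the Yahoo case is the reason to keep that window short and to store the key somewhere a compromise of the web tier does not reach.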
Following a criminal investigation into the 2014 breach, the U.S. Department of Justice indicted four men, including two Russian Federal Security Service agents, in connection with the hack.
Technology innovation has yet to thwart sophisticated criminals who continue to use new technologies to steal valuable information that can be bought and sold on the dark web. To combat this, organizations must implement strong security controls and automated monitoring software that can continuously scan and identify potential threats.
27 Jul 2022