BACKGROUND IMAGE: stock.adobe.com
A data breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
Common data breach exposures include personal information, such as credit card numbers, Social Security numbers and healthcare histories, as well as corporate information, such as customer lists, manufacturing processes and software source code. If anyone who is not specifically authorized to do so views such data, the organization charged with protecting that information is said to have suffered a data breach. If a data breach results in identity theft and/or a violation of government or industry compliance mandates, the offending organization may face fines or other civil litigation.
Data breach causes
A familiar example of a data breach is an attacker hacking into a corporate website and stealing sensitive data out of a database. However, not all breaches are so dramatic. If an unauthorized hospital employee views a patient's health information on a computer screen over the shoulder of an authorized employee, that also constitutes a data breach. Data breaches can be brought about by weak passwords, missing software patches that are exploited or lost or stolen laptop computers and mobile devices. Users connecting to rogue wireless networks that capture login credentials or other sensitive information in transit can also lead to unauthorized exposures. Social engineering -- especially attacks carried out via email phishing -- can lead to users providing their login credentials directly to attackers or through subsequent malware infections. Criminals can then use the credentials they obtained to gain entry to sensitive systems and records -- access which often goes undetected for months, if not indefinitely. Threat actors can also target third-party business partners in order to gain access to large organizations; such incidents typically involve hackers compromising less secure businesses to obtain access to the primary target.
While hackers and cybercriminals often cause data breaches, there are also incidents where enterprises or government agencies inadvertently expose sensitive or confidential data on the internet. These incidents are typically known as accidental data breaches, and they usually involve organizations misconfiguring cloud services or failing to implement the proper access controls, such as password requirements for public-facing web services or applications.
Data breach notifications and regulations
A number of industry guidelines and government compliance regulations mandate strict control of sensitive, often personal, data to avoid data breaches. Within a corporate environment, for example, the Payment Card Industry Data Security Standard (PCI DSS) dictates who may handle and use sensitive PII, such as credit card numbers, in conjunction with names and addresses. Within a healthcare environment, the Health Insurance Portability and Accountability Act (HIPAA) regulates who may see and use PHI, such as a patient's name, date of birth, Social Security number and healthcare treatments. There are also specific requirements for the reporting of data breaches via HIPAA -- and its Health Information Technology for Economic and Clinical Health (HITECH) Act and Omnibus Rule -- as well as the various state breach notification laws. There are no specific regulations governing the protection of intellectual property. However, the consequences of that type of data being breached can lead to significant legal disputes and regulatory compliance issues, not to mention the internal and market losses if the breach is made public.
Many states have data breach notification laws that require both private and public entities to notify individuals, whether customers, consumers or users, of breaches involving PII. The deadline to notify individuals affected by breaches can vary from state to state.
Washington State recently expanded the coverage of “personal information,” to include more type of data that is exfiltrated, that is, taken without authorization during a data breach. Those changes are contained in Washington State’s HB1071. The bill was signed by the governor in May 2019 and goes into effect March 2020.
Several bills have been introduced in Congress over the years that would create a federal data breach notification law. By mid-2019, the bills remain in flux.
For example, a revised version of the Data Security and Breach Notification Act was introduced in 2017, which would give organizations 30 days following the identification of a breach to notify users or customers, stalled in committee hearings.
In May 2019, Rep. Cummings, Elijah E. introduced H.R.2545, also known as the Data Breach Prevention and Compensation Act of 2019. It would create an Office of Cybersecurity at the Federal Trade Commission for supervision of data security at consumer reporting agencies, establish standards for effective cybersecurity at consumer reporting agencies, and impose penalties on credit reporting agencies for cybersecurity breaches that put sensitive consumer data at risk. A similar bill, S.1336, was introduced to the Senate in May by Sen. Elizabeth Warren.
Other regions have stricter deadlines; the European Union's General Data Protection Regulation (GDPR) requires organizations to notify the authorities of a breach within 72 hours. The GDPR was approved and adopted by the EU Parliament in April 2016 and came into force on May 25, 2018. The GDPR not only applies to organizations located within the EU but also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
How to prevent data breaches
There is no one security product or control that can prevent data breaches. The most reasonable means for preventing data breaches involve commonsense security practices. This includes well-known security basics, such as conducting ongoing vulnerability and penetration testing, applying proven malware protection, using strong passwords/passphrases and consistently applying the necessary software patches on all systems. While these steps will help prevent intrusions into an environment, information security (infosec) experts also encourage encrypting sensitive data, whether it is stored inside an on-premises network or third-party cloud service. In the event of a successful intrusion into the environment, encryption will prevent threat actors from accessing the actual data.
Additional measures for preventing breaches, as well as minimizing their impact, include well-written security policies for employees and ongoing security awareness training to promote those policies and educate employees. Such policies may include concepts such as the principle of least privilege (POLP), which gives employees the bare minimum of permissions and administrative rights to perform their duties. In addition, organizations should have an incident response plan (IRP) that can be implemented in the event of an intrusion or breach; an IRP typically includes a formal process for identifying, containing and quantifying a security incident.
Notable data breaches
Most data breaches occur in the banking industry, followed by the healthcare sector and the public sector, according to a 2019 Verizon Data Breach Investigations Report (DBIR). The study included incidents reported from Nov. 1, 2017 to Oct. 31, 2018, and was based on data from 41,686 security incidents and 2,013 data breaches provided by 73 data sources, both public and private entities, spanning 86 countries.
In the financial services industry, 927 incidents were reported with 207 cased of confirmed data disclosure. In heathcare, where most of the breaches were attributed to internal actors, 466 incidents were reported with 304 confirmed cases of data disclosure. And in the public sector, where 79 percent of breaches were blamed on state-affiliated actors (i.e., government spies), there were 23,399 incidents and 330 with confirmed data disclosure.
There have been several major data breaches of both large enterprises and government agencies in recent years. In 2013, retail giant Target Corporation disclosed it had suffered a major data breach that exposed customer names and credit card information. The company initially announced that 40 million customers were affected by the breach but later raised that number to 110 million. An internal investigation into the matter revealed the initial intrusion point was a third-party business partner that had been breached; the threat actors then used the business partner's credentials to access Target's network and then spread point-of-sale (POS) malware to the company's POS systems. The Target data breach led to several lawsuits from customers, state governments and credit card companies, which resulted in the company paying tens of millions of dollars in legal settlements. In addition, the company's CEO and CIO both resigned in the wake of the breach.
In late 2014, Sony Pictures Entertainment's corporate network was shut down when threat actors that had previously breached the company executed malware that disabled workstations and servers. A hacker group known as Guardians of Peace claimed responsibility for the data breach; the group leaked unreleased films that had been stolen from Sony's network, as well as confidential emails from company executives. The company later pulled from movie theaters the 2014 comedy The Interview, which featured the assassination of a fictional version of North Korean leader Kim Jong-un, prior to its premiere after the hackers issued vague threats. Cybersecurity experts and the U.S. government later attributed the data breach to the North Korean government.
Yahoo suffered a massive data breach in 2013, though the company didn't discover the incident until 2016 when it began investigating another, separate security incident. Initially, Yahoo announced that more than 1 billion email accounts were affected in the breach; exposed user data included names, email addresses, telephone numbers and dates of birth, as well as hashed passwords (using the MD5 algorithm) and some encrypted or unencrypted security questions and answers. Following a full investigation into the 2013 data breach, Yahoo disclosed that the incident affected all of the company's 3 billion email accounts. Yahoo also discovered a second major breach that occurred in 2014 that affected 500 million email accounts; the company found that threat actors had gained access to its corporate network and minted authentication cookies that allowed them to access email accounts without passwords. Following a criminal investigation into the 2014 breach, the U.S. Department of Justice indicted four men, including two Russian Federal Security Service agents, in connection with the hack.
The U.S. Office of Personnel Management (OPM) announced in 2015 that it had been breached by threat actors, giving up the personal information and government records of more than 21 million current and former federal employees. The exposed data included personal information, such as Social Security numbers and dates of birth, while the government records included SF-86 forms for security clearance, as well as some fingerprint scans. The authorities reported the hackers obtained credentials from a federal contractor and then used those credentials to access the OPM's network. The data breach led to the resignations of both the agency's director and its CIO. Later that year, the Chinese government announced it had arrested and charged several Chinese nationals for the breach. In 2017, the FBI arrested another Chinese national who authorities claimed was responsible for the malware used in the OPM data breach.