What is a Data Breach and How Do You Handle One?

A data breach is a type of security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, sensitive information.

These incidents occur when personal information is mishandled, whether through malicious intent, carelessness, or theft. Once that happens, individuals whose information has been compromised might be at risk of identity theft, fraud, or other malicious activity.

Meanwhile, organizations risk financial losses and reputational damage – and in some cases they could face legal action.

What are the common causes of data breaches?

Data breaches can occur in any number of ways, but here are some of the most common:

Weak or stolen credentials

Stolen passwords are one of the simplest and most common causes of data breaches. This is because many people rely on predictable phrases like ‘Password1’ and ‘123456’. They also often use the names of children or pets, as well as favourite sports teams.

Using common passwords such as these means that cyber criminals don’t need to break a sweat to gain access to sensitive information. They can simply guess a handful of the most frequently used passwords until they gain access to the account.

Even moderately secure passwords can be cracked with the help of computer programs that run through millions of the most popular credentials, so it’s essential that you create strong, unique passwords for every account you use.
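The guessing described above works because the wordlists attackers use already contain ‘Password1’, ‘P@ssw0rd!’ and every pet or team name with a year bolted on. An added example (not part of the original article) of a defensive check that normalizes a candidate password before comparing it against a denylist and the user’s own personal terms, so those trivial variations do not slip past the policy; the COMMON_PASSWORDS set is a constructed placeholder for a real breached-password corpus.

```python
import re

# Constructed sample denylist. In production this would be a large list
# of known-breached passwords, not these few placeholder entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "football"}

# Character substitutions that cracking wordlists already account for.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it is built from."""
    base = password.lower()
    # Strip the trailing digits/punctuation users append ("Password1", "Liverpool2023!").
    base = re.sub(r"[\d\W_]+$", "", base)
    # Undo leetspeak substitutions ("P@ssw0rd" -> "password").
    return base.translate(LEET_MAP)


def check_password(password: str, personal_terms=()) -> list[str]:
    """Return the reasons a password fails the policy; an empty list means it passed.

    personal_terms is a caller-supplied list of names an attacker could easily
    learn (children, pets, favourite team), as the article warns about.
    """
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    base = normalize(password)
    if base in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        reasons.append("based on a commonly used password")
    for term in personal_terms:
        if term and term.lower() in base:
            reasons.append(f"contains personal term '{term}'")
    if re.fullmatch(r"\d+", password):
        reasons.append("digits only")
    return reasons


if __name__ == "__main__":
    for candidate in ("Password1", "123456", "Liverpool2023!", "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate, ["Liverpool"]) or "ok")
```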

Phishing

Phishing is a type of social engineering attack in which fraudsters send emails that look like they are from a legitimate company or website.

The message will contain a malicious attachment or a link that takes the user to a fake website that looks like the real thing.

The user is then asked to enter personal information, such as their credit card number. This information is then used to steal the person’s identity or to make fraudulent charges on their credit card.

DDoS attacks

Unlike the other examples we’ve listed here, the primary purpose of DDoS (distributed denial-of-service) attacks isn’t to gain unauthorized access to sensitive information. They are instead conducted to flood an organization’s servers with traffic until its website is knocked offline.

DDoS attacks are usually conducted for a political or personal motive, with the instigator often holding a grudge against the target. That said, in some cases, the attacks are used to distract the victim as the attacker launches a more sophisticated cyber attack to steal information.

Malware

Malware is a perfect example of just how simple cyber crime can be. Crooks purchase a piece of malicious software, find a system that contains a known vulnerability, plant the malware and scoop up the rewards.

What those rewards are depends on the type of malware. It could be anything from a keylogger, which tracks what a user types into a machine, to ransomware, which locks a system and demands payment for the user to regain access. 

Malicious insiders

Many of your employees will have access to sensitive information, and there’s always a chance that someone will try to misuse it. That sounds cynical, but unfortunately the lure of financial gain from selling data on the dark web is too great for many. 

Employees are also more likely to misuse sensitive information if they are disgruntled at work, or if they have left the organization on poor terms and still have access to its systems.

Human error

Employees don’t have to act maliciously to commit a data breach. They might simply make a mistake, such as including the wrong person in the Cc field of an email, attaching the wrong document or losing a laptop.

Application vulnerabilities

All software has technical vulnerabilities that crooks can exploit. That is why the organizations that maintain those programs routinely look for weaknesses and release patches to close the flaws.

Whenever those patches are released, organizations must apply them to ensure that the problem is fixed on their end.

They must do this as soon as possible, because with the vulnerability now made public, cyber criminals will be actively looking for organizations that have failed to secure their systems.

Physical security breaches

It’s not just networks, systems and electronic data that must be protected. Organizations also need to consider information in physical form – whether that’s paper records or the physical devices on which data is stored, such as laptops, USB drives or other infrastructure.

Physical security breaches often occur when organizations fail to dispose of these assets properly. Sensitive paper files must always be shredded, while devices should be wiped before being thrown out.

Meanwhile, there is also the risk of information in transit falling into the wrong hands. This can occur, for example, when employees use company laptops in public places or they take physical records outside the premises.

Data breach notification laws

Cybersecurity laws in the U.S. are more complex than in many other places. Unlike the E.U., for example, with its GDPR (General Data Protection Regulation), there is no single set of requirements that applies to all organizations across all sectors.

There is instead a patchwork of state-level and industry-specific laws. It includes:

  • Sarbanes–Oxley Act, which regulates the accuracy and reliability of financial disclosures for all U.S. public company boards, management, and public accounting firms.
  • Gramm-Leach-Bliley Act, which applies to banks, insurance companies, securities firms, non-bank mortgage lenders, auto dealers, and tax preparers.
  • Federal Trade Commission Act §5, which applies to almost every organization in the US, except for banks and common carriers.
  • Health Insurance Portability and Accountability Act, which applies to health care providers, health plans, health care clearinghouses, and, in some instances, business associates of these businesses called covered entities.
  • Defense Federal Acquisition Regulation, which applies to U.S. Department of Defense contractors.
  • Children’s Online Privacy Protection Act, which applies to websites and online services that are directed at children under the age of 13. It also applies if the site operator has actual knowledge that children under the age of 13 are using a website.
  • Regulations for the Use of Electronic Records in Clinical Investigations, which applies to organizations involved in clinical investigations of medical products, including sponsors, clinical investigators, institutional review boards, and contract research organizations.
  • Commodity Futures Trading Commission Derivatives Clearing Organizations Regulation, which applies to derivatives clearing organizations. These entities act as a medium for clearing transactions in commodities for future delivery or commodity option transactions.
  • Electronic Communications Privacy Act and Stored Communications Act, which forbid the intentional use, disclosure, or access to any wire, oral, or electronic communication without authorization.
  • Privacy Act of 1974, which governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals maintained in systems of records by federal agencies.

How to recover from a data breach

There is no one-size-fits-all approach to data breach response – not least because, as we have demonstrated, incidents can occur in all manner of ways. However, there is a general framework that organizations can follow when they have discovered a security incident.

1. Identify the extent of the incident

The first thing you need to do is determine the scale of the breach.

That means finding out the types of data involved (names, email addresses, financial records, etc.) and the number of records that have been compromised.

Depending on how the incident happened and how you became aware of it, this process can be relatively straightforward.

For example, a third party might contact you to say that they’ve found a database of your customers’ information on the dark web. In that case, you have all the information you need immediately.

Alternatively, you might find out that a fraudster has sent phishing emails to your staff. You should therefore ask your employees to let you know if they’ve fallen for this scam.

It will then be a case of determining what information the criminal had access to once they’d lured the employee.

2. Immediate response

You must find out how your data was exposed and isolate the affected areas as soon as possible.

For example, if a malicious insider was leaking information, you should cut off their access to the organization both physically and via your network.

If an application vulnerability is being exploited, you should take it offline immediately.

3. Determine your legal responsibilities

With the breach under control, you can take a moment to assess the damage and work out whether you are required to notify authorities or affected individuals.

Depending on the laws within your state and industry, you might also be required to take further action. It’s essential that you review your obligations as soon as possible, as there might be strict deadlines that you must meet or information that should be gathered immediately following the disclosure.

4. Incident notification

If you are legally required to notify authorities and affected individuals, you must do so without delay. Ideally, you will already have a process to ensure that the relevant information is provided promptly and comprehensively.

Even if you aren’t obligated to disclose the data breach, you should at least issue a public statement to inform customers and other stakeholders of the incident.

Although such a disclosure risks reputational damage, a well-planned notification could maintain – or even improve – your reputation. For example, you can use the opportunity to get ahead of any criticism by explaining the steps you took to mitigate the damage.

With the growing frequency of data breaches, the public has come to understand that not all security incidents are the result of poor organizational practices. It is simply an inevitability given the scale of the cybersecurity threat.

You can assure them that you take cybersecurity seriously by being transparent in your response and offering support with things such as a dedicated webpage or helpline.

5. Business continuity planning

By now, you should have addressed the immediate cause of the security incident, but there is likely to be ongoing disruption.

This could be because systems are offline or otherwise unavailable, or because employees are pulled away from their day-to-day activities in order to oversee response efforts.

To manage these problems, organizations should have a business continuity plan. This outlines the steps that should be taken to ensure that an acceptable level of service continues throughout a disruptive incident.

Looking for more tips?

You can find more tips on how to bolster your data protection practices with our free guide: Cybersecurity 101 – A guide for SMBs.

Small organizations often struggle to know where to begin when developing security defenses due to a lack of expertise and resources.

This free green paper explains that it doesn’t take a team of dedicated professionals and a huge budget to implement effective measures.

You’ll discover key considerations for developing your cybersecurity strategy, including effective and affordable defences you can implement immediately to improve your security posture.