A data breach is a security incident in which sensitive, confidential or otherwise protected data is accessed, copied or disclosed in an unauthorized fashion. Many breaches are the result of a cyber attack, but a breach can also stem from a misconfigured system, a lost device or an employee's mistake.
Data breaches can occur in organizations of any size, from small businesses to major corporations. They may involve personal health information (PHI), personally identifiable information (PII), trade secrets or other confidential information.
Common data breach exposures include personal information, such as credit card numbers, Social Security numbers, driver's license numbers and healthcare histories, as well as corporate information, customer lists and source code.
If anyone who is not authorized to do so views or copies personal data, the organization responsible for protecting that information is said to have suffered a data breach.
If a data breach results in identity theft or a violation of government or industry compliance mandates, the breached organization can face fines, litigation, reputation loss and even loss of the right to operate the business.
Potential causes for a data breach
While the types of data breaches are quite varied, they can almost always be traced to a weakness, such as an unpatched software vulnerability, a misconfiguration, a weak or stolen credential or human error, that an attacker uses to gain access to the organization's systems and data. Potential causes for a data breach include:
Data breach regulations
A number of industry guidelines and government compliance regulations mandate strict controls of sensitive information and personal data to avoid data breaches.
For any organization that stores, processes or transmits payment card data, the Payment Card Industry Data Security Standard (PCI DSS), an industry standard rather than a government regulation, dictates how cardholder data must be protected and who may handle it. Examples of PII include financial information like bank account numbers and credit card numbers, and contact information like names, addresses and phone numbers.
Within the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) regulates who may see and use PHI such as a patient's name, date of birth, Social Security number and healthcare treatments. HIPAA also regulates penalties for unauthorized access.
There are no breach-specific regulations governing the protection of intellectual property. However, a breach of that type of data can still lead to significant legal disputes and regulatory compliance issues.
Data breach notification laws
To date, all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have data breach notification laws that require both private and public entities to notify individuals, whether customers, consumers or users, of breaches involving PII. The deadline to notify individuals affected by breaches can vary from state to state.
The push for a data breach notification law at the federal government level is ongoing.
In May 2019, the Data Breach Prevention and Compensation Act was introduced in Congress; it has not been enacted. It would create an Office of Cybersecurity at the Federal Trade Commission to supervise data security at consumer reporting agencies.
It would also establish standards for effective cybersecurity at consumer reporting agencies, like Equifax, and impose penalties on credit monitoring and credit reporting agencies for breaches that put consumer data at risk.
While the U.S. lacks a federal data breach notification law, the European Union's General Data Protection Regulation (GDPR), which became enforceable in May 2018, requires organizations to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
GDPR not only applies to organizations located within the EU but also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
How to prevent data breaches
There is no one security tool or control that can prevent data breaches entirely. The most reasonable means for preventing data breaches involves commonsense security practices. These include well-known security basics, such as:
- conducting ongoing vulnerability assessments
- conducting penetration testing
- implementing proven malware protection
- using strong passwords or passphrases
- consistently applying the necessary software patches on all systems
While these steps will help prevent intrusions into an environment, information security experts also encourage encrypting sensitive data, whether on premises or in the cloud. In the event of a successful intrusion, encryption prevents threat actors who copy the stored data from reading it, but only if the encryption keys are managed separately from the data (for example, in a key management service or hardware security module) and are not exposed by the same compromise; an attacker who obtains the keys, or who acts through an application that decrypts data on its behalf, is not stopped by encryption at rest.
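The following Go program, added here as an illustration and not part of the original article, shows the "keys managed separately from the data" point in practice with envelope encryption: each sensitive field is encrypted under its own random data-encryption key (DEK) with AES-256-GCM, and the DEK is in turn wrapped under a key-encryption key (KEK) that would live in a KMS or HSM rather than in the database. The EncryptedRecord layout, the function names and the sample Social Security number are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is what is written to the datastore: the ciphertext of the
// field plus the per-record DEK wrapped under the KEK. The KEK itself is never
// stored beside the data. (Hypothetical layout chosen for this example.)
type EncryptedRecord struct {
	Ciphertext []byte // AES-GCM nonce || ciphertext || tag
	WrappedDEK []byte // AES-GCM nonce || wrapped DEK || tag
}

// seal encrypts plaintext under key with AES-GCM and prefixes a random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM's authentication tag makes tampering detectable.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptField protects one sensitive value with a fresh 256-bit DEK, then
// wraps that DEK under the KEK so only the wrapped form is stored with the data.
func EncryptField(kek, plaintext []byte) (EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedRecord{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptField must first unwrap the DEK with the KEK; without the KEK the
// stored record is unreadable.
func DecryptField(kek []byte, rec EncryptedRecord) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext)
}

func main() {
	kek := make([]byte, 32) // in production this key stays inside a KMS/HSM
	rand.Read(kek)

	// Constructed sample value; not real data.
	rec, _ := EncryptField(kek, []byte("123-45-6789"))
	pt, _ := DecryptField(kek, rec)
	fmt.Printf("recovered with KEK: %s\n", pt)

	// An attacker who dumps only the datastore (ciphertext + wrapped DEK) but
	// never obtains the KEK cannot read the field.
	stolenOnlyDB := make([]byte, 32)
	rand.Read(stolenOnlyDB)
	_, err := DecryptField(stolenOnlyDB, rec)
	fmt.Println("decrypt from stolen database without KEK:", err)
}
```

Rotating the KEK only requires re-wrapping each stored DEK, not re-encrypting every record, which is the main operational reason envelope encryption is preferred over encrypting everything directly under one master key.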
Additional measures for preventing breaches and minimizing their impact include well-written security policies for employees and ongoing security awareness training to promote those policies and educate staff.
Such policies may include concepts such as the principle of least privilege (POLP), which grants employees, service accounts and systems only the minimum permissions and administrative rights needed to perform their duties, so that a single compromised account exposes as little data as possible.
In addition, organizations should have an incident response plan that can be put into action in the event of an intrusion or breach. This plan typically includes a formal process for identifying, containing, eradicating and recovering from a security incident, and for determining what data was affected so that notification obligations can be met.
Notable data breaches
Most confirmed data breaches occur in the finance industry, followed by information services and the public sector, according to the 2020 Verizon Data Breach Investigations Report. There have been many major data breaches at both large enterprises and government agencies in recent years.
In September 2017, Equifax, one of the largest consumer credit reporting agencies in the U.S., reported a data breach that exposed the personal information of about 147 million people. Compromised information included Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers. Additionally, the credit card numbers of approximately 209,000 consumers were stolen.
In 2013, retailer Target Corporation disclosed it had suffered a major data breach that exposed customer names, contact details and payment card data. The Target data breach affected up to 110 million customers and led to several lawsuits from customers, state governments and credit card companies. All told, the company paid tens of millions of dollars in legal settlements.
In late 2014, Sony Pictures Entertainment's corporate network was shut down when threat actors executed malware that disabled workstations and servers. A hacker group known as Guardians of Peace claimed responsibility for the data breach; the group leaked unreleased films that had been stolen from Sony's network, as well as confidential emails from company executives.
Guardians of Peace was believed to have ties to North Korea, and cybersecurity experts and the U.S. government later attributed the data breach to the North Korean government.
During the breach, the hacker group issued threats related to Sony's 2014 comedy The Interview, prompting the company to cancel its release in movie theaters. The film featured the assassination of a fictional version of North Korean leader Kim Jong-un.
Yahoo suffered a massive data breach in 2013, though the company didn't discover the incident until 2016 when it began investigating a separate security incident.
Initially, Yahoo announced that more than 1 billion email accounts were affected in the breach. Exposed user data included names, contact information and dates of birth, as well as hashed passwords and some encrypted or unencrypted security questions and answers. Following a full investigation into the 2013 data breach, Yahoo disclosed that the incident affected all of the company's 3 billion email accounts.
Yahoo also discovered a second major breach that occurred in 2014 affecting 500 million email accounts. The company found that threat actors had gained access to its corporate network and minted authentication cookies that allowed them to access email accounts without passwords.
Following a criminal investigation into the 2014 breach, the U.S. Department of Justice indicted four men, including two Russian Federal Security Service agents, in connection with the hack.
The U.S. Office of Personnel Management
The U.S. Office of Personnel Management (OPM) announced in 2015 that it had been breached by threat actors, giving up the personal information and government records of more than 21 million current and former federal employees.
The exposed data included personal information, such as Social Security numbers and dates of birth, while the government records included SF-86 forms for security clearance, as well as some fingerprint scans.
The authorities reported the hackers obtained credentials from a federal contractor and then used those credentials to access the OPM's network. The data breach led to the resignations of both the agency's director and its CIO.
Later that year, the Chinese government announced it had arrested and charged several Chinese nationals for the breach. In 2017, the FBI arrested another Chinese national who authorities said was responsible for the malware used in the OPM data breach.
In 2020, SolarWinds was the target of a cybersecurity attack in which hackers used a supply chain attack to insert malicious code into a signed update of its widely adopted Orion IT monitoring and management software. As many as 18,000 SolarWinds government and enterprise customers installed the trojanized update; the attackers then selected a much smaller subset of those networks for follow-on intrusion and data access.
Information security company FireEye discovered and publicized the attack after finding the backdoor on its own network. The investigation is still ongoing, but U.S. cybersecurity officials determined that Russian intelligence services spearheaded the attack. The full extent of the data exposed is still unknown, but the focus on government agencies points to cyberespionage as the likely purpose.
Technology innovation has yet to thwart sophisticated criminals who continue to leverage new technologies to steal valuable information that can be bought and sold on the dark web. To combat this, organizations must implement strong commonsense security controls as well as automated monitoring software that can continuously scan and identify potential threats.