What is a data breach?

What is a data breach?

A data breach is the release of confidential, private, or otherwise sensitive information into an unsecured environment. A data breach can occur accidentally, or as the result of a deliberate attack.

Millions of people are affected by data breaches every year, and they can range in scope from a doctor accidentally looking at the wrong patient’s chart, to a large-scale attempt to access government computers to uncover sensitive information.

Data breaches are a major security concern because sensitive data is constantly being transmitted over the Internet. This continuous transfer of information makes it possible for attackers in any location to attempt data breaches on almost any person or business they choose.

Data is also stored in digital form by businesses all over the world. The servers that store the data are often vulnerable to various forms of cyber attack.

Who is typically targeted for data breaches?

Major corporations are prime targets for attackers attempting to cause data breaches because they offer such a large payload. This payload can include millions of users' personal and financial information, such as login credentials and credit card numbers. This data can all be resold on underground markets.

However, attackers target anyone and everyone they can extract data from. All personal or confidential data is valuable to cyber criminals — usually, someone in the world is willing to pay for it.

What are some of the main ways a data breach can occur?

• Lost or stolen credentials - The simplest way to view private data online is by using someone else’s login credentials to sign into a service. To that end, attackers employ a litany of strategies to get their hands on people’s logins and passwords. These include brute force attacks and on-path attacks.
• Lost or stolen equipment - A lost computer or smartphone that contains confidential information can be very dangerous if it falls into the wrong hands.
• Social engineering attacks - Social engineering involves using psychological manipulation to trick people into handing over sensitive information. For example, an attacker may pose as an IRS agent and call victims on the phone in an attempt to convince them to share their bank account information.
• Insider threats - These involve people who have access to protected information deliberately exposing that data, often for personal gain. Examples include a restaurant server copying customers’ credit card numbers as well as high-level government employees selling secrets to foreign states. (Learn more about insider threats.)
• Vulnerability exploits - Almost every company in the world uses a variety of different software products. Because software is so complex, it often contains flaws known as "vulnerabilities." An attacker can exploit these vulnerabilities in order to gain unauthorized access and view or copy confidential data.
• Malware infections - Many malicious software programs are designed to steal data or track user activities, sending the information they gather to a server that the attacker controls.
• Physical point-of-sale attacks - These attacks target credit and debit card information and most often involve the devices that scan and read these cards. For example someone could set up a fake ATM machine or even install a scanner onto a legitimate ATM machine in hopes of gathering card numbers and PINs.
• Credential stuffing - After someone’s login credentials are exposed in a data breach, an attacker may try re-using those same credentials on dozens of other platforms. If that user logs in with the same username and password on multiple services, the attacker may gain access to the victim’s email, social media, and/or online banking accounts.
• Lack of encryption - If a website that collects personal or financial data does not use SSL/TLS encryption, anyone can monitor transmissions between the user and the website and see that data in plaintext.
• Misconfigured web app or server - If a website, application, or web server is not set up properly, it may leave data exposed to anyone with an Internet connection. Confidential data could be seen by users who accidentally stumble upon it, or by attackers who are purposefully looking for it.

What does a real-world data breach look like?

The Equifax data breach in 2017 is one major example of a large-scale data breach. Equifax is an American credit bureau. Between May and June 2017, malicious parties accessed private records within Equifax's servers of nearly 150 million Americans, about 15 million British citizens, and about 19,000 Canadian citizens. The attack was made possible because Equifax had not applied a patch to a software vulnerability in their system.

Smaller-scale data breaches can have a big effect as well. In 2020, attackers hijacked the Twitter accounts of numerous famous and influential people. The attack was possible because of an initial social engineering attack that enabled the attackers to gain access to Twitter's internal administrative tools. Starting from this initial breach, attackers were able to take over the accounts of multiple people and promote a scam that collected approximately $117,000 in Bitcoin.

One of the most notorious data breaches of recent decades was the cyber-attack launched against major retailer Target in 2013. The combination of strategies used to pull this attack off were fairly sophisticated. The attack involved a social engineering attack, the hijacking of a third-party vendor, and a large-scale attack on physical point-of-sale devices.

The attack was initiated with a phishing scam that went after employees of an air-conditioning company that provided AC units to Target stores. These air conditioners were linked to computers on Target's network to monitor energy usage, and the attackers compromised the air-conditioning company’s software to gain access to the Target system. Eventually the attackers were able to reprogram credit card scanners in Target stores to provide attackers with customer credit card data. These scanners were not connected to the Internet, but were programmed to periodically dump saved credit card data into an access point monitored by the attackers. The attack was successful and led to an estimated 110 million Target customers having their data compromised.

How can businesses prevent data breaches?

Since data breaches come in so many forms, there is no single solution to stop data breaches and a holistic approach is required. Some of the main steps businesses can take include:

Access control: Employers can help combat data breaches by ensuring that their employees only have the minimum amount of access and permissions necessary to do their jobs.

Encryption: Businesses should encrypt their websites and the data they receive using SSL/TLS encryption. Businesses should also encrypt data at rest, when it is stored in their servers or on employees' devices.

Web security solutions: A web application firewall (WAF) can protect a business from several types of application attacks and vulnerability exploits that aim to create data breaches. In fact, it is speculated that a properly configured WAF would have prevented the major data breach attack on Equifax in 2017.

Network security: In addition to their web properties, businesses must protect their internal networks from compromise. Firewalls, DDoS protection, secure web gateways, and data loss prevention (DLP) can all help keep networks secure.

Keeping software and hardware up-to-date: Old versions of software are dangerous. Software almost always contains vulnerabilities that, when exploited properly, allow attackers to access sensitive data. Software vendors regularly release security patches or entirely new versions of their software to patch vulnerabilities. If these patches and updates are not installed, attackers will be able to compromise those systems — as took place in the Equifax breach. Past a certain point, vendors will no longer support a software product — leaving that software completely open to whatever new vulnerabilities are discovered.

Preparation: Companies should prepare a response plan to be executed in the case of a data breach, with a goal of minimizing or containing the leak of information. For instance, companies should keep backup copies of important databases.

Training: Social engineering is one of the most prevalent causes for data breaches. Train employees to recognize and respond to social engineering attacks.

How can users protect themselves from data breaches?

Here are some tips for protecting your data, although these actions on their own do not guarantee data security:

Use unique passwords for each service: Many users reuse passwords across multiple online services. The result is that when one of these services has a data breach, attackers can use those credentials to compromise users' other accounts as well.

Use two-factor authentication: Two-factor authentication (2FA) is the use of more than one verification method to confirm a user's identity before they are allowed to log in. One of the most common forms of 2FA is when a user enters a unique one-time code texted to their phone in addition to their password. Users who implement 2FA are less vulnerable to data breaches that reveal login credentials, because their password is not enough on its own to allow an attacker to steal their accounts.

Only submit personal information on HTTPS websites: A website that does not use SSL encryption will only have "http://" in its URL, not "https://". Websites without encryption leave any data entered on that website exposed, from usernames and passwords to search queries and credit card numbers.

Keep software and hardware up-to-date: This suggestion applies to users as well as businesses.

Encrypt hard drives: If a user's device is stolen, encryption prevents the attacker from viewing the files stored locally on that device. However, this does not stop attackers who have gained remote access to the device through a malware infection or some other method.

Only install applications and open files from reputable sources: Users accidentally download and install malware every day. Make sure any files or applications you open, download, or install are really from a legitimate source. In addition, users should avoid opening unexpected email attachments — attackers often disguise malware within seemingly harmless files attached to emails.