Data Breach

A data breach involves the release of sensitive information. Many types of online attacks have a primary goal of causing a data breach to release information such as login credentials and personal financial data.

A data breach is the release of confidential, private, or otherwise sensitive information into an unsecured environment. A data breach can occur accidentally or as the result of a deliberate attack.

Millions of people are affected by data breaches every year. They can range in scope from a doctor accidentally looking at the wrong patient’s chart to a large-scale attempt to access government computers to uncover sensitive information.

Data breaches are a significant security concern because sensitive data is constantly transmitted over the Internet. This continuous transfer of information makes it possible for attackers in any location to attempt data breaches on almost any person or business they choose.

Data is also stored in digital form by businesses all over the world. The servers that store the data are often vulnerable to various cyber-attacks.

Who is typically targeted for data breaches?

Major corporations are prime targets for attackers attempting to cause data breaches because they offer a large payload. This payload can include millions of users’ personal and financial information, such as login credentials and credit card numbers. This data can all be resold on underground markets.

However, attackers target anyone and everyone they can extract data from. All personal or confidential data is valuable to cyber criminals — usually, someone will pay for it.

What are some of the main ways a data breach can occur?

  • Lost or stolen credentials – The most straightforward way to view private data online is by using someone else’s login credentials to sign into a service. To that end, attackers employ many strategies to get their hands on people’s logins and passwords. These include brute force attacks and on-path attacks.
  • Lost or stolen equipment – A lost computer or smartphone that contains confidential information can be very dangerous if it falls into the wrong hands.
  • Social engineering attacks – Social engineering involves using psychological manipulation to trick people into handing over sensitive information. For example, an attacker may pose as an IRS agent and call victims on the phone to convince them to share their bank account information.
  • Insider threats – These involve people with access to protected information deliberately exposing that data, often for personal gain. Examples include a restaurant server copying customers’ credit card numbers and high-level government employees selling secrets to foreign states.
  • Vulnerability exploits – Almost every company in the world uses various software products. Because software is so complex, it often contains “vulnerabilities.” An attacker can exploit these vulnerabilities to gain unauthorized access and view or copy confidential data.
  • Malware infections – Many malicious software programs are designed to steal data or track user activities, sending the information they gather to a server the attacker controls.
  • Physical point-of-sale attacks – These attacks target credit and debit card information and most often involve the devices that scan and read these cards. For example, someone could set up a fake ATM or even install a scanner on a legitimate ATM to gather card numbers and PINs.
  • Credential stuffing – After someone’s login credentials are exposed in a data breach, an attacker may try re-using those credentials on dozens of other platforms. If that user logs in with the same username and password on multiple services, the attacker may gain access to the victim’s email, social media, and/or online banking accounts.
  • Lack of encryption – If a website that collects personal or financial data does not use SSL/TLS encryption, anyone can monitor transmissions between the user and the website and see that data in plaintext.
  • Misconfigured web app or server – If a website, application, or web server is not set up correctly, it may leave data exposed to anyone with an Internet connection. Confidential data could be seen by users who accidentally stumble upon it or attackers who are purposefully looking for it.

What does a real-world data breach look like?

The Equifax data breach in 2017 is one major example of a large-scale data breach. Equifax is an American credit bureau. Between May and June 2017, malicious parties accessed the private records of nearly 150 million Americans, about 15 million British citizens, and about 19,000 Canadian citizens stored on Equifax’s servers. The attack was made possible because Equifax had not applied a patch to a software vulnerability in their system.

Smaller-scale data breaches can have a big effect as well. In 2020, attackers hijacked the Twitter accounts of numerous famous and influential people. The attack was possible because of an initial social engineering attack that enabled the attackers to access Twitter’s internal administrative tools. Starting from this initial breach, attackers could take over multiple people’s accounts and promote a scam that collected approximately $117,000 in Bitcoin.

One of the most notorious data breaches of recent decades was the cyber-attack launched against major retailer Target in 2013. The combination of strategies used to pull this attack off was pretty sophisticated. The attack involved a social engineering attack, the hijacking of a third-party vendor, and a large-scale attack on physical point-of-sale devices.

The attack was initiated with a phishing scam that went after employees of an air-conditioning company that provided AC units to Target stores. These air conditioners were linked to computers on Target’s network to monitor energy usage, and the attackers compromised the air-conditioning company’s software to gain access to the Target system. Eventually, the attackers could reprogram credit card scanners in Target stores to provide attackers with customer credit card data. These scanners were not connected to the Internet but were programmed to periodically dump saved credit card data into an access point monitored by the attackers. The successful attack led to an estimated 110 million Target customers having their data compromised.

How can businesses prevent data breaches?

Since data breaches come in so many forms, there is no single solution to stop data breaches, and a holistic approach is required. Some of the main steps businesses can take include:

Access control: Employers can help combat data breaches by ensuring their employees only have the minimum access and permissions necessary to do their jobs.

Encryption: Businesses should encrypt their websites and the data they receive using SSL/TLS encryption. Businesses should also encrypt data at rest when it is stored in their servers or on employees’ devices.

Web security solutions: A web application firewall (WAF) can protect a business from several types of application attacks and vulnerability exploits that aim to create data breaches. It is speculated that an adequately configured WAF would have prevented the major data breach attack on Equifax in 2017.

Network security: Besides their web properties, businesses must protect their internal networks from compromise. Firewalls, DDoS protection, secure web gateways, and data loss prevention (DLP) can all help keep networks secure.

Keeping software and hardware up-to-date: Old versions of software are dangerous. Software almost always contains vulnerabilities that, when properly exploited, allow attackers to access sensitive data. Software vendors regularly release security patches or new software versions to patch vulnerabilities. If these patches and updates are not installed, attackers can compromise those systems, as occurred in the Equifax breach. Past a certain point, vendors will no longer support a software product, leaving that software utterly open to whatever new vulnerabilities are discovered.

Preparation: Companies should prepare a response plan to be executed in the case of a data breach to minimize or contain the information leak. For instance, companies should keep backup copies of essential databases.

Training: Social engineering is one of the most prevalent causes of data breaches. Train employees to recognize and respond to social engineering attacks.

How can users protect themselves from data breaches?

Here are some tips for protecting your data, although these actions on their own do not guarantee data security:

Use unique passwords for each service: Many users reuse passwords across multiple online services. The result is that when one of these services has a data breach, attackers can also use those credentials to compromise users’ other accounts.

Use two-factor authentication: Two-factor authentication (2FA) uses multiple verification methods to confirm a user’s identity before the user is logged in. One of the most common forms of 2FA is when a user enters a unique one-time code texted to their phone in addition to their password. Users who implement 2FA are less vulnerable to data breaches that reveal login credentials because their passwords alone are insufficient to allow an attacker to steal their accounts.

Only submit personal information on HTTPS websites: A website that does not use SSL encryption will only have “http://” in its URL, not “https://”. Websites without encryption expose any data entered on that website, from usernames and passwords to search queries and credit card numbers.

Keep software and hardware up-to-date: This suggestion applies to users and businesses.

Encrypt hard drives: If a user’s device is stolen, encryption prevents the attacker from viewing the files stored locally on that device. However, this does not stop attackers who have gained remote access to the device through a malware infection or some other method.

Only install applications and open files from reputable sources: Users accidentally download and install malware every day. Ensure any files or applications you open, download, or install are from a legitimate source. In addition, users should avoid opening unexpected email attachments — attackers often disguise malware within seemingly harmless files attached to emails.

