Data Breach

A data breach, or data leak, is a security event in which protected data is accessed by or disclosed to unauthorized viewers. A data breach is different from data loss, which is when data can no longer be accessed because of hardware failure, deletion or another cause. Protected data can include information about individual customers or employees, such as personally identifiable information (PII), personal health information, payment card information and Social Security numbers. It can also include corporate information or intellectual property (IP), such as trade secrets, details about manufacturing processes, supplier and customer data, information about mergers and acquisitions, or data about lawsuits or other litigation.

Data breaches are not always intentional. Users can accidentally send protected data to the wrong email address or upload it to the wrong share; in fact, mistakes account for 17% of breaches, according to Verizon’s well-known 2018 Data Breach Investigations Report. But the report found that most breaches are deliberate and financially motivated. While different methods are used to gain access to sensitive data, 28% of breaches involve insiders, according to the Verizon report.

Root causes

  • Cyber-attacks: Hackers use malware, phishing, social engineering, skimming, and related techniques to gain access to protected information.
  • Theft or loss of devices: Laptops, smartphones, thumb drives, and other data storage media can be lost, stolen or disposed of improperly. If they contain protected information and it ends up in the wrong hands, that’s a data breach.
  • Employee data theft or data leak: Employees, especially those who are departing soon, might deliberately and maliciously access protected information without authorization.
  • Human error: Mistakes happen, and people are negligent. Employees accidentally send proprietary data to the wrong person, upload it to public shares or misconfigure servers where it is stored.

World’s biggest data breaches

Prachi

Yahoo

When it happened: a series of breaches in 2013 and 2014

When it was disclosed: 2016

In 2016, Yahoo estimated that over 1 billion user accounts might have been compromised in the 2014 breach. Later, in 2017, it admitted all 3 billion of its user accounts had been hacked. The breaches involved the theft of user account details such as email addresses, telephone numbers, hashed passwords, dates of birth and, in some cases, answers to security questions. Fortunately, no payment information, such as credit card numbers or bank account details, was stolen.

Equifax

When it happened: Mid-May 2017

When it was disclosed: September

Hackers gained access to certain files containing Social Security numbers, birth dates, addresses, driver’s license numbers and other personal information. 209,000 consumers also had their credit card data exposed in the attack.

Marriott International

When it happened: 2014

When it was disclosed: 2018

In 2018, Marriott International announced that cyber thieves had stolen data on approximately 500 million customers. Marriott believes that the credit card numbers and expiration dates of more than 100 million customers were stolen, although the company is uncertain whether the attackers were able to decrypt the credit card numbers.

Basic safeguards against data breaches

  • Encryption: According to the Ponemon research, the second-to-top factor that reduces the overall costs of a data breach is encryption. It’s a simple yet often neglected way to secure your data. Even if it’s stolen or breached, properly encrypted data will be useless to malicious actors: they won’t be able to sell it or use it against you or the individuals whose data they stole.
  • Data access governance: Regular privilege attestation and data access monitoring will reduce your attack surface and help you spot abnormal activities.

Steps you should take if you become a victim of a data breach

  • Contact the “breach” company: That means contacting the company whose data was breached. Find out the extent of the damage. Don’t simply trust them, even if they tell you that your stolen information was encrypted.
  • Change all your passwords. Don’t make it easy. Use different passwords for different accounts!
  • Call your credit card companies and banks: Doing so will lock your accounts and prevent further transactions.
  • You can file a report with the Federal Trade Commission (FTC) if you are in the U.S., or with similar agencies in other countries.
  • Get a copy of your credit report to see if anything unusual appears on your credit, and include that in your police report and FTC report.

In conclusion, we read frequently about personal data breaches. One of the recent ones involved German politicians’ data. Data breaches might sap our companies and our digital identities. Regulations have been made to try to normalize and block breaches, but unfortunately in 2019 it is still easy to get random personal data from the internet. The main reason for vulnerable websites is “un-patched software versions”.

Here are a few things that can help you:

  • Look for solutions that can help automate as many tasks as possible so you and your team can focus on strategically important activities.
  • Look for new cybersecurity developments in various industries and apply those that seem to fit your company best.

Thanks for reading! Contact Mirketa if you need consulting on how you can protect your websites and application data.
