What is a data breach?
A data breach is a security incident in which a malicious actor breaks through security measures to illicitly access data.
Data about individuals—names, birthdates, financial information, social security numbers and driver’s license numbers, and more—lives in innumerable copies across untold numbers of servers at private companies, public agencies, and in the cloud. If someone who isn’t authorized to access personally identifiable information (PII) manages to get a look at it, that can have dire consequences both for the individual and for the organization that stored the data and was supposed to keep it safe.
PII is valuable to a number of types of malicious actors, which gives an incentive for hackers to breach security and seek out PII where they can. On the flip side, companies and government organizations that store data often fail to adequately protect it, and in some jurisdictions legislation aims to crack down on lax security practices that can lead to data breaches.
One last note on terminology before we begin: sometimes people draw a distinction between a data breach and data leak, in which an organization accidentally puts sensitive data on a website or other location without proper (or any) security controls so it can be freely accessed by anyone who knows it’s there. But the line between a breach and leak isn’t necessarily easy to draw, and the end result is often the same.
How do data breaches happen?
A data breach happens when someone gets access to a database that they shouldn’t have access to. This is a broad description and could include something as simple as a library employee sneaking a peek at what books a friend has checked out when they have no legitimate work reason to do so, for instance.
Most people wouldn’t find that to be all that problematic, but it is true that some data breaches are inside jobs—that is, employees who have access to PII as part of their work might exfiltrate that data for financial gain or other illicit purposes. In other cases, however, data breaches follow the same pattern as other cyberattacks by outsiders, where malicious hackers breach defenses and manage to access their victim’s data crown jewels.
The how question helps us differentiate several different types of data breaches.
4 types of data breaches
Insider theft: Insiders can be compromised by attackers, may have their own personal beef with employers, or may simply be looking to make a quick buck.
Unauthorized access: This is probably the scenario most of us imagine when we picture a hacker stealing PII: an expert cybercriminal navigating around firewalls and other defense systems or taking advantage of zero-days to access databases full of credit card numbers or medical data that they can exploit. Attackers may use phishing, spyware, and other techniques to gain a foothold in their target networks. A specialized version of this type of attack involves physical theft of hardware where sensitive data is stored, either from an office or (increasingly likely) from individuals who take laptops home and improperly secure them.
Data on the move: PII that’s being transmitted across open networks without proper encryption is particularly vulnerable, so great care must be taken in situations in which large batches of tempting data are moved around in this way.
Accidental exposure: This is the data leak scenario we discussed above. It’s surprisingly common for sensitive databases to end up in places they shouldn’t—copied to serve as sample data for development purposes and uploaded to GitHub or some other publicly accessible site, for instance. Attackers have automated tools that scan the internet looking for the telltale signatures of PII. Then there are those organizations that upload crucial data to a cloud service but misconfigure access permissions. There’s also a physical analogue here, when companies insecurely dispose of old laptops and hard drives, allowing dumpster divers to get access.
For those organizations looking to prevent the damage of a data breach, it’s worth considering what these scenarios have in common. Most companies probably believe that their security and procedures are good enough that their networks won’t be breached or their data accidentally exposed. Some are right about this; many are wrong. If you are wrong—and the increasing ubiquity of network breaches makes it increasingly likely that you will be—a zero trust approach can mitigate against the possibility of data disaster. Even if an attacker gets access to your network, PII should be ringed with extra defenses to keep it safe. Access to databases that store PII should be as restricted as possible, for instance, and network activity should be continuously monitored to spot exfiltration. Stored passwords need to be treated with particular care, preferably cryptographically hashed (something even companies that should know better fail to do).
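The password-storage point above is easy to get wrong, so here is an added example (not code from the original article) that contrasts a weak unsalted hash with a salted, deliberately slow key-derivation function from Python's standard library, plus a constant-time verifier; the cost parameter and storage format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Weak approach: an unsalted, fast hash. Two users with the same password get
# the same value, and a stolen table can be cracked offline at GPU speed.
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Hardened approach: a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; raise as hardware gets faster

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Store the algorithm, cost and salt next to the digest so verification can
    # reproduce the computation (assumed "$"-separated record format).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed record: wrong field count, non-integer cost or bad hex.
        return False
    # Constant-time comparison so response timing does not leak matching bytes.
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    pw = "correct horse battery staple"
    print(weak_hash(pw) == weak_hash(pw))          # True: reuse is visible in the table
    a, b = hash_password(pw), hash_password(pw)
    print(a == b)                                  # False: different salts
    print(verify_password(pw, a), verify_password("wrong", a))  # True False
```

If the password table is ever exfiltrated, the salt and iteration count are what turn a one-shot lookup into per-account brute force, which is the margin that gives users time to rotate credentials after a breach is disclosed.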
What are examples of data breaches?
CSO has compiled a list of the biggest breaches of the century so far, with details on the cause and impact of each breach. These include not just the big Chinese-driven hacks noted above, but also hundreds of millions of accounts breached at Yahoo, Adobe, LinkedIn, and MyFitnessPal. What’s worse, some companies appear on the list more than once.
Here is a brief timeline of those significant breaches:
- LinkedIn – 165 million users
- Yahoo – 3 billion accounts
- Adobe – 153 million user records
- Court Ventures (Experian) – 200 million personal records
- MySpace – 360 million user accounts
- Yahoo – 500 million accounts
- NetEase – 235 million user accounts
- Adult Friend Finder – 412.2 million accounts
- My Fitness Pal – 150 million user accounts
- Dubsmash – 162 million user accounts
- Marriott International (Starwood) – 500 million customers
- Facebook – 533 million users
- Alibaba – 1.1 billion pieces of user data
- Sina Weibo – 538 million accounts
- LinkedIn – 700 million users
Recent data breaches: 2022
While 2022 hasn’t seen any breaches quite as high-profile as those listed above, that doesn’t mean hackers have been sitting on their hands:
Data breach statistics
Looking for some key data breach stats? Security software provider Varonis has compiled a comprehensive list; here are some worth noting:
- 58% of data breaches involve PII
- 64% of Americans don’t know what to do after a data breach
- In 2020, it took a breached company on average 207 days to realize they’d been breached
Impact of a data breach on individuals
In some ways, the idea of your PII being stolen in a breach may feel fairly abstract—and after an endless drumbeat of stories in the news about data breaches, you may be fairly numb to it. But there’s an awful lot that criminals can do with your personal data if they harvest it in a breach (or, more likely, buy it from someone who’s harvested it; the criminal underworld is increasingly specialized).
PII provides the fundamental building blocks of identity theft. A clever criminal can leverage OPSEC and social engineering techniques to parlay even a partial set of information about you into credit cards or other fake accounts in your name that will haunt you. If your password was in the stolen data, and if you’re the type of person who uses the same password across multiple accounts, hackers may be able to skip the fraud and just drain your bank account directly.
That said, the correlation between data breaches and stolen identities is not always easy to prove, although stolen PII has a high enough resale value that surely someone is trying to make money off it. Some of the highest-profile data breaches (such as the big breaches at Equifax, OPM, and Marriott) seem to have been motivated not by criminal greed but rather nation-state espionage on the part of the Chinese government, so the impacts on the individual are much murkier.
What to do after a data breach
Organizations should have detailed plans in place for how to deal with data breaches that include steps such as pulling together a task force, issuing any notifications required by law, and finding and fixing the root cause.
If you’re an individual whose data has been stolen in a breach, your first thought should be about passwords. If the account that was breached shares a password with other accounts you have, you should change them as soon as possible, especially if they’re for financial institutions or the like. Many password managers not only help you choose different strong passwords across websites, but also include data intelligence features that automatically let you know if any of your accounts are associated with a publicized data breach.
Beyond that, you should take extra care to maintain your financial hygiene. In particular, freezing your credit so that nobody can open a new card or loan in your name is a good idea.
Consequences of a data breach
A company that allows the data with which they were entrusted to be breached will suffer negative consequences. Such a breach can damage a company’s reputation and poison relationships with customers, especially if the details of the breach reveal particularly egregious neglect.
There are also direct financial costs associated with data breaches: in 2020 the average cost of a data breach was close to $4 million. Much of those costs are the result of privacy regulations that companies must obey when their negligence leads to a data breach: not just fines, but also rules about how breaches are publicized to victims (you didn’t think they’d tell you out of the goodness of their hearts, did you?) that involve administrative work and headaches on the part of the company. The overall goal is to encourage companies to lock down user data so they aren’t breached, but that’s cold comfort to those that are.
Data breaches and the GDPR
There are a number of regulations in different jurisdictions that determine how companies must respond to data breaches. HIPAA in the U.S. is important, though its reach is limited to health-related data. But the 800-pound gorilla in the world of consumer privacy is the E.U.’s GDPR, which many large companies end up conforming to across the board because it represents the most restrictive data regulation of the jurisdictions they deal with.
The GDPR requires that users whose data has been breached must be informed within 72 hours of the breach’s discovery, and companies that fail to do so may be subject to fines of up to 4 percent of the company’s annual revenues. The details, however, are enormously complex, and depend on whether you can show you have made a good faith effort to implement proper security controls.