Data breaches are being reported more and more often. Hardly a week goes by without another high-profile data breach making the headlines. But what exactly does it mean? Do hackers have that stolen data now or was the data just improperly handled? What kind of data is it? Who is being most affected by it?
To help shed a bit more light on the issue of data breaches, we created this guide on everything you need to know about insecure data, data breach scandals and stolen data incidents.
What Is a Data Breach?
There are many types of incidents which can be classified as data breaches, depending on who is accessing the data, why, whose data it is, and so on.
But to keep things simple while still providing a definition: a data breach is a security incident in which data is accessed without authorization or exposed to unauthorized parties, whether intentionally or unintentionally.
As you can see from our data breach definition above, not all data breaches are the result of hacking or malicious intent. Sometimes, a breach can occur as the result of a technical glitch or human mistake, and in this case, it’s known as a data leak or a data spill.
If the data breach is intentional, then we can differentiate between data breach hacks (conducted from the outside) and insider data breaches (conducted by an authorized person on the inside who exposes the data to an unauthorized environment). Furthermore, especially when it comes to unintentional data breaches, the lines get even murkier between an actual breach and potential exposure or simply improper data storage (without evidence that someone abused the vulnerability in order to see sensitive data).
In any case, this is all just organizational and infosec jargon, up to a point. While it’s important to differentiate between all these with great precision in order to diagnose an incident, as professionals, we have to admit that the label of data breach is usually only used outside the field for huge incidents. So, whenever you hear or read about a data breach in relation to a famous brand name, you can be pretty sure that the incident was big.
The Main Types of Data Breaches Explained
Let’s take each type of data breach and explain it briefly, just so you can envision what each of them can look like in practice. This way, when you next read a major news story about a data breach, you’ll know exactly what it’s about.
#1. The classic hack data breach
Usually, when people hear about a data breach, this is the type of breach they envision. In this scenario, the data is lost in the most aggressive way possible: outsiders hack into the protected systems of the target organization and forcibly copy or expose the data.
#2. The insider job
In this case, the main agent of the data breach is a person on the inside of the organization who is abusing their privileges for the sake of gain or simply out of spite. Disgruntled employees have been behind plenty of data breaches over the years. Besides any harbored grudge, the financial incentive provided by an outside third party can definitely serve as a catalyst to the decision to play for the opposing team.
#3. The taking of data
In some data breaches, it can be discovered after a long time that someone took data outside the organization. Even if the data was not exposed to other unauthorized parties (as far as the investigators can tell) and even if the person who took it was authorized to access it, it is still considered a breach. That’s because the privileges of the job end at the limits of the organization’s infrastructure, whether those limits are the actual building space or the sole use of company endpoints.
Furthermore, taking data without the knowledge of the rest of the organization is illegal and very likely has an ulterior motive which is not in the organization’s best interest. Otherwise, why would it happen without the knowledge of the other management members?
#4. The stealing of data
Stealing data from an organization is a type of data breach similar to data taking. But while in the first case the person is authorized to access that data, in this case they are not cleared for accessing it. That’s why we call it stealing instead of taking: the employee is accessing the data through dishonest means in the first place. This could be done through hacking, through abusing the trust of a colleague with higher authorization, or through exploiting an insecure environment.
#5. Improper data storage
If at some point an organization discovers that it has been storing data improperly for a while, it needs to report and classify this as a data breach. Even if no unauthorized person saw that data, it’s still technically a breach compared to how it was supposed to be stored. The recent headlines about Facebook storing user passwords in plain text are a good example of this type of data breach.
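To make the plain-text case concrete, here is an added example (not code from this article or from any company named in it) that stores passwords as salted scrypt hashes and audits a credential table for rows that were stored improperly. The record format, cost parameters and sample rows are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune them for your hardware.
N, R, P, KEY_LEN, SALT_LEN = 2**14, 8, 1, 32, 16


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=KEY_LEN)


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<hash hex>' with a fresh random salt per password."""
    salt = os.urandom(SALT_LEN)
    return f"scrypt${salt.hex()}${_scrypt(password, salt).hex()}"


def parse_record(record: str):
    """Return (salt, digest) for a well-formed record, or None for anything else."""
    try:
        scheme, salt_hex, hash_hex = record.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return None
    if scheme != "scrypt" or len(salt) != SALT_LEN or len(digest) != KEY_LEN:
        return None
    return salt, digest


def verify_password(password: str, record: str) -> bool:
    parsed = parse_record(record)
    if parsed is None:
        return False
    salt, digest = parsed
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_scrypt(password, salt), digest)


def audit_store(rows: dict) -> list:
    """Return the accounts whose stored value is not a salted scrypt record."""
    return sorted(user for user, stored in rows.items() if parse_record(stored) is None)


# Constructed sample credential table: one row was written in plain text.
SAMPLE_ROWS = {"alice": hash_password("correct horse battery"), "bob": "Summer2019!"}
```

Running `audit_store(SAMPLE_ROWS)` flags only the plain-text row, which is the kind of finding that would have to be reported as improper storage.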
#6. The unintentional data leak
Data leaks, defined as the transfer of data from inside the organization to persons or entities outside of it, can also happen unintentionally. A carelessly sent email, a wrong email address filled in by an auto-complete function and never checked, or even accidents and glitches unrelated to human behavior – these can all be causes of an unintentional data leak.
But, even if a leak is unintentional, an organization is still held responsible for it if the data leaked belonged to clients and customers.
#7. The whistleblowing (intentional data leak)
How about when the data leak is intentional? When someone on the inside of the organization causes the leak on purpose? How does this differ from an insider job, described above?
The difference lies in the purpose of the data breach, on the insider’s part. If they are seeking gain or to cause harm to the organization, it’s a breach. If they want to share the information with the greater public or with journalists because they believe it’s a matter of public interest, then it’s officially classified as whistleblowing.
While essentially noble in theory, the practice of whistleblowing is nonetheless controversial in many cases (see the Edward Snowden case). Still, in most cases, whistleblowers are protected from retaliation and thanked for doing a huge community service for exposing the data.
Examples of Notorious Data Breaches
Now that we covered the main types of data breaches and explained how they work, let’s take a look at famous data breaches of the past few years. We’re pretty sure you may have heard of at least a few from this list.
While there are certainly bigger data breaches than these out there, based on the number of people whose data has been exposed, the breaches selected here are important based on other criteria. Brand popularity or the circumstances of the breach can be such alternate criteria, for example.
1. The Yahoo data breach from 2014
Although the company only discovered it in September 2016, Yahoo was the target of one of history’s largest data breaches back in 2014. The breach exposed personal data from more than 500 million users, including home addresses, phone numbers and so on. According to company representatives, the pervasive breach had been sponsored by a state actor, placing it in the cyberespionage tier of digital crime.
2. The eBay data breach from 2014
The giant ecommerce company was targeted by a huge data breach which led to the records of over 140 million users being exposed. The hackers gained access through 3 compromised corporate email accounts and worked their way inside the system from there, following a long approach which took over 200 days.
Luckily for users, the financial data was stored somewhere separately so the hackers weren’t able to access it in the end, but it still got pretty close.
3. Facebook (2018 onwards)
The social media corporation is facing an increasing wave of criticism following its failure to properly protect user data. First there was the Cambridge Analytica scandal, which revealed how voters were manipulated based on the insights of a highly advanced AI. Then smaller data breaches occurred (such as the report about the company storing passwords in plain text format), which eroded the trust in Facebook even further.
4. Quora (end of 2018)
The popular question-and-answer platform Quora reported a major breach in December 2018. Apparently, an unauthorized third party gained access to more than 100 million user profiles and passwords etc.
5. Newegg (2014-2018)
Through a malicious script injection, hackers managed to collect over 50 million sets of sensitive data (credit card info) from online shoppers within this time frame. The scary part is that the breach managed to continue undetected for 4 years. Basically, whenever shoppers bought something online from Newegg, the malicious script was capturing their data and sending it to the hackers.
6. MyHeritage (2018)
Due to the work of cybersecurity researchers, the operators of the MyHeritage website found out that a collection of their users’ data was being hosted somewhere online. After an internal investigation, they detected the vulnerability which was exploited for this breach and they alerted the impacted users about the fact that they need to change their credentials.
7. Equifax (2017)
As one of the U.S.’s biggest credit bureaus, Equifax had access to very sensitive data about its users. Sadly, this is precisely what drew hackers in and made for one of history’s biggest data breaches. In June 2017, over 143 million consumers saw their data leaked, including information such as their social security number.
8. Uber (2016)
Two hackers managed to gain access to the personal data of 57 users of the Uber app. Due to poor crisis management, the hackers then targeted Uber’s GitHub account and gained access to a huge number of credentials (which technically should not have been stored on GitHub in the first place).
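As an added example (not part of the original article and not Uber's or GitHub's tooling), the sketch below shows the kind of check that catches credentials before they are committed to a repository. The rule set, file names and sample content are assumptions made for illustration.

```python
import re

# Detection rules (an assumed, deliberately small rule set for this example).
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_secret": re.compile(
        r"(?:password|passwd|secret|api_key|token)['\"]?\s*[:=]\s*['\"]([^'\"]{8,})['\"]",
        re.IGNORECASE,
    ),
}
# Values that only reference a secret kept elsewhere are not findings.
REFERENCE_PREFIXES = ("${", "$(", "<")


def scan(files: dict) -> list:
    """Return (path, line number, rule) for each suspected credential.

    The matched value is never returned, so the report itself leaks nothing.
    """
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES.items():
                match = pattern.search(line)
                if not match:
                    continue
                if match.groups() and match.group(1).startswith(REFERENCE_PREFIXES):
                    continue
                findings.append((path, lineno, rule))
    return findings


# Constructed repository content. The key ID is the placeholder from AWS documentation.
SAMPLE_REPO = {
    "config/settings.py": (
        'DB_HOST = "db.internal.example"\n'
        'DB_PASSWORD = "s3cr3t-Passw0rd!"\n'
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
    ),
    "deploy/env.sh": 'export API_TOKEN="${API_TOKEN}"\n',
    "README.md": "Set the password via the environment.\n",
}
```

On the constructed sample, `scan(SAMPLE_REPO)` reports lines 2 and 3 of `config/settings.py` and ignores the environment-variable reference in `deploy/env.sh`.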
9. Adobe (2013)
Discovered by security researcher Brian Krebs in 2013, the Adobe data breach exposed the private data of over 38 million users. Adobe had to settle in the end and pay these users damages for mishandling an issue and almost turning it into a PR crisis.
10. ElasticSearch (2018)
A regular security audit that seemed like just another report to sign off on quickly turned into the discovery of a huge data breach. No one knows for how long the malicious scripts may have been in place to gather data, but in the end more than 82 million user accounts were compromised.
Protecting Your Organization Against a Data Breach
As you can see, a data breach can be a very serious thing, with the potential to negatively impact the lives of users and to significantly diminish a business, or to lead to a PR crisis. So how can you protect your organization against a data breach? No defensive recipe is fail-proof, but here are a few great places to start from in order to minimize all chances of going through a data breach.
a) Patch and update all software used across the network
It’s actually best if you have an automated software patcher installed, just to make sure every patch is installed as soon as it’s available. Very often, new software patches are released precisely because they respond to a vulnerability recently reported. The more you delay installing the new patch, the more you leave your systems exposed to threats and exploits.
b) Use double encryption on data
If you can’t use advanced encryption, even a simple type of encryption is better than nothing. This way, even if a data breach does occur, the data will still be safe without the encryption key.
c) Create a security policy or adopt a cybersecurity framework
If you are creating your own security policy, make sure you pay special attention to data protection. This not only helps prevent data breaches and contain them should they occur nonetheless, but also ensures compliance with data protection regulations.
Organizations worldwide have become very concerned with data protection ever since the European Union started enforcing its GDPR set of rules. Recent reports indicate that the U.S. is currently in the process of developing equivalent legislation for data protection, so it’s clear that compliance is going to be an issue for most international organizations.
d) Enforce good password hygiene and 2FA
To prevent unintentional leaking and to make intentional leaks harder, encourage all members of your organization to have better password hygiene. Enforce automatic prompts for changing passwords every 3 months and mandatory two-factor authentication (2FA). This should make it harder to gain access to another person’s account.
e) Educate your employees to avoid social engineering
Keep your employees up to date with the latest security threats and case studies on how social engineering works. That way, they can know what to expect and how to guard themselves against it. Insider threat is unintentional in the majority of cases. Just teach your employees better data protection practices and they will be better equipped to prevent data breaches.
That’s it! We’ve shared the main scoop on data breaches and on how they work. Do you have anything to share about data breaches too? Was your organization ever targeted by a data breach? If so, don’t hesitate to let us know what happened, in the comment field below. Our readers can all use more learning opportunities.