What is a data breach?

What is the definition of a data breach?

A data breach is a cybersecurity incident that results in an unauthorized party’s exposure or exfiltration of or damage to sensitive, confidential, private, or protected data. Data breaches are significant because they can lead to severe consequences for individuals (i.e., identity theft and financial loss, and organizations (i.e., reputational damage, legal repercussions, and financial penalties).  

The term data breach is often incorrectly used interchangeably with the term cyber attack. The most notable difference between a data breach and a cyber attack is that a data breach is a specific type of security incident resulting in compromised sensitive information. Importantly, a data breach, usually referring to digital information, encompasses data on physical media, such as paper documents, flash drives, laptops, mobile devices, and external hard drives. A cyber attack can result in a data breach, but also includes other malicious activities, such as a distributed denial of service (DDoS) attack. 

Organizations of all types and sizes are at risk of a data breach—from small businesses to major corporations, hospitals to schools, and governments to individuals. Information commonly targeted with a data breach includes: 

• Financial information (e.g., bank account information, credit card numbers) 
• Personal health information (PHI) (e.g., medical histories, lab test results) 
• Personally identifiable information (PII) (e.g., Social Security Numbers, driver’s license numbers) 
• Trade secrets (e.g., source code, formulas) 
• Other confidential information (e.g., customer information, legal documents). 

With a data breach, information can be copied or transmitted without damaging the source. A breach can also result in the loss of access to data due to theft or ransomware. In some cases, data can simply be destroyed in an act of vengeance or an attempt to cause catastrophic disruption. 

What causes a data breach?

Understanding the causes of data breaches helps organizations optimize their security measures and mitigate risks related to sensitive information. Common causes of data breaches include the following.

Cyber attacks

• Hacking—targeted attacks by cybercriminals using sophisticated techniques to exploit vulnerabilities in software or hardware
• Malware—installation of malicious software (e.g., viruses, worms, Trojan horses, and ransomware) on a victim’s system to steal data, monitor user actions, or gain control of the computer
• Man-in-the-middle (MitM) attacks—an attacker covertly intercepts and potentially modifies the communications between two parties who are under the impression that they are directly interacting with each other
• Phishing—deceptive social engineering tactics used to acquire sensitive data (e.g., credentials, personal data, and financial information) by posing as a legitimate entity in electronic communications or on websites
• Ransomware—malicious software that encrypts an organization’s data with subsequent demands for payment to decrypt it
• SQL injection—insertion of malicious SQL code into databases via web form input fields to manipulate or steal data from an application

Insider threats

• Accidental exposure—authorized users inadvertently expose sensitive information through mishandling of data, such as sending it to the wrong recipient or misconfiguring databases
• Improper disposal—improper disposal of hardware (e.g., old computers and drives) and printed documents) containing sensitive data
• Lost devices—accidental loss of laptops, smartphones, external storage devices, documents, files, or any physical medium containing sensitive information
• Malicious insiders—authorized users who intentionally steal or leak data for personal gain, revenge, or other nefarious motives

Physical theft 

• Device theft—stealing laptops, smartphones, external hard drives, or other devices containing sensitive information
• Physical documents—stealing documents, files, or any physical medium that contains confidential information
• Unauthorized access—gaining physical access to facilities or areas where sensitive information is stored without proper authorization

Poor security practices

• Inadequate security measures—lack of comprehensive security solutions, such as anti-malware and anti-virus software, firewalls, and intrusion detection and prevention systems
• Lack of encryption—failing to encrypt data, making it easy for attackers to read information if they gain access
• Inadequate access controls—not restricting data access based on user roles and allowing too many people unnecessary access to sensitive information
• Misconfigured cloud storage—incorrectly configuring cloud storage settings, exposing sensitive information to unauthorized access
• Outdated systems—failing to update and patch software and systems, leaving known vulnerabilities unaddressed
• Weak passwords—using easily guessable or default passwords

Stolen credentials

• Credential theft—stealing usernames and passwords through phishing, malware, or social engineering attacks
• Password attacks—using brute force attacks, dictionary attacks, or credential stuffing to crack weak passwords

What is targeted in data breaches?

In data breaches, attackers target a variety of sensitive and valuable information. The specific nature of the targeted data often depends on the motives of the attackers. Common types of data targeted in breaches include the following.

Corporate information

Targeted for corporate espionage, competitive advantage, ransom, or to harm the company’s reputation and financial standing

• Business plans
• Customer databases
• Financial reports
• Internal communications
• Merger and acquisition details
• Strategic plans
• Trade secrets

Educational records

Targeted for various reasons, including identity theft and academic fraud

• Academic information
• Loan information 
• Research data
• Student records

Financial information

Targeted to commit financial fraud or sell the information on the dark web

• Bank account details
• Credit card numbers
• Financial statements 

Government and military information

Targeted for espionage purposes by adversarial nation-states or terrorist groups

Information related to:

• Classified operations
• Infrastructure
• Military plans
• National security
• Public safety

Health information

Targeted to be used for insurance fraud, obtaining prescription drugs, or even for blackmail

• Insurance details
• Medical information
• Patient histories
• Treatment data

Intellectual property and trade secrets

Targeted by competitors or nation-states looking to gain an advantage

• Formulas
• Manufacturing plans
• Patents
• Recipes
• Research and development information
• Strategic plans

Login credentials

Targeted to gain unauthorized access to systems for further exploitation or to compromise additional accounts through credential-stuffing attacks

• Authentication tokens  
• Passwords
• Usernames

Personally identifiable information (PII)

Targeted to commit identity theft, fraud, and other malicious activities

• Addresses
• Dates of birth
• Identification numbers
• Names
• Social Security Numbers

What happens when organizations experience a data breach?

During a data breach, unauthorized individuals gain access to confidential, sensitive, or protected information, which can occur through various means. The sequence of events typically is as follows.

1. Intrusion
   A data breach usually starts with an attacker finding a vulnerability in a target organization. This could be a software flaw, inadequate security practices, compromised credentials, or even physical security weaknesses. The vulnerability is exploited to access the target organization’s network or systems.
2. Installation
   Once inside, attackers may install malicious software or tools to maintain access, gather more information, or cover their tracks. Often, attackers use malware to help them move laterally within the breached system or network to reach more valuable data repositories.
3. Discovery and exfiltration
   After gaining the necessary access, attackers identify valuable data such as personal information, intellectual property, financial data, or corporate secrets. They then extract this data from the organization’s network and transfer it to a location they control using exfiltration.
   
   Cyber attackers use a variety of tactics to exfiltrate data, often deploying multiple methods to maximize their chances of success while minimizing detection. Common exfiltration tactics used to expedite extraction and avoid detection include:
   • Automated tools and scripts that automate transfers when network usage is low
   • Data compression and encryption to minimize file sizes and mask content
   • Data smuggling and steganography to hide sensitive data in other files (e.g., images or videos)
   • DNS (Domain Name System) tunneling using DNS queries and responses
   • Instant messaging and social media services
   • Physical removal using USBs (Universal Serial Bus) or other removable media
   • Secure protocols (e.g., HTTPS (hypertext transfer protocol secure), FTPs (file transfer protocol), or VPNs (virtual private network) to blend with legitimate traffic

The cost of a data breach

A data breach can result in hard and soft costs. That is, a data breach can have monetary or more ephemeral costs, such as reputational damage or lost opportunities.  

In most cases, both types of damage occur. For instance, ransomware attacks, which are common data breaches, can result in organizations paying costly ransoms to regain access to their data, as well as seeing their brand tarnished when the word gets out about the data breach. 

There are many other costs related to a data breach, including: 

• Disruptions to operations that impact production and supply chains 
• Identifying, containing, assessing, and remediating the breach along with the requisite audits, notifications, and changes to processes and technology to prevent future incidents 
• Losing customers due to concerns about the organization’s ability to protect sensitive information 

Additional business expenses related to a data breach include: 

• Attorney fees 
• Compliance violation fines 
• Customer notifications  
• Drop in stock price for public companies 
• Insurance premium increases 
• Loss of intellectual property 
• Public relations costs 

Ultimately, the costs of a data breach depend on the size and type of organization and the cause of the breach. 

Why data breaches occur

Motivations for a data breach include: 

• Financial—steal money or valuable assets to sell 
• Geo-political—cause damage or disruption to a target politician or government 
• Personal—exact vengeance in response to a real or perceived negative action   
• Notoriety—display technical prowess (e.g., hack a high-profile system) 

In the case of cybercriminals, the primary motivation is financial gain. For example, they often sell or trade sensitive information stolen through a data breach on the dark web. This information can also be used to: 

• Apply for government benefits. 
• File fake tax returns to obtain refunds. 
• Generate falsified documents (e.g., driver’s licenses, passports). 
• Open and use new credit cards. 
• Withdraw money from banking or investment accounts. 

How data breaches occur

There are several ways that a data breach can occur. Examples of commonly used vectors follow.  

Targeted data breach attacks focus on specific individuals or organizations to obtain sensitive information. Tactics include: 

• Accidental data leak or exposure 
• Card skimmer and point-of-sale intrusion  
• Distributed denial-of-service (DDoS) attacks 
• Human error  
• Lost or stolen devices 
• Malicious insiders 
• Malware   
• Password guessing  
• Phishing    
• Physical security breach  
• Ransomware 
• Recording keystrokes  
• Social engineering 
• Spear phishing 
• SQL (structured query language) injection   
• Stolen or compromised credentials 
• Vulnerability exploits  

Whatever the vector, cybercriminals typically follow a similar attack pattern to execute a data breach successfully. Key steps of a data breach plan include. 

1. Observe potential targets.
   Cybercriminals begin their attack process by finding targets and then identifying technical vulnerabilities, such as weak security systems, open ports, or accessible protocols. In other cases, they plan social engineering campaigns that can target large groups (i.e., phishing) or individuals (i.e., spear phishing) who have privileged access to systems. 
2. Execute a security breach. 
   The attacker successfully completes a security breach and gains access to systems and networks. 
3. Secure access. 
   If the targeted system does not provide the desired access, cybercriminals utilize lateral movement across networks and privilege escalation to access and compromise other systems and user accounts. 
4. Complete the data breach. 
   Once the desired sensitive data has been identified, the attackers exfiltrate it for their nefarious purposes, such as selling it on the black market or dark web or holding it for ransom. 

Examples of data breaches

There are many paths to a data breach. Following are several examples of successful data breaches. 

In an attack targeting a retailer, cybercriminals gained access to sensitive data through cash registers. Weak encryption was used to secure the network. The attackers were able to decrypt the wireless network, then move from stores’ cash registers to back-end systems. As a result of this data breach, more than a quarter million customer records were compromised. 

In another incident, several billion individuals had their names, birthdates, email addresses, and passwords exposed. In this case, cybercriminals exploited a vulnerability in a cookie system the organization used.   

An organization’s network monitoring system was used as an attack vector in another example. The attackers were able to use it to distribute malware to its customers covertly, then infiltrate customers’ systems to gain access to sensitive information.   

Another organization was compromised by an employee’s password purchased by cybercriminals on the dark web. This single password was used to breach the network and launch a ransomware attack that cost the organization millions of dollars. 

A problem with the hashing process that an organization used to encrypt its users’ passwords forced a massive effort to have hundreds of millions of users change their passwords to remediate the vulnerability.

An insecure direct object reference (IDOR) exposed nearly a billion sensitive documents. This website design error was supposed to make a link available to a specific individual, but the link became publicly available, exposing the documents. 

Data breach prevention

Effective data breach prevention programs are built using a multi-layered defense comprised of technology and processes. Following are several of the many components of a data breach protection defensive strategy. 

Education and training

The leading cause of data breaches is an attack that starts with a human vector. Because of humans’ inherent weaknesses, they are widely considered to be the weakest link in any data breach prevention strategy.  

To combat this, security training is imperative. Employees require training to recognize and avoid attacks (e.g., phishing) as well as learn to handle sensitive data to prevent accidental data breaches and leaks.  

Endpoint threat detection and response 

Endpoint detection and response (EDR), also known as endpoint threat detection and response (ETDR), provides an integrated solution for endpoint security. EDR helps prevent a data breach by combining real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities to identify and neutralize cyberattacks. 

Identity and access management (IAM)

Identity and access management (IAM) solutions offer a strong defense against a data breach. Features of IAM solutions include strong password policies, password managers, two-factor authentication (2FA) or multi-factor authentication (MFA), single sign-on (SSO), and role-based access. These technologies and processes help organizations prevent data breach attempts that use stolen or compromised credentials. 

Incident response plans 

Preparation is one of the best defenses against a data breach. An incident response plan provides detailed instructions on how to handle a breach—before, during, and after a confirmed or suspected incident.  

An incident response plan includes explanations of the roles and responsibilities along with step-by-step processes for each phase. 

An incident response plan has been proven to be an effective tool in data breach defense plans. It can expedite the time to resolution and recovery as well as reduce the cost of a data breach.   

Multi-factor authentication (MFA)

Using multi-factor authentication (MFA) helps overcome the inherent weakness of users and passwords. With MFA, the user must go through a multi-step account login process rather than simply entering their username and password.  

MFA requires the user to complete additional steps to verify their identity. For instance, a user may be asked to enter a code sent via email or text message, answer a secret question, or perform a biometric scan (e.g., fingerprint, facial, retinal). 

Penetration testing

Penetration testing, also referred to as pen testing or ethical hacking, helps prevent a data breach by simulating cyberattacks to test systems and identify any exploitable vulnerabilities. Penetration testers use the same tools, techniques, and processes as cybercriminals to simulate real-world attacks that could result in a breach.   

Software updates and security patches

Software and operating systems (OS) updates and patches should always be installed when they are made available. These updates frequently include patches to fix vulnerabilities that could lead to a data breach.   

Strong passwords

Using strong passwords eliminates a common cyberattack vector. Knowing that people often use weak passwords, cybercriminals frequently launch attacks (e.g., password spraying) that exploit them. Strong passwords, combined with policies that require users to frequently change their passwords and use different passwords for services and applications, support an effective defense against data breach attempts.   

Zero trust security approach

A zero trust security approach assumes that no user or system should be trusted, even if they are inside a network. Key components of a zero trust security approach include: 

• Continuous authentication, authorization, and validation of any user or system that attempts to access a network or a network resource 
• Least privileged access, which allows only the minimum access needed for a task or role 
• Comprehensive monitoring of all network activity 

Data breach mitigation

A swift and comprehensive response is critical when a data breach is identified. Here are five key steps to follow: 

1. Minimize the impact of the breach.
   Stop the spread by isolating impacted systems or networks and locking any compromised accounts, including those that were used to access data. This stops additional information from being exposed and hinders lateral movement across networks.
2. Perform an assessment.
   Identify the cause of the attack to determine if there are additional risks associated with the initial intrusion, such as compromised user or system accounts or dormant malware lying in wait.  
3. Restore systems and patch vulnerabilities.
   Use clean backups and, in some cases, new systems to rebuild and restore affected systems. At this time, any available security updates should be made to remediate the vulnerability that led to the data breach.
4. Notify affected parties.
   Once the scale and scope of the breach have been determined, notifications must be made to affected parties. Depending on the type of organization and the information that was compromised, this could range from notifying executives and employees to notifying all customers and issuing a public statement.  
5. Document lessons learned.
   To help prevent a future data breach, it is important to document information and knowledge gained from the breach. This information should be used to update existing systems and practices as well as safeguarded for future reference.

Preparation limits data breach risks

Data breaches are widely considered to be one of the most common and expensive types of cybersecurity incidents. Impacting organizations of all sizes without geographic boundaries, data breaches can cause widespread damage that result in financial and physical harm. 

The best defense against a data breach is preparation. This includes having strong technical and process-based defenses in place to ensure early detection and response.  

Organizations with strong data breach defense systems and response plans have repeatedly been shown to recover faster with more limited damage.

In addition to implementing the right tools and procedures, it is important to test all systems. This proactive approach identifies vulnerabilities before a data breach occurs. Taking steps to identify and remediate vulnerabilities along with developing and practicing response plans go a long way to protecting sensitive information from a data breach. 

Data breach FAQ

Here are answers to some frequently asked questions about data breaches.

What is the definition of a data breach?

A data breach is a type of security incident in which confidential, protected, or sensitive information is accessed, disclosed, or used without authorization.

What is an example of a data breach?

One of the most significant and commonly cited data breaches targeted a major credit reporting agency. First reported in September 2017, this data breach exposed the personal information of approximately 147 million people.

Attackers exploited a vulnerability in the Apache Struts web application framework that the credit reporting agency used for one of its online dispute portals. The vulnerability was well-known, and a patch was available months before the breach occurred. However, the credit reporting agency failed to apply the necessary updates and patches in a timely manner.

Attackers were able to exploit the vulnerability and gain unauthorized access to the company’s systems. The data breach exposed highly sensitive information, including Social Security Numbers, birth dates, addresses, and, in some cases, driver’s license numbers and credit card numbers. 

The credit reporting agency faced widespread criticism for its handling of the data breach, including delays in disclosure, inadequate response measures, and the overall impact on consumers. The data breach led to multiple high-level resignations within the company, numerous lawsuits, and significant regulatory scrutiny.

The company also faced investigations by federal agencies, state attorneys general, and international regulators. It agreed to pay up to $700 million as part of a global settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and all U.S. state attorneys general. Additionally, the company’s reputation suffered significantly, impacting customer trust and leading to public scrutiny of its practices.

This data breach demonstrates the importance of timely software updates and patches, comprehensive vulnerability management, and robust cybersecurity strategies. It also highlights the far-reaching consequences of failing to protect sensitive data.

Is experiencing a data breach the same as being hacked?

Experiencing a data breach and being hacked are related concepts but not the same. The distinction lies in the nature of the incident and the methods involved. It is worth noting that while all hacking incidents that result in unauthorized data access can be considered data breaches, not all data breaches are the result of hacking. 

Being hacked

Experiencing a data breach

Hacking is gaining unauthorized access to computer systems, networks, or devices, often facilitated by exploiting vulnerabilities or bypassing security mechanisms using sophisticated techniques. Key characteristics of hacking include: -Active intrusion -Certain level of skill required -Result of a targeted attack with intent to gain unauthorized access

A data breach is a security incident in which confidential, sensitive, or protected data is accessed, disclosed, or taken without authorization. This can be the result of hacking or sensitive data compromised by accidental exposure, a malicious insider, lost devices, or physical theft of devices or content. Key characteristics of a data breach include: -Impact the privacy of individuals whose data is compromised -Loss of data control -Result of security failure where confidential, sensitive, or protected data is accessed or disclosed without authorization

How should organizations respond to a data breach?

Responses to a data breach typically fall into five core phases. 

1. Immediate response

• Detection and identification—recognizing that a security incident has occurred
• Containment—isolating affected systems, revoking access credentials, or temporarily shutting down certain services to prevent further unauthorized access or data loss
• Assessment—determining what data was compromised, the number of individuals affected, and the potential consequences of the breach

2. Investigation and remediation

• Eradication—removing malware or unauthorized tools used by attackers from the affected systems
• Recovery—recovering from the impact of the data breach, including restoring lost data from backup and reinstating secure system operations
• Remediation—fixing the vulnerabilities that led to the data breach, including patching software, changing security protocols, enhancing network security, or upgrading systems to close security gaps and strengthen the organization’s defenses against future attacks
• Forensic analysis—understanding how the breach occurred, which vulnerabilities were exploited, and whether the breach is fully contained

3. Legal and regulatory compliance

• Notification—adhering to various laws and regulations that require organizations to notify affected individuals, regulatory bodies, and sometimes the public about the data breach
• Regulatory action—depending on the jurisdiction and the severity of the breach, organizations may face inquiries, audits, and penalties from regulatory bodies

4. Reputation management and communication

• Stakeholder communication—mitigating damage to trust and confidence among customers, investors, and the public with effective communication and transparent handling of the data breach
• Public relations—engaging in public relations efforts to manage the fallout, including press releases, media briefings, and customer service support to address concerns and questions about the data breach

5. Long-term prevention and lessons learned

• Security enhancements—reviewing and improving security practices, including adopting new technologies, changing policies, and increasing security training
• Continuous improvement—reviewing security practices regularly to adapt to evolving threats
• Ongoing vigilance—monitoring systems on a continuous basis to proactively identify suspicious activity

What can organizations do to prevent data breaches?

Conduct risk assessments
Regularly perform risk assessments to identify vulnerabilities within the organization’s IT infrastructure and data handling processes that could enable a data breach. Risk assessments also help prioritize security efforts based on the areas of greatest vulnerability.

Deploy security software
Comprehensive security solutions are critical for preventing data breaches. Security solutions such as anti-virus and anti-malware software, firewalls and network segmentation, intrusion detection systems (IDS),  intrusion prevention systems (IPS), and data loss prevention (DLP) technology protect against data breaches.

Encrypt sensitive data
Encrypt sensitive data both in transit and at rest to make it unreadable to unauthorized users, even if data is intercepted during a breach.

Implement strong access controls
Data breaches can be prevented by using robust authentication methods, such as multi-factor authentication (MFA), to restrict access to sensitive systems and data only to authorized users. Employing role-based access controls (RBAC) can also be used to restrict access to information based on the user’s role within the organization, minimizing the potential impact of a compromised account. 

Secure physical access
Control physical access to facilities where sensitive data is stored to prevent data breaches. These controls include secure locks, access cards, and surveillance systems to prevent unauthorized physical access to data storage areas.

Monitor and audit network activity
Continuously monitor network activity for unusual or unauthorized behavior that could indicate a security breach. Regular audits of security practices and logs help detect potential security incidents before they result in data loss.

Third-party risk management
Assess and manage the security practices of third-party vendors and service providers who have access to your organization’s data. Implement stringent security clauses in contracts and conduct regular security assessments of third parties.