A data breach is a cybersecurity incident that results in an unauthorized party’s exposure or exfiltration of or damage to sensitive, confidential, private, or protected data. The term data breach is often incorrectly used interchangeably with the term cyberattack.
The most notable difference between a data breach and a cyberattack is that a data breach is a specific type of security incident resulting in compromised sensitive information. Importantly, a data breach, usually referring to digital information, encompasses data on physical media, such as paper documents, flash drives, laptops, mobile devices, and external hard drives. A cyberattack can result in a data breach, but also includes other malicious activities, such as a distributed denial of service (DDoS) attack.
Organizations of all types and sizes are at risk of a data breach—from small businesses to major corporations, hospitals to schools, and governments to individuals. Information commonly targeted with a data breach includes:
- Financial information (e.g., bank account information, credit card numbers)
- Personal health information (PHI) (e.g., medical histories, lab test results)
- Personally identifiable information (PII) (e.g., social security numbers, driver’s license numbers)
- Trade secrets (e.g., source code, formulas)
- Other confidential information (e.g., customer information, legal documents).
With a data breach, information can be copied or transmitted without damaging the source. A breach can also result in the loss of access to data due to theft or ransomware. In some cases, data can simply be destroyed in an act of vengeance or an attempt to cause catastrophic disruption.
The cost of a data breach
A data breach can result in hard and soft costs. That is, a data breach can have monetary or more ephemeral costs, such as reputational damage or lost opportunities.
In most cases, both types of damage occur. For instance, ransomware attacks, which are common data breaches, can result in organizations paying costly ransoms to regain access to their data, as well as seeing their brand tarnished when the word gets out about the data breach.
There are many other costs related to a data breach, including:
- Disruptions to operations that impact production and supply chains
- Identifying, containing, assessing, and remediating the breach along with the requisite audits, notifications, and changes to processes and technology to prevent future incidents
- Losing customers due to concerns about the organization’s ability to protect sensitive information
Additional business expenses related to a data breach include:
- Attorney fees
- Compliance violation fines
- Customer notifications
- Drop in stock price for public companies
- Insurance premium increases
- Loss of intellectual property
- Public relations costs
Ultimately, the costs of a data breach depend on the size and type of organization and the cause of the breach.
Why data breaches occur
Motivations for a data breach include:
- Financial—steal money or valuable assets to sell
- Geo-political—cause damage or disruption to a target politician or government
- Personal—exact vengeance in response to a real or perceived negative action
- Notoriety—display technical prowess (e.g., hack a high-profile system)
In the case of cybercriminals, the primary motivation is financial gain. For example, they often sell or trade sensitive information stolen through a data breach on the dark web. This information can also be used to:
- Apply for government benefits.
- File fake tax returns to obtain refunds.
- Generate falsified documents (e.g., driver’s licenses, passports).
- Open and use new credit cards.
- Withdraw money from banking or investment accounts.
How data breaches occur
There are several ways that a data breach can occur. Examples of commonly used vectors follow.
Targeted data breach attacks focus on specific individuals or organizations to obtain sensitive information. Tactics include:
- Accidental data leak or exposure
- Card skimmer and point-of-sale intrusion
- Distributed denial-of-service (DDoS) attacks
- Human error
- Lost or stolen devices
- Malicious insiders
- Password guessing
- Physical security breach
- Recording keystrokes
- Social engineering
- Spear phishing
- SQL (structured query language) injection
- Stolen or compromised credentials
- Vulnerability exploits
Whatever the vector, cybercriminals typically follow a similar attack pattern to execute a data breach successfully. Key steps of a data breach plan include.
- Observe potential targets.
Cybercriminals begin their attack process by finding targets and then identifying technical vulnerabilities, such as weak security systems, open ports, or accessible protocols. In other cases, they plan social engineering campaigns that can target large groups (i.e., phishing) or individuals (i.e., spear phishing) who have privileged access to systems.
- Execute a security breach.
The attacker successfully completes a security breach and gains access to systems and networks.
- Secure access.
If the targeted system does not provide the desired access, cybercriminals utilize lateral movement across networks and privilege escalation to access and compromise other systems and user accounts.
- Complete the data breach.
Once the desired sensitive data has been identified, the attackers exfiltrate it for their nefarious purposes, such as selling it on the black market or dark web or holding it for ransom.
Examples of data breaches
There are many paths to a data breach. Following are several examples of successful data breaches.
In an attack targeting a retailer, cybercriminals gained access to sensitive data through cash registers. Weak encryption was used to secure the network. The attackers were able to decrypt the wireless network, then move from stores’ cash registers to back-end systems. As a result of this data breach, more than a quarter million customer records were compromised.
In another incident, several billion individuals had their names, birthdates, email addresses, and passwords exposed. In this case, cybercriminals exploited a vulnerability in a cookie system the organization used.
An organization’s network monitoring system was used as an attack vector in another example. The attackers were able to use it to distribute malware to its customers covertly, then infiltrate customers’ systems to gain access to sensitive information.
Another organization was compromised by an employee’s password purchased by cybercriminals on the dark web. This single password was used to breach the network and launch a ransomware attack that cost the organization millions of dollars.
A problem with the hashing process that an organization used to encrypt its users’ passwords forced a massive effort to have hundreds of millions of users change their passwords to remediate the vulnerability.
An insecure direct object reference (IDOR) exposed nearly a billion sensitive documents. This website design error was supposed to make a link available to a specific individual, but the link became publicly available, exposing the documents.
Data breach prevention
Effective data breach prevention programs are built using a multi-layered defense comprised of technology and processes. Following are several of the many components of a data breach protection defensive strategy.
Education and training
The leading cause of data breaches is an attack that starts with a human vector. Because of humans’ inherent weaknesses, they are widely considered to be the weakest link in any data breach prevention strategy.
To combat this, security training is imperative. Employees require training to recognize and avoid attacks (e.g., phishing) as well as learn to handle sensitive data to prevent accidental data breaches and leaks.
Endpoint threat detection and response
Endpoint detection and response (EDR), also known as endpoint threat detection and response (ETDR), provides an integrated solution for endpoint security. EDR helps prevent a data breach by combining real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities to identify and neutralize cyberattacks.
Identity and access management (IAM)
Identity and access management (IAM) solutions offer a strong defense against a data breach. Features of IAM solutions include strong password policies, password managers, two-factor authentication (2FA) or multi-factor authentication (MFA), single sign-on (SSO), and role-based access. These technologies and processes help organizations prevent data breach attempts that use stolen or compromised credentials.
Incident response plans
Preparation is one of the best defenses against a data breach. An incident response plan provides detailed instructions on how to handle a breach—before, during, and after a confirmed or suspected incident.
An incident response plan includes explanations of the roles and responsibilities along with step-by-step processes for each phase.
An incident response plan has been proven to be an effective tool in data breach defense plans. It can expedite the time to resolution and recovery as well as reduce the cost of a data breach.
Multi-factor authentication (MFA)
Using multi-factor authentication (MFA) helps overcome the inherent weakness of users and passwords. With MFA, the user must go through a multi-step account login process rather than simply entering their username and password.
MFA requires the user to complete additional steps to verify their identity. For instance, a user may be asked to enter a code sent via email or text message, answer a secret question, or perform a biometric scan (e.g., fingerprint, facial, retinal).
Penetration testing, also referred to as pen testing or ethical hacking, helps prevent a data breach by simulating cyberattacks to test systems and identify any exploitable vulnerabilities. Penetration testers use the same tools, techniques, and processes as cybercriminals to simulate real-world attacks that could result in a breach.
Software updates and security patches
Software and operating systems (OS) updates and patches should always be installed when they are made available. These updates frequently include patches to fix vulnerabilities that could lead to a data breach.
Using strong passwords eliminates a common cyberattack vector. Knowing that people often use weak passwords, cybercriminals frequently launch attacks (e.g., password spraying) that exploit them. Strong passwords, combined with policies that require users to frequently change their passwords and use different passwords for services and applications, support an effective defense against data breach attempts.
Zero trust security approach
A zero trust security approach assumes that no user or system should be trusted, even if they are inside a network. Key components of a zero trust security approach include:
- Continuous authentication, authorization, and validation of any user or system that attempts to access a network or a network resource
- Least privileged access, which allows only the minimum access needed for a task or role
- Comprehensive monitoring of all network activity
Data breach mitigation
A swift and comprehensive response is critical when a data breach is identified. Here are five key steps to follow:
- Minimize the impact of the breach.
Stop the spread by isolating impacted systems or networks and locking any compromised accounts, including those that were used to access data. This stops additional information from being exposed and hinders lateral movement across networks.
- Perform an assessment.
Identify the cause of the attack to determine if there are additional risks associated with the initial intrusion, such as compromised user or system accounts or dormant malware lying in wait.
- Restore systems and patch vulnerabilities.
Use clean backups and, in some cases, new systems to rebuild and restore affected systems. At this time, any available security updates should be made to remediate the vulnerability that led to the data breach.
- Notify affected parties.
Once the scale and scope of the breach have been determined, notifications must be made to affected parties. Depending on the type of organization and the information that was compromised, this could range from notifying executives and employees to notifying all customers and issuing a public statement.
- Document lessons learned.
To help prevent a future data breach, it is important to document information and knowledge gained from the breach. This information should be used to update existing systems and practices as well as safeguarded for future reference.
Preparation limits data breach risks
Data breaches are widely considered to be one of the most common and expensive types of cybersecurity incidents. Impacting organizations of all sizes without geographic boundaries, data breaches can cause widespread damage that result in financial and physical harm.
The best defense against a data breach is preparation. This includes having strong technical and process-based defenses in place to ensure early detection and response.
Organizations with strong data breach defense systems and response plans have repeatedly been shown to recover faster with more limited damage.
In addition to implementing the right tools and procedures, it is important to test all systems. This proactive approach identifies vulnerabilities before a data breach occurs. Taking steps to identify and remediate vulnerabilities along with developing and practicing response plans go a long way to protecting sensitive information from a data breach.
You might also be interested in:
Take control of your cloud platform.
Learn more about SailPoint Identity Security.