Data breach
A data breach, also known as data leakage, is "the unauthorized exposure, disclosure, or loss of personal information".
Attackers have a variety of motives, from financial gain to political activism, political repression, and espionage. There are several technical root causes of data breaches, including accidental or intentional disclosure of information by insiders, loss or theft of unencrypted devices, hacking into a system by exploiting software vulnerabilities, and social engineering attacks such as phishing where insiders are tricked into disclosing information. Although prevention efforts by the company holding the data can reduce the risk of data breach, it cannot bring it to zero.
A large number of data breaches are never detected. If a breach is made known to the company holding the data, post-breach efforts commonly include containing the breach, investigating its scope and cause, and notifications to people whose records were compromised, as required by law in many jurisdictions. Law enforcement agencies may investigate breaches, although the hackers responsible are rarely caught.
Many criminals sell data obtained in breaches on the dark web. Thus, people whose personal data was compromised are at elevated risk of identity theft for years afterwards and a significant number will become victims of this crime. Data breach notification laws in many jurisdictions, including all states of the United States and European Union member states, require the notification of people whose data has been breached. Lawsuits against the company that was breached are common, although few victims receive money from them. There is little empirical evidence of economic harm to firms from breaches except the direct cost, although there is some evidence suggesting a temporary, short-term decline in stock price.
Definition
Like almost all terms in cyber security, the definition of 'data breach' is context dependent.
- According to the National Institute of Standards and Technology, a data breach is "An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or that constitutes a violation or imminent threat of violating security policies, security procedures, or acceptable use policies."
- The UK National Cyber Security Centre defines a data breach as occurring "when information held by an organisation is stolen or accessed without authorisation".
- Others define a data breach as a violation of "organizational, regulatory, legislative or contractual" law or policy that causes "the unauthorized exposure, disclosure, or loss of personal information". Some researchers include other types of information, for example intellectual property or classified information.
Prevalence
Threat actors
According to a 2020 estimate, 55 percent of data breaches were caused by organized crime, 10 percent by system administrators, 10 percent by end users such as customers or employees, and 10 percent by states or state-affiliated actors. Opportunistic criminals may cause data breaches—often using malware or social engineering attacks—but they will typically move on if the security is above average. More organized criminals have more resources and are more focused in their targeting of particular data. Both of them sell the information they obtain for financial gain. Another source of data breaches are politically motivated hackers, for example Anonymous, that target particular objectives. State-sponsored hackers target either citizens of their country or foreign entities, for such purposes as political repression and espionage. Often they use undisclosed zero-day vulnerabilities for which the hackers are paid large sums of money. The Pegasus spyware—a no-click malware developed by the Israeli company NSO Group that can be installed on most cellphones and spies on the users' activity—has drawn attention both for use against criminals such as drug kingpin El Chapo as well as political dissidents, facilitating the murder of Jamal Khashoggi.
Causes
Technical causes
Despite developers' goal of delivering a product that works entirely as intended, virtually all software and hardware contains bugs. If a bug creates a security risk, it is called a vulnerability. Patches are often released to fix identified vulnerabilities, but those that remain unknown, as well as those that have not been patched, are still liable to exploitation. Both software written by the target of the breach and third-party software used by them are vulnerable to attack. The software vendor is rarely legally liable for the cost of breaches, thus creating an incentive to make cheaper but less secure software.
Vulnerabilities vary in their ability to be exploited by malicious actors. The most valuable allow the attacker to inject and run their own code without the user being aware of it. Some malware is downloaded by users via clicking on a malicious link, but it is also possible for malicious web applications to download malware just from visiting the website. Keyloggers, a type of malware that records a user's keystrokes, are often used in data breaches. Hashing stored passwords also protects them against brute-force attacks, but only if the algorithm is sufficiently secure.
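The qualification "only if the algorithm is sufficiently secure" is the point of the following added example, which is not part of the original article. It contrasts an unsalted single SHA-256 (cheap enough that a leaked digest is recovered from a small constructed wordlist) with a salted, iterated PBKDF2-HMAC-SHA256 record, using only Python's standard library; the wordlist and password values are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample wordlist standing in for the guesses tried offline against a leaked table.
CANDIDATES = ["123456", "password", "letmein", "hunter2", "qwerty"]

def fast_hash(password: str) -> str:
    # Unsalted single SHA-256: one guess costs one hash, so a leaked digest is cheap to attack.
    return hashlib.sha256(password.encode()).hexdigest()

def guess_fast_hash(digest: str, candidates) -> Optional[str]:
    # Offline guessing against an unsalted digest: every candidate costs one cheap hash.
    for cand in candidates:
        if hmac.compare_digest(fast_hash(cand), digest):
            return cand
    return None

def pbkdf2_store(password: str, iterations: int = 600_000) -> dict:
    # Salted, iterated PBKDF2-HMAC-SHA256: each guess now costs `iterations` HMAC calls,
    # and the per-user random salt means identical passwords do not share a digest.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}

def pbkdf2_verify(record: dict, password: str) -> bool:
    # Recompute with the stored salt and iteration count; compare in constant time.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])

def guesses_per_second(check, n: int = 20) -> float:
    # Rough throughput of a single guess function; the ratio is what matters.
    start = time.perf_counter()
    for i in range(n):
        check(f"guess{i}")
    return n / (time.perf_counter() - start)

if __name__ == "__main__":
    leaked = fast_hash("hunter2")
    print("recovered from unsalted SHA-256:", guess_fast_hash(leaked, CANDIDATES))
    rec = pbkdf2_store("hunter2")
    print("PBKDF2 verify correct/wrong:", pbkdf2_verify(rec, "hunter2"), pbkdf2_verify(rec, "letmein"))
    print("guesses/s SHA-256: %.0f" % guesses_per_second(fast_hash))
    print("guesses/s PBKDF2: %.1f" % guesses_per_second(lambda p: pbkdf2_verify(rec, p), n=3))
```

The throughput figures vary by machine, but the gap of several orders of magnitude between the two schemes is what makes a leaked PBKDF2 (or bcrypt/scrypt/Argon2) table far less useful to whoever obtains it.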
Many data breaches occur on the hardware operated by a partner of the organization targeted—including the 2013 Target data breach and 2014 JPMorgan Chase data breach. Outsourcing work to a third party leads to a risk of data breach if that company has lower security standards; in particular, small companies often lack the resources to take as many security precautions. As a result, outsourcing agreements often include security guarantees and provisions for what happens in the event of a data breach.
Human causes
Human causes of breach are often based on trust of another actor that turns out to be malicious. Social engineering attacks rely on tricking an insider into doing something that compromises the system's security, such as revealing a password or clicking a link to download malware. Data breaches may also be deliberately caused by insiders. One type of social engineering, phishing, obtains a user's credentials by sending them a malicious message impersonating a legitimate entity, such as a bank, and getting the user to enter their credentials onto a malicious website controlled by the cybercriminal. Two-factor authentication can prevent the malicious actor from using the credentials. Training employees to recognize social engineering is another common strategy.
Another source of breaches is accidental disclosure of information, for example publishing information that should be kept private. With the increase in remote work and bring-your-own-device policies, large amounts of corporate data are stored on employees' personal devices. Via carelessness or disregard of company security policies, these devices can be lost or stolen. Technical solutions can prevent many causes of human error, such as encrypting all sensitive data, preventing employees from using insecure passwords, installing antivirus software to prevent malware, and implementing a robust patching system to ensure that all devices are kept up to date.
Breach lifecycle
Prevention
Although attention to security can reduce the risk of data breach, it cannot bring it to zero. Security is not the only priority of organizations, and an attempt to achieve perfect security would make the technology unusable. Many companies hire a chief information security officer to oversee the company's information security strategy. To obtain information about potential threats, security professionals network with each other and share information with other organizations facing similar threats. Defense measures can include an updated incident response strategy, contracts with digital forensics firms that could investigate a breach, cyber insurance, and monitoring the dark web for stolen credentials of employees. In 2024, the United States' National Institute of Standards and Technology issued a special publication, "Data Confidentiality: Identifying and Protecting Assets Against Data Breaches". The NIST Cybersecurity Framework also contains information about data protection. Other organizations have released different standards for data protection.
The architecture of a company's systems plays a key role in deterring attackers. Daswani and Elbayadi recommend having only one means of authentication, avoiding redundant systems, and making the most secure setting the default. Defense in depth and distributed privilege also can make a system more difficult to hack. Giving employees and software the least amount of access necessary to fulfill their functions limits the likelihood and damage of breaches. Several data breaches were enabled by reliance on security by obscurity; the victims had put access credentials in publicly accessible files. Nevertheless, prioritizing ease of use is also important because otherwise users might circumvent the security systems.
Rigorous software testing, including penetration testing, can reduce software vulnerabilities, and must be performed prior to each release even if the company is using a continuous integration/continuous deployment model where new versions are constantly being rolled out.
The principle of least persistence—avoiding the collection of data that is not necessary and destruction of data that is no longer necessary—can mitigate the harm from breaches. The challenge is that destroying data can be more complex with modern database systems.