What is a Data Breach? According to the Cornell Institute of Law, the legal definition classifies a data breach as “unauthorized access […] to data containing sensitive personal information […] that results in the potential compromise of the confidentiality or integrity of the data…”.
If this definition sounds confusing, just know that whenever information is accessed from a system without the consent of that system’s owner, a data breach is said to have occurred.
In this article, we will be going over the concept of a data breach, including how they happen, their effects on both consumers and businesses, the laws in place to prevent them, and how you can protect yourself from the harmful effects of data breaches.
Brief History of Data Breaches
Although they are one of the most dangerous threats to personal security today, data breaches only recently became an issue, with some of the first publicly announced data breaches happening in 2005. These data breaches targeted Bank of America, CardSystems Solutions Inc., DSW Shoe Warehouse, and Citigroup Investment Banking.
Data security was already becoming a necessity for businesses before these attacks; however, these data breaches forced governments across the globe to become aware of this looming threat to cyber security.
Since then the number of data breaches per year has continued to rise, peaking at 1,632 during 2017. In addition, the number of compromised records has also risen since 2005, peaking at a total of 473 million exposed records in 2018.
How do Data Breaches Happen?
Understanding how a data breach can occur is the first step in protecting yourself or your business from becoming a victim. Below is a list of the most common ways a data breach can happen.
1. Malware
The word malware is derived from the term malicious software, as its main purpose is to disrupt, damage, or gain unauthorized access to information. Malware typically works by tricking users into downloading something containing the malware, which then begins to “infect” the computer by overwriting files and system commands.
Avoiding malware is simple in principle, yet challenging in practice. Malware needs you to actively download it onto your computer, so be wary of what you download. Do not download anything unless you can guarantee that it comes from a trusted source.
2. Weak or Stolen Passwords
The easiest way for hackers to gain access to personal information is via stolen credentials, so it's not surprising that one of the most common scenarios for data breaches is stolen passwords. Finding usernames and emails is simple for hackers, so once they get their hands on your passwords it’s game over.
The solution to this problem is another simple one: use a variety of passwords. Using the same password for everything may make it easier to remember, but it also means that if even one website leaks your password, your information is at risk on every other site using that same password.
It can also help to use more complex passwords; however, always make sure you will still be able to remember them.
3. Insider Threats
When someone working for your company purposely leaks information or credentials, that is considered an insider threat. This can be one of the hardest data breaches to stop, as most employees need access to sensitive information to do their job.
All it takes is one rogue employee to impulsively leak the information and the damage is done, so the best way to approach this issue is to monitor the behavior of your workers and colleagues. If anyone appears to be a threat, casually reminding them of the severe legal charges they would face can be a good deterrent.
4. Social Engineering
Similar to malware, social engineering is the act of tricking you into providing sensitive information to the hacker of your own volition. A common type of social engineering is phishing, where someone pretends to be a trustworthy individual in order to acquire personal information, credentials, or even money.
For example, someone may call you claiming to work at your bank, informing you of an issue with your credit card. They will then ask you to “confirm” your card, hoping to steal your credit card information for their own use.
Social engineering can happen with any account you have, so the best way to prevent this from happening to you is to be cautious about who you share your information with, especially over the phone or by email. If anyone ever calls you claiming to be from _____ company and asks for personal information or credentials, always hang up and call that company back using the phone number available on their website.
5. Compromised Hardware
Just as it sounds, compromised hardware is when a hacker gains access to physical hardware (phone, laptop, computer, etc.) and accesses personal information via that device. This could happen if a hacker breaks into a company and gains access to one of the work computers, but more realistically it could happen if your laptop or phone were stolen and the information on it was breached.
To prevent this from happening to you, keep track of your electronic devices and make sure you do not give anyone the opportunity to steal them from you.
6. Loose Permissions
Similar to insider threats, the general idea of loose permissions is that sensitive information gets leaked via an employee account. However, in this case it’s not a rogue employee doing the leaking, but a hacker who was able to gain access to the employee’s account. The cause is loose or inconsistent permissions associated with the account, allowing the account to be easily stolen or compromised.
To avoid this, businesses must routinely “clean up” their employee and guest accounts. This can be done by deleting inactive accounts, removing permissions after contracts are up, and requiring password changes every couple of months.
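The account clean-up described above is easiest to keep up with when it is scripted. The following is an added example written for this article, not code from the original page or from any particular directory product: it runs the three checks (inactive accounts, permissions outliving a contract, stale passwords) over a constructed, hypothetical directory export and turns the findings into a remediation plan. The record layout, the 90-day thresholds and the sample usernames are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Fixed "today" so the audit below is reproducible (assumption, not a live clock).
TODAY = date(2024, 6, 1)


@dataclass
class Account:
    """One row of a hypothetical directory export (constructed for this example)."""
    username: str
    permissions: List[str]
    password_set: date            # when the current password was last changed
    last_login: Optional[date] = None   # None = the account has never signed in
    contract_end: Optional[date] = None  # None = permanent employee, no end date


# Constructed sample data; none of these are real accounts.
SAMPLE_ACCOUNTS = [
    Account("alice", ["crm:read"], date(2024, 4, 15), last_login=date(2024, 5, 30)),
    Account("bob-contractor", ["hr:read", "payroll:read"], date(2024, 5, 1),
            last_login=date(2024, 5, 20), contract_end=date(2024, 3, 31)),
    Account("carol", ["admin"], date(2023, 11, 1), last_login=date(2024, 1, 10)),
    Account("guest-vendor", [], date(2024, 5, 25)),
]


def audit_accounts(accounts: List[Account], today: date = TODAY,
                   inactive_days: int = 90,
                   max_password_age_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [finding, ...]} for every account that needs attention.

    Findings, in the order they are checked:
      inactive          - never logged in, or no login within `inactive_days`
      contract-expired  - contract end date has passed but permissions remain
      password-stale    - password older than `max_password_age_days`
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = []
        if acct.last_login is None or (today - acct.last_login).days > inactive_days:
            reasons.append("inactive")
        if acct.contract_end is not None and acct.contract_end < today and acct.permissions:
            reasons.append("contract-expired")
        if (today - acct.password_set).days > max_password_age_days:
            reasons.append("password-stale")
        if reasons:
            findings[acct.username] = reasons
    return findings


# What an administrator should do about each finding (policy choice, an assumption).
REMEDIATION = {
    "inactive": "disable account",
    "contract-expired": "revoke all permissions",
    "password-stale": "force password reset",
}


def remediation_plan(findings: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each flagged account to the concrete actions to take."""
    return {user: [REMEDIATION[r] for r in reasons] for user, reasons in findings.items()}


if __name__ == "__main__":
    for user, actions in remediation_plan(audit_accounts(SAMPLE_ACCOUNTS)).items():
        print(f"{user}: {', '.join(actions)}")
```

Run against the sample export this flags the contractor whose access outlived the contract, the administrator account that has been dormant for months and still carries an old password, and the guest account that was created but never used; `alice` is left alone. Feeding the real export from your identity provider into `audit_accounts` in place of `SAMPLE_ACCOUNTS` is the only change needed to use it for a real review.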
7. Back Doors
This is when hackers manipulate vulnerable code on your website in order to gain access to the sensitive information associated with data breaches. Old websites are often the biggest targets of these attacks, as newer websites commonly follow better coding standards; however, any poorly coded website could be exploited by hackers regardless of its age.
Having well-written website code is the obvious way to counter this data breach strategy, so make sure you avoid cutting corners when building your website.
Effects of Data Breaches
The effects of a data breach depend on two different factors. The first is the type of data or database that was compromised, and the second is the target of the data breach.
Although most company databases contain some form of personal information, any data outside of that comes down to the specific type of database. For example, the data exposed from a data breach at Walmart will be much different than the data exposed from a data breach at a hospital.
In addition, data breaches affect consumers and businesses separately, meaning a data breach targeting a certain business may not affect consumers at all. The information obtained from data breaches is often limited in scope, so if a hacker wants information specifically about a business, your consumer data may be safe. Below is a list of the different types of information vulnerable in data breaches.
- Personal Data
- Financial Data
- Health Data
- Legal Data
For more information on these, please check out our informational guide on the various types of consumer data.
As mentioned above, the consequences of having a data breach target consumer data will vary depending on the data compromised by the data breach. At best, you may experience an uncomfortable invasion of privacy, but at worst you are in danger of identity theft, fraud, or stalking.
- Business Strategy — Anything related to the sale of your product, including market research, pricing models, and competitor information.
- Legal Data — Anything related to the legal side of your business, including employee contracts, partnership details, ongoing or past court cases, and regulations.
- Network Security Data — Anything related to the cyberinfrastructure of your business, including employee login credentials, firewall details, and encryption protocols.
- Trade Secrets — Anything related to the creation of your product, including mathematical formulas, potential patents, software blueprints, and overall product design.
Business data breaches can be carried out by competitors looking to steal marketing strategy or trade secrets for their own gain, although the repercussions would be astronomical if they were caught. Outside of that, understanding the legal issues a business may be facing can be beneficial to anyone looking to take legal action against that business, and hackers gaining access to network security information may be trying to sabotage the system from the inside.
Data Breach Laws and Regulations
With the severe consequences of data breaches, it should come as no surprise that there are laws and regulations in place encouraging businesses to protect their data as well as possible. Mainly, there are strict guidelines on who has access to the financial or health information of their consumers.
Businesses handling financial information must abide by the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS was created to increase consumer financial security by ensuring companies follow specific guidelines when handling or transmitting credit card information, bank account numbers, and contact information.
Businesses or institutions handling health information must abide by the Health Insurance Portability and Accountability Act Security Rule (HIPAA-SR). HIPAA mandates that sensitive patient health information cannot be disclosed without the patient's consent or knowledge, and the Security Rule applies this to electronically transmitted data as well. So if a hospital is hacked and medical data is released, this would violate the HIPAA-SR, thus forcing hospitals to maintain excellent cyber security.
But what if a data breach still happens despite these regulations? In that case, institutions must follow the Data Breach Prevention and Compensation Act signed in May 2019. This act aims to “provide robust compensation to consumers for stolen data, impose mandatory penalties on [Credit Reporting Agencies] for data breaches, and give the Federal Trade Commission (FTC) more direct supervisory authority over data security at [Credit Reporting Agencies]” (senate.gov). On top of that, all 50 states require corporations to notify individuals whenever a data breach occurs.
Protecting yourself from Data Breaches
For consumers, protecting yourself from data breaches may seem like a hopeless endeavor, as you have no influence over the cyber security of corporate databases. And while this is true, there are ways to reduce the harmful effects that a data breach can have on your wellbeing.
In general, the best way to prevent your data from being involved in a data breach is to limit the amount of data you provide to the internet. Ideally you would erase all traces of your personal, financial, health, and legal data from the internet; however, in today’s society that feat is nearly impossible. With that being said, there is one thing everyone can (and should) do to reduce their digital footprint, and that is to minimize the number of online accounts they hold.
Whenever you create an online account, you are asked to provide some combination of your name, age, email, phone number, and billing address in order to continue. This information is stored in a website’s database and can easily be compromised if a data breach targets that specific company.
Additionally, if you’ve bought items from this company online and saved your payment information with them, hackers would have access to all of your personal data along with your credit card information. This dangerous combination could easily result in identity theft or fraud, both of which are extremely detrimental to your financial wellbeing.
So what’s the solution? Delete unused online accounts and try to avoid saving your payment information on ecommerce websites.
Going to your email inbox and spam folder and taking note of all the websites that send you emails is the easiest way to trim your number of online accounts. There may be a lot of them, but if a website actively sends you promotional emails, then there is a good chance you have made an account with them.
Deleting your account will vary from site to site; however, most of them will have you sign in, go to account settings, and hit a button or prompt saying “delete account”.
Another way to protect yourself from data breaches is to set up notifications for your bank accounts. With notifications enabled, any time you make a purchase greater than a certain amount of money (e.g., $100) you will be informed of it via email. This won’t prevent your data from being exposed in a data breach, but it will help you counter any identity theft or fraud that may happen as a result of one.
How to see if your data was compromised
If you want to be notified when a data breach happens, you have a couple of options.
The first option is to subscribe to as many data security newsletters as you can, in the hope that they post timely updates regarding data breaches. There are a few issues with this option, as newsletters are not great for receiving specific information immediately. Even if they do provide an update on a data breach, it may be days or weeks after the fact, by which time your data could already be compromised. You also won’t know immediately whether your data was in that specific data breach, which may require more work on your side.
The other option is to find a privacy service that tracks data breaches and provides instant email notifications when they occur. An example of this is DataSeal, as our service automatically enrolls you in our data breach alert system. We provide up-to-date email notifications regarding any data breaches that may contain your personal information, including a running timeline of every known data breach so you can always be sure your data is safe.