Your IP: Unknown · Your Status: Unprotected Protected


Blog In Depth

What is a data breach and how do they happen?

Apr 14, 2020 · 6 min read

What is a data breach and how do they happen?

So you’ve just heard from a company that your account has been breached. Panic ensues; have you used the same password for other accounts? Has your money or other invaluable information been stolen? Has it affected your business or employees? The situation is dire. Here’s what a data breach is and how you can avoid them.

What is a data breach?

Also known as a data leak, data spill, or information disclosure, a data breach is when your private information is intentionally or unintentionally leaked by a company you trusted it with.

Cybercriminals want to steal names, email addresses, usernames, passwords, and credit card numbers. Whether it’s to steal your identity or to sell on the dark web.

Data breaches: A record breaking year

Capital One, Dubsmash, Houzz, Clearview AI. These are just some of the corporate giants who in the last year, faced some of the biggest breaches the world had ever seen. Nearly 800 million unique email addresses and 21 million passwords were sold on the web by hackers in 2019.

Here’s a quick snapshot of those breaches by industry sector:

  • Business: 644 incidents (43.7%)
  • Health care/medical: 525 (35.6%)
  • Banking/credit/financial: 108 (7.3%)
  • Education: 113 (7.7%)
  • Government/military: 83 (5.6%)

When you look at the figures year on year, the rate of data breaches across sectors almost never sees a dramatic drop. Data shows that banking breaches only lessened by 4% from 2018 to 2019, and the business sector only managed to lower their rate of breaches by 10% over the course of two years. (2017-2019).

With cybercriminals constantly devising ways to exploit company infrastructures, it’s best for us to begin taking security into our own hands. But before we give you our advice, here’s what we should all be looking out for:

6 major causes of data breaches

Malware

Malware or malicious code can infect a website or network and leak valuable customer data. A silent threat, malware can be downloaded by accident from an email attachment or corrupted software. Once it’s in, it spreads like a virus and sends all your personal data back to the command and control servers run by the cybercriminals.

Phishing

Since phishing attacks largely rely on human error, they are shockingly simple to execute but come with catastrophic effects. Usually, an ‘urgent’ email is sent mimicking a legitimate sender like PayPal or Microsoft for example. Once the email is opened or the attachments are clicked on, a swarm of malicious malware infects your device or network and steals everything in sight.

Human error

Human error or unintentional actions contribute massively to data breaches. With a barrage of tools, and passwords supporting our complex work environments, employees and end-users can easily make security mistakes. Some fail to recognize fraudulent emails, some use crackable passwords for major company networks, and others unwittingly compromise sensitive information on social media, or on devices left unlocked at work.

In fact, of all breaches reported in 2019, CybSafe (a cybersecurity awareness company) found that 90% were caused by the haphazard mistakes of end-users.

Weak passwords

Weak passwords are more common than you think. In a brute force attack, for example, a hacker can churn out millions of user/password combinations per second. They’re then tried against the system in rapid speed until one sticks – open sesame!

Obviously, the best passwords are long, complex and nonsensical. Here’s how to make a strong password.

An inside job

Late last year Amex informed millions of customers that their account information may have been “wrongfully accessed” by an “employee attempting to commit fraud.” Morrisons, the UK supermarket giant also played host to a disgruntled employee who leaked the payroll information of 100,000 staff members. The reason? Revenge against a previous disciplinary.

Less malicious cases, but equally as damaging could be employees innocently downloading sensitive data onto their device, medical records misconfigured by staff and system warnings being ignored by employees who don’t know any better.

Technical faults

Speaking of security maintenance, investing in solid security can only safeguard you against any of the aforementioned vulnerabilities. Most companies stay vigilant by taking a reactive approach to potholes and patching flaws as they go. Infamous technology breaches like the one Adobe experienced left 150M email addresses and passwords exposed.

Data breaches: how to avoid them

Even the world’s largest organizations can fall victim to a breach, but there are plenty of steps we can all take to protect ourselves.

Here's a simple checklist

  • Shred documents
  • Get into the habit of destroying letters, bills, documents or anything with pieces of your identity on it. Criminals only need your SSI number, date of birth, and name and address to open credit card accounts and take out loans.

  • Use secure websites
  • The tell-tale sign is in the web address bar. A secure website should read as https://www.website.com rather than http://www.website.com, the ‘S’ stands for secure.

  • Create strong passwords
  • The most secure passwords use uppercase and lowercase letters, non-sequential numbers, special characters and symbols and use non-dictionary words. Always use a good password manager so you don’t forget your new nonsensical passwords.

  • Use different passwords on every different account
  • If a hacker gets hold of the credentials for one of your accounts, they can break into all of your other accounts. A good rule of thumb is to always keep your email password completely different, because attackers can login to your inbox to authenticate themselves and request password changes.

  • Update your computer and mobile devices
  • Make sure you’re always running the latest versions of operating systems and applications. Updates aren’t always about shiny new features, they contain vital security fixes designed to protect you from hackers.

  • Don’t ignore your statements
  • Frequently monitor your transactions online to identify any strange transactions. Sometimes hackers will use your details to buy items for $1 or less to begin with, that way your account won’t get flagged for security checks when they do make the big purchase.

  • Regularly check your credit reports
  • Your credit report will show if any accounts or loans have been opened in your name. Identity thieves can piece together your identity in minutes. An innocent Instagram photo with your door number and street in the background, unshredded mail from the trash, access to your email or social media accounts – the clues are everywhere for a hacker determined enough to find them.

I've been breached. What should I do?

Don’t panic, there are some simple steps you can take to get everything back on track:

Step 1: Confirm the breach

Please try not to click on emails from companies telling you that a breach has occurred. Quite often they’re phishing emails – written by scammers in order to steal your personal information. Instead, call the company directly or wait for them to post it on their website.

Step 2: Determine the type of breach you've had

If your sensitive information has been exposed there are some quick fixes to regain control – depending on what information it was.

If your social security number was breached

Report it immediately to the IRS. Social security numbers are harder to replace than credit card information or bank details. Your social security number can be used to assume your identity, file fake tax returns, rent or buy properties and commit any number of crimes, all in your name.

If your password was exposed

If you’re worried about your password or email address being tampered with, you can see if it was exposed here. Change and strengthen your password and security questions immediately. Choose something over 7 characters, make it nonsensical and use a password manager so you don’t forget it.

If a company that you have an account with has been breached

Immediately change your username and password and double check you haven’t used the same credentials elsewhere. Keep a separate email address to sign into important accounts for your banking, healthcare, social records or university for example. If you use the same credentials for every single account, one breach could give a hacker access to every single account you own.

Step 3: Accept their offers to help

If your social security number or other personally identifiable information is exposed, monitor your account for the next year at least. When it comes to banking fraud, sometimes a hacker will take miniscule amounts from a batch of accounts to go unnoticed. Reputable companies will offer victims free credit monitoring or identity theft protection services, so please take advantage of this.

Are you worried that your sensitive information isn’t secure enough? Try using a VPN to shield your accounts from hackers.


Zen Bahar
Zen Bahar successVerified author

Zen likes to use her cybersecurity knowledge to help protect the privacy and freedom of others, otherwise, you can find her playing with paints in her studio in London.


Subscribe to NordVPN blog