What is a data breach, and how do they happen?
So you’ve just heard from a company that your account has been breached. Panic ensues: have you used the same password for other accounts? Has your money or other invaluable information been stolen? Has it affected your business or employees? The situation is dire. Here’s what a data breach is and how you can avoid one.
What is a data breach?
A data breach is a security incident that occurs when a company leaks personal user information. This data may include names, usernames, email addresses, passwords, and financial information that can be used for personal gain.
It is also known as a data leak, data spill, data theft, or information disclosure.
Cybercriminals want to steal data like names, email addresses, usernames, passwords, credit card numbers, and other financial information for personal gain, whether it’s to steal your identity or to sell on the dark web.
Some of the largest recent breaches
Capital One, Dubsmash, Houzz, Clearview AI. These are just some of the corporate giants who have recently faced some of the biggest breaches the world has ever seen. Nearly 800 million unique email addresses, 21 million passwords, and mountains of other stolen data were sold on the web by hackers in 2019.
Here’s a quick snapshot of those breaches by industry sector:
- Business: 644 incidents (43.7%)
- Health care/medical: 525 (35.6%)
- Banking/credit/financial: 108 (7.3%)
- Education: 113 (7.7%)
- Government/military: 83 (5.6%)
When you look at the figures year on year, the rate of data breaches across sectors almost never sees a dramatic drop. Data shows that banking breaches only lessened by 4% from 2018 to 2019, and the business sector only managed to lower its rate of breaches by 10% over the course of two years (2017-2019).
With cybercriminals constantly devising ways to exploit company infrastructures, it’s best for us to begin taking security into our own hands.
How do data breaches happen?
Malware
Malware, or malicious code, is used as a data exfiltration technique: it can infect a website or network and leak valuable customer data. A silent threat, malware can be downloaded by accident from an email attachment or corrupted software. Once it’s in, it spreads like a virus and sends all your personal data back to the command and control servers run by the cybercriminals.
Phishing
Since phishing attacks largely rely on human error, they are shockingly simple to execute but come with catastrophic effects. Usually, an ‘urgent’ email is sent mimicking a legitimate sender such as PayPal or Microsoft. Once the phishing email is opened or the attachments are clicked on, a swarm of malware infects your device or network and steals everything in sight.
Human error
Human error or unintentional actions contribute massively to data breaches. With a barrage of tools and passwords supporting our complex work environments, employees and end-users can easily make security mistakes. Some fail to recognize fraudulent emails. Some use crackable passwords for major company networks. Some fail to recognize split tunneling security risks when using work devices to take care of personal business, or compromise sensitive information by carelessly posting on social media.
In fact, of all breaches reported in 2019, CybSafe (a cybersecurity awareness company) found that 90% were caused by the haphazard mistakes of end-users.
Weak passwords
Weak passwords are more common than you think. In a brute force attack, for example, a hacker can churn out millions of user/password combinations per second. They’re then tried against the system at rapid speed until one sticks – open sesame!
Obviously, the best passwords are long, complex and nonsensical. Here’s how to make a strong password.
An inside job
Late last year Amex informed millions of customers that their account information may have been “wrongfully accessed” by an “employee attempting to commit fraud.” Morrisons, the UK supermarket giant, also played host to a disgruntled employee who leaked the payroll information of 100,000 staff members. The reason? Revenge against a previous disciplinary.
Less malicious but equally damaging cases could be employees innocently downloading sensitive data onto their devices, medical records misconfigured by staff, and system warnings being ignored by employees who don’t know any better.
Technical faults
Speaking of security maintenance, investing in solid security can only safeguard you against any of the aforementioned vulnerabilities. Most companies stay vigilant by taking a reactive approach to potholes and patching flaws as they go. Infamous technology breaches like the one Adobe experienced left 150M email addresses and passwords exposed.
PRO TIP: If you hear that a company you gave your data to has been breached — an online store or a social media platform, for example — change your passwords and update your security measures. Don’t wait for them to contact you directly.
How to avoid data breaches
Even the world’s largest organizations can fall victim to a breach, but there are plenty of steps we can all take to protect ourselves.
Here’s a simple checklist:
Shred documents
Get into the habit of destroying letters, bills, documents or anything with pieces of your identity on it. Criminals only need your Social Security number, date of birth, and name and address to open credit card accounts and take out loans.
Use secure websites
The tell-tale sign is in the web address bar. A secure website should read as https://www.website.com rather than http://www.website.com; the ‘S’ stands for secure.
Create strong passwords
The most secure passwords use uppercase and lowercase letters, non-sequential numbers, special characters and symbols and use non-dictionary words. Always use a good password manager so you don’t forget your new nonsensical passwords.
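The password rules above and the brute-force rate mentioned earlier, as an added Python example that is not part of the original article: it checks a password against each rule and estimates the worst-case time to exhaust its keyspace. The wordlist, the sample passwords, the three-digit run length and the one-million-guesses-per-second rate are assumptions; the "over 7 characters" minimum is the figure the article gives further down.

```python
import string

# Constructed sample wordlist; a real check would use a full dictionary.
COMMON_WORDS = {"password", "welcome", "dragon", "sunshine", "qwerty", "letmein"}
GUESSES_PER_SECOND = 1_000_000  # assumption: low end of "millions per second"


def has_sequential_digits(pw, run=3):
    """True if pw contains `run` consecutive ascending/descending digits (123, 987)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if all(c in string.digits for c in chunk):
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False


def audit_password(pw):
    """Return the rules from the article that pw fails (empty list = passes)."""
    problems = []
    if len(pw) <= 7:
        problems.append("7 characters or fewer")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs uppercase and lowercase letters")
    if not any(c in string.digits for c in pw):
        problems.append("no numbers")
    elif has_sequential_digits(pw):
        problems.append("sequential numbers")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    # Strip digits and symbols so "Password1!" still matches "password".
    letters = "".join(c for c in pw.lower() if c.isalpha())
    if any(word in letters for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    return problems


def brute_force_seconds(pw, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every string of pw's length over the classes it uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return alphabet ** len(pw) / rate


if __name__ == "__main__":
    for sample in ["abc123", "Password1!", "tR7#qv9$Lm2x"]:  # constructed samples
        print(sample, audit_password(sample), f"{brute_force_seconds(sample):.3g}s")
```

The keyspace estimate is an upper bound for blind guessing only; a password that passes the character rules but appears in a wordlist falls far sooner, which is why the dictionary check is reported separately.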
Use different passwords on every different account
If a hacker gets hold of the credentials for one of your accounts and you reuse them elsewhere, they can break into all of your other accounts. A good rule of thumb is to always keep your email password completely different, because attackers can log in to your inbox to authenticate themselves and request password changes.
Update your computer and mobile devices
Make sure you’re always running the latest versions of operating systems and applications. Updates aren’t always about shiny new features; they contain vital security fixes designed to protect you from hackers.
Avoid public USB charging stations
Did you know that a regular public USB charging port can carry malware? Now you do. Using public USB ports to spread malware and steal data is called juice jacking. To avoid it, steer clear of the public USB ports you see at airports, or get a USB data blocker designed to link your device to the port and protect it from any malicious code.
Don’t ignore your statements
Frequently monitor your transactions online to identify any strange activity. Sometimes hackers will use your details to buy items for $1 or less to begin with, so that your account won’t get flagged for security checks when they do make the big purchase.
Regularly check your credit reports
Your credit report will show if any accounts or loans have been opened in your name. Identity thieves can piece together your identity in minutes. An innocent Instagram photo with your door number and street in the background, unshredded mail from the trash, access to your email or social media accounts – the clues are everywhere for a hacker determined enough to find them.
Avoid data hoarding
The more data you have, the more data you can lose. Avoid accumulating large amounts of digital assets, regularly audit your data, and ensure it’s stored securely. If you want to avoid data leaks, data hoarding is not a practice to follow.
What should I do if I’ve been breached?
Don’t panic, there are some simple steps you can take to get everything back on track:
Step 1: Confirm the breach
Please try not to click on emails from companies telling you that a breach has occurred. Quite often they’re phishing emails – written by scammers in order to steal your personal information. Instead, call the company directly or wait for them to post it on their website.
Step 2: Determine the type of breach you’ve had
If your sensitive information has been exposed there are some quick fixes to regain control – depending on what information it was.
If your social security number was breached
Report it immediately to the IRS. Social security numbers are harder to replace than credit card information or bank details. Your social security number can be used to assume your identity, file fake tax returns, rent or buy properties and commit any number of crimes, all in your name.
If your password was exposed
If you’re worried about your password or email address being tampered with, you can see if it was exposed here. Change and strengthen your password and security questions immediately. Choose something over 7 characters, make it nonsensical and use a password manager so you don’t forget it.
If a company that you have an account with has been breached
Immediately change your username and password and double check you haven’t used the same credentials elsewhere. Keep a separate email address to sign into important accounts for your banking, healthcare, social records or university for example. If you use the same credentials for every single account, one breach could give a hacker access to every single account you own.
Step 3: Accept their offers to help
If your social security number or other personally identifiable information is exposed, monitor your account for the next year at least. When it comes to banking fraud, sometimes a hacker will take minuscule amounts of money from a batch of accounts to go unnoticed. Reputable companies will offer victims free credit monitoring or identity theft protection services, so please take advantage of this by informing them of your compromised data.