What is a data breach, and how do they happen?

It is also known as a data leak, data spill, data theft, or information disclosure.

Cybercriminals want to steal data like names, email addresses, usernames, passwords, and credit card numbers, and other financial information for personal gain. Whether it’s to steal your identity or to sell on the dark web.

Capital One, Dubsmash, Houzz, Clearview AI. These are just some of the corporate giants who have recently faced some of the biggest breaches the world has ever seen. Nearly 800 million unique email addresses, 21 million passwords, and mountains of other stolen data were sold on the web by hackers in 2019.

Here’s a quick snapshot of those breaches by industry sector:

• Business: 644 incidents (43.7%)
• Health care/medical: 525 (35.6%)
• Banking/credit/financial: 108 (7.3%)
• Education: 113 (7.7%)
• Government/military: 83 (5.6%)

When you look at the figures year on year, the rate of data breaches across sectors almost never sees a dramatic drop. Data shows that banking breaches only lessened by 4% from 2018 to 2019, and the business sector only managed to lower their rate of breaches by 10% over the course of two years. (2017-2019).

With cybercriminals constantly devising ways to exploit company infrastructures, it’s best for us to begin taking security into our own hands.

Below you can get familiar with the worst data breaches that happened in 2019, 2020, and 2021.

• The biggest data breaches of 2019
• The biggest data breaches of 2020
• The biggest data breaches of 2021

Malware or malicious code is a data exfiltration technique that can infect a website or network and leak valuable customer data. A silent threat, malware can be downloaded by accident from an email attachment or corrupted software. Once it’s in, it spreads like a virus and sends all your personal data back to the command and control servers run by the cybercriminals.

Since phishing attacks largely rely on human error, they are shockingly simple to execute but come with catastrophic effects. Usually, an ‘urgent’ email is sent mimicking a legitimate sender like PayPal or Microsoft for example. Once the email is opened or the attachments are clicked on, a swarm of malicious malware infects your device or network and steals everything in sight.

Human error or unintentional actions contribute massively to data breaches. With a barrage of tools, and passwords supporting our complex work environments, employees and end-users can easily make security mistakes. Some fail to recognize fraudulent emails, some use crackable passwords for major company networks, and others unwittingly compromise sensitive information on social media, or on devices left unlocked at work.

In fact, of all breaches reported in 2019, CybSafe (a cybersecurity awareness company) found that 90% were caused by the haphazard mistakes of end-users.

Weak passwords are more common than you think. In a brute force attack, for example, a hacker can churn out millions of user/password combinations per second. They’re then tried against the system in rapid speed until one sticks – open sesame!

Obviously, the best passwords are long, complex and nonsensical. Here’s how to make a strong password.

Late last year Amex informed millions of customers that their account information may have been “wrongfully accessed” by an “employee attempting to commit fraud.” Morrisons, the UK supermarket giant also played host to a disgruntled employee who leaked the payroll information of 100,000 staff members. The reason? Revenge against a previous disciplinary.

Less malicious cases, but equally as damaging could be employees innocently downloading sensitive data onto their device, medical records misconfigured by staff and system warnings being ignored by employees who don’t know any better.

Speaking of security maintenance, investing in solid security can only safeguard you against any of the aforementioned vulnerabilities. Most companies stay vigilant by taking a reactive approach to potholes and patching flaws as they go. Infamous technology breaches like the one Adobe experienced left 150M email addresses and passwords exposed.

PRO TIP: If you hear that a company you gave your data to has been breached — an online store or a social media platform, for example — change your passwords and update your security measures. Don’t wait for them to contact you directly.

Even the world’s largest organizations can fall victim to a breach, but there are plenty of steps we can all take to protect ourselves.

Shred documents

Get into the habit of destroying letters, bills, documents or anything with pieces of your identity on it. Criminals only need your SSI number, date of birth, and name and address to open credit card accounts and take out loans.

Use secure websites

The tell-tale sign is in the web address bar. A secure website should read as https://www.website.com rather than http://www.website.com, the ‘S’ stands for secure.

Create strong passwords

The most secure passwords use uppercase and lowercase letters, non-sequential numbers, special characters and symbols and use non-dictionary words. Always use a good password manager so you don’t forget your new nonsensical passwords.

Use different passwords on every different account

If a hacker gets hold of the credentials for one of your accounts, they can break into all of your other accounts. A good rule of thumb is to always keep your email password completely different, because attackers can login to your inbox to authenticate themselves and request password changes.

Update your computer and mobile devices

Make sure you’re always running the latest versions of operating systems and applications. Updates aren’t always about shiny new features, they contain vital security fixes designed to protect you from hackers.

Avoid public USB charging stations

Did you know that a regular public USB charging port can carry malware? Now you do. Using public USB ports to spread malware and steal data is called juice jacking. To avoid it, steer clear of the public USB ports you see at airports, or get a USB data blocker designed to link your device to the port and protect it from any malicious codes.

Don’t ignore your statements

Frequently monitor your transactions online to identify any strange transactions. Sometimes hackers will use your details to buy items for $1 or less to begin with, that way your account won’t get flagged for security checks when they do make the big purchase.

Regularly check your credit reports

Your credit report will show if any accounts or loans have been opened in your name. Identity thieves can piece together your identity in minutes. An innocent Instagram photo with your door number and street in the background, unshredded mail from the trash, access to your email or social media accounts – the clues are everywhere for a hacker determined enough to find them.

Avoid data hoarding

The more data you have, the more data you can lose. Avoid accummulating large amounts of digital assets, regularly audit your data, and ensure it’s stored securely. Data hoarding is not a practice you should follow to avoid data leaks.

Don’t panic, there are some simple steps you can take to get everything back on track:

Please try not to click on emails from companies telling you that a breach has occurred. Quite often they’re phishing emails – written by scammers in order to steal your personal information. Instead, call the company directly or wait for them to post it on their website.

If your sensitive information has been exposed there are some quick fixes to regain control – depending on what information it was.

Report it immediately to the IRS. Social security numbers are harder to replace than credit card information or bank details. Your social security number can be used to assume your identity, file fake tax returns, rent or buy properties and commit any number of crimes, all in your name.

If you’re worried about your password or email address being tampered with, you can see if it was exposed here. Change and strengthen your password and security questions immediately. Choose something over 7 characters, make it nonsensical and use a password manager so you don’t forget it.

Immediately change your username and password and double check you haven’t used the same credentials elsewhere. Keep a separate email address to sign into important accounts for your banking, healthcare, social records or university for example. If you use the same credentials for every single account, one breach could give a hacker access to every single account you own.

If your social security number or other personally identifiable information is exposed, monitor your account for the next year at least. When it comes to banking fraud, sometimes a hacker will take miniscule amounts of money from a batch of accounts to go unnoticed. Reputable companies will offer victims free credit monitoring or identity theft protection services, so please take advantage of this by informing them of your compromised data.