A data breach is a cybersecurity incident that involves a malicious actor gaining unauthorized access to private data.
The mode and style of attacks used in data breaches vary widely, but the end result is almost always the same: People or entities who have no right to access your data are able to see it, and in most cases, steal it.
There have been some massive, highly disruptive data breaches in recent years. They affect the public’s trust in famous brands and public institutions. They threaten to make millions of consumers the victims of fraud.
Defenses against data breaches are improving, though there is still much work to be done to protect data against unauthorized (and unlawful) breach.
Is a data breach just a “breach”?
The word “breach” has several connotations, but cybersecurity has borrowed the military meaning.
A military “breach” refers to a gap, a break in a defensive wall. Military history is full of examples of famous breaches, such as the Romans breaching the walls of the ancient city of Jerusalem in 70AD or the Trojans breaching the walls of Troy in ancient Greece.
Yet the break-in is just the first part of a data breach. After the break-in comes an internal exploration of data assets by the attacker, followed by stealthy takeovers of target systems.
In order to steal data, it’s usually necessary to:
- First, assume the identity of a user with access to the data.
- Then, examine and remove (i.e. “exfiltration”) the data.
How can a data breach happen?
Hackers employ a number of different techniques to breach the defenses of a target and steal its data. Typically, the attacker penetrates the target system through an external point of entry.
How do they manage this? Many options present themselves, but often they simply log in from a remote location using stolen credentials. With “social engineering,” a talented hacker can impersonate IT personnel, for example, and learn a real system user’s credentials.
Spear phishing, where the attacker pretends to be a friend or coworker, is a notoriously effective way for hackers to steal login credentials. And, more often than most people want to admit, hackers can just use known default (i.e. factory set) logins that were never changed after the system was deployed.
Other times, the penetration is more technically sophisticated. Hackers look for vulnerabilities in networks, often finding seemingly minor holes in defenses that let them slip in undetected.
For example, some network security appliances cache login credentials. If the cache is not cleared, the attacker may be able to steal the credentials and use them in a breach.
Alternatively, and this is a big problem, IT managers neglect to apply security patches to systems and appliances. Attackers are then able to break into systems using known, but unpatched, exploits.
Data breaches can also occur with eavesdropping. If the hacker is able to insert himself into the middle of a message stream in the target network, it is possible to harvest data from the message traffic. This can also happen in external (e.g. Internet) communication links.
Phases of a data breach
Most data breaches follow a familiar progression of three events: examination, the break-in, and infiltration.
Phase One: Examination
First, the attacker examines the target. This usually means mapping the network and systemic infrastructure.
For example, before attacking, the hacker is going to want to know which applications, operating systems and databases the target is using. The techniques for breaching a Microsoft SQL Server database will be different from those used to crack an Oracle database running on the Linux platform.
Reconnaissance usually also involves learning about the people who are responsible for securing and administering the data. For this, hackers use social engineering as well as public and semi-public mechanisms like Facebook and LinkedIn. Publicly available personal details allow hackers to impersonate users as required to break in.
Phase Two: Break-in
Then, there is the actual break-in. Once inside, the attacker must get into the database itself.
This is not a big problem unless the attacker doesn’t want to be detected. Many data breaches take place over months, with the target completely unaware that an attacker is inside their network, copying and exfiltrating terabytes of confidential information. To achieve this goal, the attacker usually has to gain “root” or super administrator access to the target system.
From this position, the attacker can create a fake user account for himself or herself. A skilled hacker can also use such root access to mask their activities.
Phase Three: Exfiltration
Finally, there is the exfiltration or unauthorized copy of the data. By encrypting the stolen data, the hacker can send it out of the network in a virtually invisible state.
What types of data are stolen?
Just about any information you can imagine is a target for a data breach. Data that may not seem important might be valuable to someone.
Many of the worst data breaches are suspected to be the work of foreign intelligence services. They steal information with strategic value but low monetary worth.
In one scenario, the theft of millions of Federal government employee records left some observers puzzled. Why would anyone want the names, addresses and job titles of government workers?
Well, if you are the Chinese Ministry of Intelligence, to which this breach was attributed, you may want a roadmap of who is who in the federal government, including CIA employees, military officers and so forth.
The Equifax breach followed a similar pattern, according to many experts. The data seemed to vanish, rather than be used in an expected wave of identity theft. This happened, evidently, because the hackers were government spies, not criminals.
Key sectors at risk for data breaches include:
Hackers want to steal customer lists, trade secrets, credit card information and other intellectual property. Motivations include profit and a desire to embarrass the business—a type of attack called “hacktivism.”
Breaches at Target, Sony Pictures and Home Depot are notable examples.
Healthcare providers store confidential, often sensitive information about their patients. Data breaches can target patients’ financial records, personally identifying information (PII), prescription histories and so forth. Such records can be valuable to hackers who sell them on the “Dark Web,” the Internet’s black market. The Anthem/Blue Cross hack was one notable example.
The Dark Web is very extensive, with analysts identifying dozens of categories of illegal commerce occuring outside the reach of most law enforcement agencies. Illicit data products for sale on the Dark Web include bank logs, credit card data, passports, “DDoS for hire” and much more.
Government agencies are favorites for data breaches, especially by foreign intelligence services. Due to the scale of government and its distributed nature, hackers often find gaps in security that enable them to steal military secrets, weapons designs, secret codes and so forth.
The Office of Personnel Management is a good example of such an attack.
Banks usually have tight security, so they are harder to breach than other entities. However, it is possible, and attackers are highly motivated. After all, banks can be lucrative targets.
The hacking of the SWIFT international bank transfer system is an example.
Educational institutions are targets for breaches, and they are often the least defended of any kind of entity. However, universities may be storing personal data on
students and teachers as well as intellectual property that is actually quite valuable to hackers.
Other notable data breaches include thefts of user data from Facebook and Google in 2018. Previously, Yahoo suffered what was arguably the largest data breach in history. British Airways, and many, many other businesses, have experienced significant breaches in recent years.
Data breach laws
Given the consequences of data breaches concerning privacy, crime and national security, the government has passed laws dealing with the handling of data breaches.
In the United States, this has been taken up by the states, not the federal government. A federal data breach law is expected at some point in the future, however. The state laws generally require that companies notify victims of data breaches within a specified period of time.
In some cases, the law may mandate that the company provide protections for credit reporting and identity theft as well as other financial penalties for carelessness with private data.
In the European Union (EU), data breach laws are growing far more serious. The most notable example is the EU’s General Data Protection Regulation (GDPR). GDPR allows for major fines against companies that allow private consumer data to be breached. It also requires strict notification procedures in the event of a breach.
Use data breach laws to stay prepared
Data breaches are a serious risk for any organization. Not only are there potentially serious costs for remediating a breach – they can also put you in violation of the law. Robust cybersecurity countermeasures can help protect you from the threat of a breach.
However, achieving a strong security posture regarding breaches is about more than just installing tools and staffing security operations. Being protected means adopting a diligent mindset and be constantly vigilant.
Data breaches are a very serious matter. Every entity is vulnerable. It’s wise to expect to suffer a breach… the challenge is to be ready for it.
Better defenses always help, but given today’s threat landscape, it may be impossible to defend all of your data assets equally well.
Be sure to review all of the data that your organization stores. Do you need all of it? Can you live without some of it? The less data you have, the less damaging a breach could be.
Alternatively, what data can or should be encrypted at rest and in transit? If you work from the assumption that unencrypted data will be stolen, you can gauge the sensitivity of different data types and secure accordingly.