Data Breach
What Is a Data Breach?
A data breach is an incident in which confidential, sensitive, or protected information stored in a computer system, network, or database is exposed to someone without authorized access to view that information.
Common causes of data breaches include malware (for example, ransomware attacks), weak or stolen credentials, application vulnerabilities, social engineering (like phishing attacks), and insider threats.
Data breaches can expose personal, financial, and other confidential information, which can result in reputational damage, identity theft, operational downtime, legal repercussions, and other negative outcomes for organizations and individuals affected by the breach.
Third-party definition
A data breach is any unauthorized access to, movement of, or disclosure of sensitive or personal data. – Data Progress
Difference Between a Data Breach and a Data Leak
Although the two terms are often used interchangeably, they mean slightly different things.
Whereas data breaches are generally caused by cyber attacks and are typically intentional and malicious, data leaks are often accidental.
For example, in 2016, an attacker used a security vulnerability to hack the contact information of 1.5 million Verizon enterprise customers, which was a data breach. Conversely, when, in 2017, a misconfigured security setting on a cloud server led to Verizon customer data being leaked online, that was a data leak.
Biggest Data Breaches of the 21st Century
Here are some of the biggest security breaches of the 21st century (note that this is not a comprehensive list):
- Yahoo. In 2016, Yahoo announced that it suffered two breaches in 2013-2014, with the 2014 breach affecting about 500 million Yahoo user accounts and the 2013 breach affecting about 3+ billion accounts. Breached information included names, phone numbers, email addresses, dates of birth, hashed passwords, and encrypted/unencrypted security questions and answers.
- FriendFinder Networks. After FriendFinder Networks was hacked, 412+ million user accounts from Adultfriendfinder.com, Penthouse.com, Cams.com, iCams.com, Stripshow.com, and an unknown domain were compromised, potentially including deleted accounts.
- Equifax. The 2017 Equifax breach compromised the sensitive information of about 147 million Americans. Compromised data included names, addresses, birth dates, and Social Security numbers. In some cases, cybercriminals also accessed credit card numbers, driver’s license numbers, and documents with personally identifiable information (PII). Following the breach, Equifax agreed to a global settlement to help those affected.
- MyFitnessPal. The health and fitness tracking app MyFitnessPal was breached in 2018, but luckily, sensitive data does not appear to have been compromised. That said, login credentials and email addresses might have been compromised.
- Marriott Starwood hotels. In 2018, the Marriott hotel chain announced its reservation systems had been breached in 2014 (but only spotted four years later), with about 500 million guest records, including credit card and passport numbers, compromised (though some records were likely duplicates).
- eBay. In 2014, hackers accessed 145 million eBay customer records, including email addresses, passwords, and other personal information (financial information, such as credit card and bank account details, was not affected).
- Home Depot. In 2014, a cybersecurity data breach at the home improvement retailer Home Depot led to hackers accessing payment card information belonging to 40 million customers.
What Kind of Companies Are At Risk of Data Breaches?
If you knew the answer to this question, you could avoid doing business with these companies and prevent data breaches from impacting you. If only it were that simple.
The truth is that every organization, regardless of size (from small businesses to large enterprises) and industry (tech, law enforcement, healthcare, credit monitoring, etc.) is at risk of being breached.
That said, companies that collect and store a lot of personal information are at a particularly high risk from cyber threats.
For example, data brokers, companies that collect and store a tonne of information about individuals, are commonly hacked. Organizations that gather sensitive data, such as health information, and don’t always have the best data security controls are also attractive targets for criminals.
Effect of Data Breaches On Individuals’ Privacy
Depending on the kind of information that is exposed, a data breach can have severe consequences for individuals, including financial loss, identity theft, damaged credit scores, and emotional distress.
If breached information ends up on the dark web, it can also be used to carry out future cyber attacks against individuals, like targeted phishing scams.
How to See If Your Data Was Involved In a Data Breach
One of the easiest ways to see if you were part of any data breaches is to visit the HaveIBeenPwned website. You can also subscribe to breach notifications to receive alerts when your data is involved in any breaches.
Sometimes, breached organizations also send out data breach notifications.
If you were part of a data breach, you should change your passwords (consider also using a password manager) and set up multi-factor authentication.
Depending on what kind of personal data was exposed in the breach, you might also need to contact financial or government institutions and file an Identity Theft Report with the Federal Trade Commission.