Data breaches are a major security concern because sensitive data is constantly being transmitted across the internet. This continuous transfer of information allows attackers anywhere to attempt a data breach against almost any person or company they choose.
Data is also stored in digital form by companies all over the world. The servers that store data are often vulnerable to various forms of cyberattack.
Who is typically targeted for data breaches?
Large corporations are prime targets for attackers attempting to cause data breaches because they offer such a large payload. This payload can include millions of users' personal and financial information, such as login credentials and credit card numbers. All of this data can be resold in underground markets.
However, attackers target anyone and everyone from whom they can extract data. All personal or confidential data is valuable to cybercriminals – there is usually someone in the world willing to pay for it.
What are some of the main ways a data breach can occur?
- Lost or stolen credentials – The simplest way to expose private data online is to use someone else's login credentials to log in to a service. To this end, attackers use a combination of strategies to obtain people's login information and passwords. These include brute force attacks and on-path attacks.
- Lost or stolen equipment – A lost computer or smartphone that contains confidential information can be very dangerous if it falls into the wrong hands.
- Social engineering attacks – Social engineering involves using psychological manipulation to trick people into handing over sensitive information. For example, an attacker may pretend to be an IRS agent and call victims on the phone in an attempt to convince them to share their bank account information.
- Insider threats – These involve people who have legitimate access to protected information and intentionally expose that data, often for personal gain. Examples range from a restaurant server copying customers' credit card numbers to high-level government employees selling secrets to foreign countries.
- Exploiting vulnerabilities – Nearly every company in the world uses a variety of different software products. Because software is highly complex, it often contains flaws known as “vulnerabilities”. An attacker can exploit these vulnerabilities in order to gain unauthorized access and view or copy confidential data.
- Malware infections – Many malicious programs are designed to steal data or track user activity, sending the information they collect to a server controlled by the attacker.
- Physical point-of-sale attacks – These attacks target credit and debit card information and often involve devices that scan and read these cards. For example, someone could create a fake ATM or even install a scanner on a legitimate ATM in hopes of collecting card numbers and PINs.
- Credential stuffing – After someone's login credentials are exposed in a data breach, an attacker may try to reuse the same credentials on dozens of other platforms. If that user logged in with the same username and password across multiple services, the attacker may be able to gain access to the victim's email and/or social media and/or online banking accounts.
- Lack of encryption – If a website that collects personal or financial data does not use SSL/TLS encryption, anyone monitoring transmissions between the user and the website can view that data in plain text.
- Misconfigured web application or server – If a website, application, or web server is not set up properly, it may leave data exposed to anyone with an internet connection. Confidential data can be seen by users who stumble upon it accidentally, or by attackers who seek it out intentionally.
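The brute force and credential stuffing techniques listed above leave different traces in an authentication log: one source failing repeatedly against a single account, versus one source cycling through many accounts with one or two attempts each, sometimes ending in a success. The following is an added example, not part of the original article, that flags both patterns over constructed sample log lines; the log format, the thresholds and the IP addresses are assumptions.

```python
# Added example (not from the original article): flag brute force (many
# failures against one account) and credential stuffing (one source trying
# many accounts) in sample authentication log lines. Log format is constructed.
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$")

# Constructed sample log: 203.0.113.5 hammers one account, 198.51.100.7
# cycles through many accounts and eventually succeeds, 192.0.2.9 is normal.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z ip=203.0.113.5 user=alice result=failure
2024-01-01T10:00:02Z ip=203.0.113.5 user=alice result=failure
2024-01-01T10:00:03Z ip=203.0.113.5 user=alice result=failure
2024-01-01T10:00:04Z ip=203.0.113.5 user=alice result=failure
2024-01-01T10:00:05Z ip=203.0.113.5 user=alice result=failure
2024-01-01T10:00:10Z ip=198.51.100.7 user=bob result=failure
2024-01-01T10:00:11Z ip=198.51.100.7 user=carol result=failure
2024-01-01T10:00:12Z ip=198.51.100.7 user=dave result=failure
2024-01-01T10:00:13Z ip=198.51.100.7 user=erin result=failure
2024-01-01T10:00:14Z ip=198.51.100.7 user=frank result=success
2024-01-01T10:00:20Z ip=192.0.2.9 user=grace result=success
"""

def parse_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def detect(events, brute_threshold=5, stuffing_threshold=4):
    """Return (kind, ip, detail) alerts. Thresholds are illustrative."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    successes = defaultdict(set)                      # ip -> users logged in
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]][e["user"]] += 1
        else:
            successes[e["ip"]].add(e["user"])
    alerts = []
    for ip, per_user in failures.items():
        for user, n in per_user.items():
            if n >= brute_threshold:
                alerts.append(("brute_force", ip, user))
        if len(per_user) >= stuffing_threshold:
            alerts.append(("credential_stuffing", ip, sorted(per_user)))
            # A success from a source cycling through accounts means a reused
            # password worked: treat it as a likely account takeover.
            for user in sorted(successes[ip]):
                alerts.append(("possible_takeover", ip, user))
    return alerts
```

Running `detect(parse_log(SAMPLE_LOG))` yields one brute-force alert, one credential-stuffing alert and one possible-takeover alert; the normal login from 192.0.2.9 produces nothing.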
What does a data breach look like in the real world?
The Equifax data breach in 2017 is one of the primary examples of a large-scale data breach. Equifax is an American credit bureau. Between May and June 2017, malicious parties were able to access private records within Equifax's servers for nearly 150 million Americans, approximately 15 million British citizens, and approximately 19,000 Canadian citizens. The attack was made possible because Equifax failed to apply a patch to a software vulnerability in their system.
Small-scale data breaches can also have a significant impact. In 2020, attackers hijacked Twitter accounts belonging to several celebrities and influencers. The attack was made possible by an initial social engineering attack that enabled the attackers to gain access to Twitter's internal administrative tools. Starting from this initial breach, the attackers were able to take over the accounts of many individuals and promote a scam that collected nearly $117,000 in Bitcoin.
One of the most notorious data breaches in recent decades was the cyberattack launched against major retailer Target in 2013. The combination of strategies used to pull off this attack was somewhat complex. The attack involved a social engineering attack, hijacking a third-party vendor, and a large-scale attack on physical point-of-sale devices.
The attack began with a phishing operation targeting employees at an air conditioning company that was supplying HVAC units to Target stores. These air conditioners were connected to computers on Target's network to monitor energy usage, and the attackers compromised the air conditioning company's software to gain access to Target's system. Ultimately, the attackers were able to reprogram the credit card scanners in Target stores to supply the attackers with customers' credit card data. These scanners were not connected to the internet, but were programmed to periodically dump saved credit card data to an access point monitored by the attackers. The attack was successful and resulted in the compromise of the data of an estimated 110 million Target customers.
How can companies prevent data breaches?
Because data breaches come in many forms, there is no single solution to stopping data breaches, and a comprehensive approach is required. Some key steps companies can take include the following:
Access control: Employers can help combat data breaches by ensuring that their employees have only the minimum access and permissions necessary to do their jobs.
Encryption: Companies should encrypt their websites and the data they receive using SSL/TLS encryption. Companies should also encrypt data at rest, when it is stored on their servers or on employee devices.
Web security solutions: A web application firewall (WAF) can protect businesses from several types of application attacks and vulnerability exploits that aim to create data breaches. In fact, it is believed that a properly configured WAF would have prevented the major data breach attack on Equifax in 2017.
Network security: In addition to their web properties, companies should protect their internal networks from intrusion. Firewalls, DDoS protection, secure web gateways, and data loss prevention (DLP) can help keep networks secure.
Update software and hardware: Outdated software versions are dangerous. Software regularly contains vulnerabilities that, when exploited, allow attackers to access sensitive data. Software vendors release security patches or entirely new versions of their software to fix vulnerabilities. If these patches and updates are not installed, attackers can exploit the known vulnerabilities to penetrate those systems – as happened in the Equifax breach. After a certain point, vendors will no longer support a software product – leaving that software completely open to any new vulnerabilities that are discovered.
Preparation: Companies should prepare a response plan that is activated in the event of a data breach, with the goal of minimizing or containing the information leak. For example, companies should maintain backups of important databases.
Training: Social engineering is one of the most common causes of data breaches. Train employees to recognize and respond to social engineering attacks.
How can users protect themselves from data breaches?
Here are some tips for protecting your data, although these measures alone do not guarantee data security:
Use unique passwords for each service: Many users reuse passwords across multiple online services. The result is that when one of those services has a data breach, attackers can use those credentials to breach the user's other accounts as well.
Use two-factor authentication: Two-factor authentication (2FA) is the use of more than one verification method to confirm a user's identity before allowing them to log in. One of the most common forms of two-factor authentication is when a user enters a unique one-time code sent via text message to their phone in addition to their password. Users who enable 2FA are less vulnerable to data breaches that expose login credentials, because their password alone is not sufficient to allow an attacker to take over their accounts.
Only send personal information on HTTPS sites: A site that does not use SSL encryption will only have “http://” in its URL, not “https://”. Unencrypted websites leave any data entered on that site exposed, from usernames and passwords to search queries and credit card numbers.
Keep software and hardware up to date: This suggestion applies to users as well as companies.
Encrypt hard drives: In the event of a user's device being stolen, encryption prevents the attacker from viewing files stored locally on that device. However, this does not prevent attackers who have managed to gain remote access to the device through malware infection or otherwise.
Only install apps and open files from reputable sources: Users accidentally download and install malware every day. Make sure that any files or apps you open, download, or install are indeed from a legitimate source. Additionally, users should avoid opening unexpected email attachments – attackers often hide malware inside seemingly harmless files attached to emails.