What is a data breach? How can a business best prepare itself for external threats? Can customers also help businesses fend off threats?
Data breaches have been a problem the modern world has faced on a large scale since the 1980s. However, it is fair to presume that for as long as people have held documents they hoped to keep secret, there have been organizations and individuals with a vested interest in accessing them.
This article will take you through a number of questions and answers: what is a data breach? Why are they bad? What is a data privacy breach? And how can people keep themselves safe in an increasingly data-unsafe world? It will also go through some of the best-known data breaches of recent years. So let's begin.
What is a Data Breach? What happens?
A data breach is a security incident in which files and documents that are supposed to be secure are accessed. A criminal organization may gain access through a virus, or it may shut down access to a service, disrupting the flow of business. Data can be stolen and removed from the organization to be circulated on the internet, or it can be held hostage, with the attackers demanding a fee from the organization for its release (more on ransomware below).
Data accidentally accessed by an employee of the company who does not have clearance is a different matter (see data privacy breaches below).
Why Are Data Breaches Bad?
Ultimately, a data breach ruins many reputations. Data breaches harm customers, businesses, and industries. They may even put a nation's national security at risk. The financial cost of these threats is increasing yearly. Each data breach also makes it clear that a company, organization, or government is susceptible to criminals and has flaws in its security, making it more susceptible to attacks by bigger, more experienced networks.
At worst, customers may be put in a difficult situation if their personal data is made public. In some cases, such as Ashley Madison (2015), the company may have to pay out damages to its customers to rectify the harm. In other cases, such as EasyJet, where it looks as though the company may have been trying to hide a data breach, the company was fined. Other companies fined under the GDPR include British Airways, Yahoo and Marriott.
The biggest problem a business tends to face after a data breach is financial. One security risk study found that a company can face a loss of up to 20% in a year in which there has been a data breach. But how does a company know there has been a breach at all?
Not all data breaches involve the outside party making itself known. Many small businesses, for example, do not put a cyber policy in place until it is too late; by then they may unknowingly have already experienced a data breach.
Inevitably, after a data breach a business will have to work overtime to strengthen itself and to reposition itself. Things were not right before, so it has to learn from the breach.
What is a Data Privacy Breach?
A data privacy breach is not the same as a data breach. A data privacy breach is when classified documents are accessed by an individual who does not have clearance to view them. A company should have a policy in place that allows employee access to be assessed case by case. In incidents where it was an accident, everything usually continues as normal. In circumstances where it seems deliberate, an employee may be fired.
Parameters for data privacy issues are typically outlined in your employment contract.
Different Types of Data Breaches
Employee Negligence and/or Error
One of the more 'innocent' types of data breach, employee negligence or error occurs when an employee sends an important document to the wrong person. One of the best ways to avoid this is to ensure staff members are adequately trained on all the software they use. Companies should also have protocols in place so employees know what to do when such a mistake happens. Accountability is essential.
According to Shred-it's 2018 State of the Industry report, 47% of data breaches are the result of employee negligence and/or error, and a further 27% were reported as the result of employee theft or sabotage. Employee negligence is a security issue. If it looks as though the breach was intentional and has the potential to damage the reputation of the company, the employer can sue. 30% of companies in the UK have fired employees due to data breaches.
Employee Whistleblowing
Employee whistleblowing takes place when an employee exposes private information to the public. 20% of whistleblowers see the behaviour they reported cease once they go public. Because of their difficult past, there are laws in place to help them. No company sees it as innocent when one of its employees becomes a whistleblower.
Some organizations rely upon whistleblowers. Most companies, for example, instinctively try to hide a data breach from the public when they experience one. Regulators such as the ICO regularly receive reports under the GDPR from employees informing on their employers.
Employee whistleblowing is illegal in most countries, and the most common reprisal is termination of the whistleblower's contract. Drastic increases and/or decreases in workload have also been reported by ex-whistleblowers.
Physical Theft
Physical theft occurs when a criminal removes classified documents from a company, or gains access to a computer and sends themselves classified documents. An organization's activity can also be hacked. All of this is criminal activity.
One of the best ways for a business to protect itself from criminals attempting to steal its information is to have a strong security system in place. Testing whether someone can break into it (a penetration test) is a good way to see how good it is, while also ensuring secure documents are kept well away from those who are not employees of the organization.
Password Attacks
Password guessing is a form of password attack, another form of data breach. It is a technique used to try to gain access to systems. Usually these attacks focus on expired or insecure passwords in the hope of gaining access to accounts. Programs have been developed that help attackers find passwords. Password guessing and password cracking are not the same thing.
In some cases, a lookout has been used to stop an attacker from being caught while attempting to break into a system.
To prevent password attacks, a company can impose a delay after failed logins, e.g. after 3 failed attempts the account must wait 30 minutes; this is known as an account lockout. For a password attack to succeed the password must be weak, so a company can also enforce password rules to ensure password strength. As an individual, you can use a different password for each account rather than reusing one, and make sure each one is strong.
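The account lockout policy described above (3 failed attempts, then a 30-minute wait), written out as an added example that is not code from the original article. The in-memory user store, the user names and the injected clock are constructed for the demo; a real deployment would persist the counters and use a proper credential store.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3     # failures allowed before the account locks
LOCKOUT_SECONDS = 30 * 60   # 30-minute wait, the policy the article describes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a demo stand-in for a real password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class LoginService:
    """Constructed in-memory user store; user names used with it are made up."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. The clock (`now`) is passed in
        so the 30-minute window can be exercised without waiting."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"      # same reply as a bad password: no account enumeration
        if now < acct.locked_until:
            return "locked"      # while locked, even the correct password is rejected
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0   # a successful login clears the counter
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS   # start the 30-minute wait
            acct.failed_attempts = 0
        return "denied"
```

Because a lockout rejects the legitimate user too, the lockout length is the trade-off between slowing guessing and letting an attacker lock real users out on purpose.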
Phishing
Phishing attacks take place in two ways: through online systems, or through people attempting to gain information. The aim of the attack is always to steal data.
These may be emails or phone calls from someone trying to gain information, usually under the pretense of being a big company such as Amazon or PayPal.
Companies can train their employees to spot fraudulent emails, and send reminders to customers that they will never email them for bank details or other personal data.
Malware
Malware is any type of software created to disrupt or disorganize a computer, or to gain access to information, files, or data. Such software may record you or your voice, or send information on your search history, for example. At worst it may shut down your computer.
Any piece of software which is fulfilling a purpose you do not explicitly know about is malware.
Antivirus is supposed to stop malware from accessing your files.
Types include: Trojan horse, spyware, scareware, and ransomware.
Ransomware
Ransomware is a type of cryptovirology. The two most popular types of ransomware are crypto and locker ransomware. Crypto ransomware encrypts all of the files on a computer, forcing the user to pay to regain access to them. Locker ransomware locks the user out of the computer, forcing them to pay for it to be unlocked.
One example is when a hospital needs to access time-sensitive documents and finds that its system has been hacked. If the hospital does not pay, the system is wiped. There are numerous ways for ransomware to end up on a computer, but the most popular is an email with the virus attached as a file.
Bitcoin and other cryptocurrencies are usually used to pay the ransom, as these currencies are difficult to trace.
Denial of Service (DoS)
Denial of service is a type of attack which stops a service from being able to function. For example, a website which sells clothes may no longer be able to do so. Although websites are the most likely victims of this attack, other entities have also been attacked. What happens is that the traffic to a website is so heavy that no one else can access anything until this traffic has been dealt with.
Another way to disrupt the service is to send requests, e.g. to a feedback page, in such volume that the organization's capacity to serve its business data is used up.
Some malware also has the capability to launch DoS attacks. The reasons behind carrying out a DoS attack vary from financial gain to simply holding a grudge. While there are countermeasures, they are costly. Those behind DoS attacks used to be quite specialized, but now criminal programs exist.
Popular Data Breaches
Throughout history there have been some very well-known data breaches which exemplify what happens when things go wrong.
Ashley Madison (2015)
Ashley Madison was a dating site facilitating extramarital affairs. It also had a sister site, Established Men, where young, attractive women establish relationships with older, financially secure men. In July 2015, the Impact Team made contact with the company, stating that if it did not close down the websites, information would be released. Ashley Madison did not close either website, and in August 2015 the data was released.
Users had to pay to delete their Ashley Madison accounts, but it was found before the leak that the company never actually deleted user data. As a result, the addresses, credit card details, search history, and occupations of 39 million people were leaked. Ashley Madison ended up paying out $11 million due to the data breach and has strengthened its security measures since. Two ex-users committed suicide.
Research by Annalee Newitz on the data highlighted some saddening findings. It seemed many of the female accounts on the site were fake, as they appeared to come from one IP address. Also, for every one woman who checked her messages, 13,000+ men checked theirs. In fact, on the website 5 million men had sent messages, compared with 9,000 women. Yet there were over a million users.
This is where things get interesting. In 2020, the Impact Team came back to say they were going to hack Ashley Madison again. However, internet reports now link the group to sextortion schemes and believe a more personal approach may be taking place. Some analysts say they first learnt how to get the data; now they are learning how to turn the data into money.
EasyJet (2020)
EasyJet is a low-cost airline based in Europe. In May 2020, EasyJet admitted that the data of 9 million passengers had been stolen; the company had become aware of the attack in January 2020. The data breach was described as a 'highly sophisticated cyber attack'.
The company was fined £183 million due to the breach.
Hopefully, this article has helped you become more knowledgeable about data breaches. You can now tell the difference between a data breach and a data privacy breach. You recognize that breaches come in a number of forms and are constantly evolving.
Criminals gain a lot by accessing files, so they are always looking for new ways to increase their revenues, while businesses are always fighting to keep their data safe.