What Is a Data Breach?

A data breach is a security incident in which sensitive or critical data is stolen or exposed to an unauthorized party. Breaches can be intentional, such as an attacker compromising a database, or accidental, such as an employee emailing confidential files to the wrong recipient.

What is typically exposed in a data breach incident?

Information that might be stolen or unintentionally exposed to unauthorized viewers includes documents relating to a company's financial dealings, confidential customer data, or personal medical histories.

In a data breach attempt, malicious hackers will often seek to steal personally identifiable information (PII) such as:

  • Names
  • Social Security numbers
  • Home addresses
  • Dates and places of birth
  • Driver's license numbers
  • Passport numbers
  • Bank account numbers

Cybercriminals can use PII to commit identity theft, make illegal purchases with stolen credit card numbers, and steal money from financial accounts. Or they can sell this sensitive data to others, usually on the dark web, who want to commit these crimes.

Companies may also be targeted for their intellectual property. During the COVID-19 pandemic, for example, attackers targeted organizations involved in vaccine research. Other types of intellectual property that malicious actors might try to steal include research data, product designs, and source code. The loss of this data can be very costly for a business.

These malicious actors might be state sponsored, hired by a company's competitor, or independent opportunists. Government agencies are top targets for state-sponsored hackers.

How does a data breach happen?

Data breaches can occur in many ways and for many reasons. In general, malicious actors who want to set up and carry out an attack will:

  • Conduct research. Malicious actors can spend many hours researching their targets. They want to figure out what employees or systems they can potentially exploit and learn whether the targeted data is stored in the cloud, on a hard drive, or on a server in a data center.
  • Choose their attack method. Based on what they learn from their research, malicious actors will decide whether to launch a direct, network-based attack that targets IT infrastructure weaknesses, or execute a campaign that relies on social engineering. Social engineering aims to trick a user into enabling data-stealing malware to enter the company's network or providing direct access to sensitive data.
  • Extract the data. This step is also known as data exfiltration. Once attackers have access, they copy or transfer the data off the compromised computer or server, often remotely using malware. Exfiltration is frequently done gradually ("low and slow"), in small transfers spread over a long period, so that the outbound traffic blends into normal activity and avoids volume-based alarms.
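The "low and slow" pattern described above is detectable precisely because it is gradual: a single host sending many small transfers to one external destination over hours adds up to a volume no individual transfer would trigger. The following is an added example, not code from the original article, of a simple detection rule run over constructed flow records (the thresholds, hostnames and addresses are illustrative assumptions; an internal address is anything Python's ipaddress module classifies as private):

```python
"""Flag hosts that trickle data out to one external destination over a long
period: many small transfers that individually look unremarkable but add up.

Added example, not code from the original article. The flow records below are
constructed, not captured from a real network, and the thresholds are
illustrative assumptions to be tuned per environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since epoch
    src: str        # internal host
    dst: str        # remote endpoint
    out_bytes: int  # bytes sent src -> dst


def is_external(addr: str) -> bool:
    """True for addresses outside the private / loopback / link-local ranges."""
    ip = ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def detect_low_and_slow(flows, *, min_events=20, max_single_bytes=256_000,
                        min_total_bytes=1_000_000, min_duration=3600):
    """Return (src, dst, events, total_bytes, duration_s) for each internal ->
    external pair whose outbound traffic consists of many small transfers
    spread over a long window. A single large upload does not match this rule;
    that is the job of a plain volume threshold."""
    groups = defaultdict(list)
    for f in flows:
        if is_external(f.dst) and not is_external(f.src):
            groups[(f.src, f.dst)].append(f)
    findings = []
    for (src, dst), fs in groups.items():
        small = [f for f in fs if f.out_bytes <= max_single_bytes]
        if len(small) < min_events:
            continue
        total = sum(f.out_bytes for f in small)
        duration = max(f.ts for f in small) - min(f.ts for f in small)
        if total >= min_total_bytes and duration >= min_duration:
            findings.append((src, dst, len(small), total, duration))
    return sorted(findings, key=lambda r: r[3], reverse=True)


def sample_flows():
    """Constructed sample (assumed addresses): 10.0.0.12 trickles 60 KB every
    10 minutes for 10 hours (3.6 MB total) to 45.79.12.34; 10.0.0.20 does one
    5 MB upload to 93.184.216.34; 10.0.0.30 sends the same small traffic as
    the first host, but to an internal server."""
    start = 1_700_000_000
    flows = [Flow(start + i * 600, "10.0.0.12", "45.79.12.34", 60_000) for i in range(60)]
    flows.append(Flow(start + 100, "10.0.0.20", "93.184.216.34", 5_000_000))
    flows += [Flow(start + i * 600, "10.0.0.30", "10.0.0.5", 60_000) for i in range(60)]
    return flows


if __name__ == "__main__":
    for src, dst, n, total, dur in detect_low_and_slow(sample_flows()):
        print(f"{src} -> {dst}: {n} transfers, {total} bytes over {dur // 3600} h")
```

Only the trickling host is reported: the single large upload is excluded by `max_single_bytes`, and the internal-to-internal traffic never enters the candidate set. In practice the same aggregation is run over NetFlow/IPFIX or proxy logs, and the destination's rarity across the fleet (how many other hosts talk to it) is a useful extra signal.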

How does a malicious insider differ from an external attacker?

If the malicious actor is an insider, they might employ similar methods as an external attacker. Or they might abuse their or others' privileged access to data—for example, by stealing a colleague's legitimate login credentials to access sensitive files from a cloud-based system. An insider might send the compromised information to their personal email address, a cloud storage account, or a portable storage device like a thumb drive.

A "negligent insider" can also cause a data breach. This insider could be an employee or contractor who doesn't follow good cyber hygiene, for example by using weak, easy-to-guess passwords like 12345. A negligent insider might also download sensitive company or customer information to a personal device such as a laptop or phone and then fail to secure it.

Steps that can help prevent a data breach

Businesses can assess the strength of their current security practices and take preventive measures to reduce their exposure and respond effectively if incidents occur.

Understand the weaknesses that attackers exploit

In today's complex cyberthreat environment, cyberattacks are an inevitability for most organizations, and they can be very costly. In 2020, nearly 3,000 businesses in the United States reported a data breach, according to the annual report (PDF) from the FBI's Internet Crime Complaint Center (IC3). The reported financial loss from those corporate data breaches was nearly $129 million. And those are only the incidents that were known and reported.

To prevent a data breach incident, organizations need to understand what weaknesses attackers will typically target to gain unauthorized access to high-value data they want to steal, compromise, or even destroy. This insight can be used to help improve defenses. Attackers might try to:

  • Take advantage of system or device vulnerabilities, such as a server with a known vulnerability that hasn't been patched, or software with components that have historically been easy to exploit, such as Flash or legacy Java browser plug-ins
  • Compromise a webpage so users accessing that page with an out-of-date browser, app, or operating system unintentionally download data-stealing malware—such as keyloggers that can record what a user types on their device, like login credentials
  • Send malware in email attachments (for example, Word documents or PDFs)
  • Compromise email accounts that belong to third parties, such as vendors in a company's supply chain
  • Look for opportunities to exploit system misconfigurations or weak or absent data encryption

Update and adopt new technology

Organizations need to make sure the technology they rely on—and where they store sensitive data—is always kept up to date. Some measures that can help businesses significantly improve their security posture and avoid a data breach include: patching vulnerabilities; updating operating systems; securing endpoints, including Internet of Things (IoT) devices; and addressing "shadow IT" risks.

Businesses should also consider implementing technology to bolster identity and access management. Two-factor authentication and secure access controls for cloud apps make it harder for external attackers or malicious insiders to take over user accounts, including those of employees who work remotely or on a contract basis.

Adopt a zero-trust model

Zero trust is a strategic approach to security that focuses on eliminating implicit trust from an organization's network architecture: being inside the corporate network no longer grants access by itself. A zero-trust approach identifies what data needs to be protected and applies stringent controls to shield it from unauthorized access or exposure.

To achieve zero trust, organizations must secure access to their applications and IT environment for every user, device, and location. It takes time to implement, but the result is that every access request is verified before trust is granted, whether it originates inside or outside the network, and that verified trust can then be extended to support the enterprise across its distributed network.

Provide user education and training

As noted earlier, attackers will often target users and take advantage not only of their trust but also their poor cyber hygiene practices. These can include using weak passwords, sharing account credentials, not logging off devices or applications after work, and downloading sensitive data to unsecured devices.

Providing high-quality, relevant training and education to employees and other individuals, such as contractors, can help them learn best practices. These efforts can also help users become better at spotting threats, like phishing attacks, and help protect the organization.

Create an incident response plan

Finally, organizations should develop and test a well-thought-out, detailed, and documented incident response plan. This plan should include a:

  • List of roles and responsibilities for the incident response team members. These may include representatives from IT, legal, compliance, corporate communications, and other departments.
  • Business continuity plan. (If the data breach is due to a ransomware attack, for example, the business may be significantly disrupted for an extended period.)
  • Summary of the tools, technologies, and physical resources required to respond.
  • List of critical network and data recovery processes.
  • Plan for communications about a breach, both internal and external.
  • Details about compliance requirements for applicable data breach notification laws.

Businesses may also want to consider engaging an incident response specialist with global reach who can help them create an actionable incident response plan, strengthen their defenses—and be on call to help them respond swiftly to threats.

Follow all data breach notification laws

Data breach notification laws, also known as security breach notification laws, are laws that require businesses, government entities, and others to notify individuals of data breaches that involve exposure of their PII.

If an organization suffers a data breach, it may be under legal obligation to disclose that breach to the affected parties as well as to stakeholders and the public. Failure to comply with these laws—for example, by not notifying individuals within the timeframe outlined in the legislation—can result in hefty fines.

The provisions of these laws vary, from what is considered PII to what constitutes a data breach. The National Conference of State Legislatures website provides a list of data breach notification laws for all 50 U.S. states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands.

There are also country-specific laws and mandates to consider. The European Union's General Data Protection Regulation (GDPR), which governs data protection and privacy, applies to organizations that process the personal data of people in the EU, including organizations based elsewhere that do business in or with the EU.

For details on current data protection laws around the world, see this interactive map and searchable database maintained by a global law firm.