A data breach is a security violation or incident that leads to the theft of sensitive or critical data or its exposure to an unauthorized party. These incidents can be intentional, such as a database hack, or accidental, such as an employee emailing confidential files to the wrong recipient.
Information that might be stolen or unintentionally exposed to unauthorized viewers includes documents relating to a company's financial dealings, confidential customer data, or a personal medical history.
In a data breach attempt, malicious hackers will often seek to steal personally identifiable information (PII) such as:
Cybercriminals can use PII to commit identity theft, make illegal purchases with stolen credit card numbers, and steal money from financial accounts. Or they can sell this sensitive data to others, usually on the dark web, who want to commit these crimes.
Companies may also be targeted for their intellectual property. During the global health crisis, for example, hackers were working to steal coronavirus vaccine secrets. Other types of intellectual property that malicious actors might try to steal are research, product designs, and source code. The loss of this data could be very costly for a business.
These malicious actors might be state sponsored, hired by a company's competitor, or independent opportunists. Government agencies are top targets for state-sponsored hackers.
Data breaches can occur in many ways and for many reasons. In general, malicious actors who want to set up and carry out an attack will:
If the malicious actor is an insider, they might employ methods similar to those of an external attacker. Or they might abuse their own or others' privileged access to data—for example, by stealing a colleague's legitimate login credentials to access sensitive files from a cloud-based system. An insider might send the compromised information to their personal email address, a cloud storage account, or a portable storage device like a thumb drive.
A "negligent insider" can also cause a data breach. This insider could be an employee or contractor who doesn't follow good cyber hygiene in their workspace, for example by using weak and easy-to-guess passwords like 12345. A negligent insider might also download and then fail to secure sensitive company or customer information on a personal mobile device like a laptop.
Businesses can assess the strength of their current security practices and take preventive measures to reduce their exposure and respond effectively if incidents occur.
In today's complex cyberthreat environment, cyberattacks are an inevitability for most organizations—and they can be very costly. In 2020, nearly 3000 businesses in the United States suffered a data breach, according to a report (PDF) from the FBI's Internet Crime Complaint Center. The financial loss from those corporate data breaches was nearly $129 million. And those are just the known and reported incidents.
To prevent a data breach incident, organizations need to understand what weaknesses attackers will typically target to gain unauthorized access to high-value data they want to steal, compromise, or even destroy. This insight can be used to help improve defenses. Attackers might try to:
Organizations need to make sure the technology they rely on—and where they store sensitive data—is always kept up to date. Some measures that can help businesses significantly improve their security posture and avoid a data breach include: patching vulnerabilities; updating operating systems; securing endpoints, including Internet of Things (IoT) devices; and addressing "shadow IT" risks.
Businesses should also consider implementing technology to bolster identity and access management. Two-factor authentication and secure access solutions for cloud apps make it more difficult for malicious hackers or insiders to compromise users, including those who work remotely or on a contract basis.
Zero trust is a strategic approach to security that focuses on eliminating implicit trust from an organization's network architecture. A zero-trust approach identifies what data needs to be protected and applies stringent measures to shield it from unauthorized access or exposure.
To achieve zero trust, organizations must secure access across their applications and IT environment for every user, device, and location. It takes time to implement, but it results in trust being established for every access request—no matter where it comes from—and in that trust being extended to support the enterprise across the distributed network.
As noted earlier, attackers will often target users and take advantage not only of their trust but also their poor cyber hygiene practices. These can include using weak passwords, sharing account credentials, not logging off devices or applications after work, and downloading sensitive data to unsecured devices.
Providing high-quality, relevant training and education to employees and other individuals, such as contractors, can help them learn best practices. These efforts can also help users become better at spotting threats, like phishing attacks, and help protect the organization.
Finally, organizations should develop and test a well-thought-out, detailed, and documented incident response plan. This plan should include a:
Businesses may also want to consider engaging an incident response specialist with global reach who can help them create an actionable incident response plan, strengthen their defenses—and be on call to help them respond swiftly to threats.
Data breach notification laws, also known as security breach notification laws, are laws that require businesses, government entities, and others to notify individuals of data breaches that involve exposure of their PII.
If an organization suffers a data breach, it may be under legal obligation to disclose that breach to the affected parties as well as to stakeholders and the public. Failure to comply with these laws—for example, by not notifying individuals within the timeframe outlined in the legislation—can result in hefty fines.
The provisions of these laws vary, from what is considered PII to what constitutes a data breach. The National Conference of State Legislatures website provides a list of data breach notification laws for all 50 U.S. states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands.
There are also country-specific laws and mandates to consider. The European Union's General Data Protection Regulation (GDPR), relating to data protection and privacy, may apply to organizations that do business in, or with organizations located in, the countries these laws cover.
For details on current data protection laws around the world, see this interactive map and searchable database maintained by a global law firm.