Data breaches aren't just a fleeting concern. They can change people's lives and cause trouble for businesses, governments, or anyone when private information gets out.
Moreover, data breaches cost a lot of money. Research from IBM puts the average cost of a data breach at about $4 million. This doesn't even count the harm done to a company's good name, which is hard to measure in dollars.
In big data breaches, these costs can be huge. For instance, Yahoo had data breaches from 2012 to 2016, where about 3 billion users' information was leaked. Yahoo agreed to pay a huge $117.5 million because of claims it didn't do enough to protect against and respond to these breaches.
Data breaches can also cause big problems for regular people. People can have their identities stolen, privacy invaded, money lost, or credit harmed.
This data breach prevention guide will delve into several aspects of data breaches, including:
The adverse effects of data breaches
How data breaches happen and the methods used
The kind of information that attackers want and why they want it
How to stop data breaches
What to do if you have been affected by a data breach
Let's get started.
A data breach refers to an event in which protected, confidential, or sensitive information has been viewed, obtained, or utilized by an individual or entity without the necessary permissions.
The data can include credit card numbers, social security numbers, health records, or secret business information. Data breaches often happen because of weak security, flaws in a system, or tricks like phishing — when someone is fooled into giving out their information.
Sometimes, a data breach can happen from inside an organization (by accident or on purpose). For example, a worker might accidentally let out sensitive information or do it intentionally to sell this information to someone else.
Data breaches can significantly hurt businesses. Organizations can lose money, and people might trust them less as a result. Also, businesses could get in legal trouble because there are strict rules about keeping data private.
Data breaches are when private, sensitive, or protected information is exposed without permission.
Recently, many big companies have had data breaches. These major incidents show how serious and damaging data breaches can be and why data breach prevention is so important. Let's look at some examples:
One of Yahoo’s data breaches happened in 2013, impacting all 3 billion user accounts. Another took place in 2014, affecting 500 million accounts. These breaches led to the theft of user data, like names and email addresses. For the 2014 incident, Yahoo said hackers made fake web cookies to pretend to be the account holders.
In May 2019, this major insurance company had a huge data breach, leading to the exposure of over 885 million sensitive records. The leaked data included bank account numbers, mortgage records, driver's license pictures, Social Security numbers, and more.
In December 2019, data from nearly 267 million Facebook accounts was found on the dark web. This included names, phone numbers, and Facebook IDs.
Then, in March 2020, another server with data on an extra 42 million users was discovered. By April 2021, data from 530 million Facebook users was posted on a hacking forum. This data seems to have been taken from Facebook in 2019 when hackers found a flaw in Facebook’s system.
In 2018, this hotel company announced that its Starwood properties' reservation database was hacked, impacting up to 500 million guests. The names, addresses, phone numbers, email addresses, and passport numbers of about 327 million of these guests were exposed.
Twitter, in 2018, asked its 330 million users to change their passwords. This request was due to a glitch that made passwords visible. The breach happened because of an error with Twitter's process to keep user passwords secure. The social media platform fixed the glitch, but this incident shows how these vulnerabilities can be exploited.
These examples of data breaches highlight how serious these incidents can be and the potential damage they can cause.
Data breaches can cause a lot of damage. They can lead to financial loss, hurt a person's reputation, result in penalties, and have long-term effects on the people involved.
The effects of data breaches on individuals can vary depending on what kind of information was stolen. Here's what could happen:
Identity Theft: This is often the worst outcome of a data breach. Suppose someone steals personal details like Social Security numbers, birth dates, or driver's licenses. In that case, criminals can use this information to pretend to be the person they stole from and commit illegal activities.
Financial Loss: If credit card numbers or bank account information are leaked in a breach, unauthorized transactions or withdrawals could occur. While the person whose information was stolen isn't always held responsible for these charges, fixing the issue can be hard and stressful.
Credit Damage: If a criminal uses someone's stolen identity to open new credit card accounts in their name and then doesn't pay the bills, the victim's credit score could drop. This could make it difficult for them to get loans or credit cards in the future.
Phishing Attacks and Scams: After a data breach, victims may be targeted by criminals trying to trick them into giving out more information. They might receive emails or calls from people pretending to be from the company that had the data breach or a bank.
Long-Term Vigilance: One of the hardest parts of a data breach is that the effects can last for years. Stolen information could be sold or used long after the breach, meaning victims must continually check their accounts and credit reports for suspicious activity.
The effects of a data breach on individuals can be severe, from financial fraud to violation of privacy.
Companies also face serious problems if a data breach occurs. These issues can be both immediate and long-lasting. Here's what could happen:
Financial Losses: Data breaches are often very costly. As noted earlier, IBM reported that the average cost of a data breach is $4.35 million. This could include immediate expenses to investigate the breach and secure the systems, legal fees, potential government fines, and compensation for affected customers. There are also hidden costs, such as increased insurance premiums and the resources needed to manage the breach's aftermath.
Reputation Damage: A data breach can harm a company's image. Customers and clients trust companies with their personal information, and a breach can undermine this trust. This could result in losing customers, difficulty attracting new ones, and a decrease in the company's stock value.
Website Damage: If hackers infiltrate a website, they might cause harm, which requires additional time, money, and effort to repair.
Business Disruption: A data breach can disrupt business operations, especially if critical systems or data are compromised. This disruption could lead to decreased productivity and impact the company's profits.
Legal Problems: Depending on the company's location and the type of data involved, companies might face legal action from affected customers or government fines. The fines can be substantial in regions with strict data protection laws, like the European Union (under GDPR).
Increased Scrutiny: After a data breach, companies often face increased attention from regulatory bodies and may be required to demonstrate improved data security.
Loss of Unique Information: In some instances, data breaches can involve the theft of a company's unique information, such as patents, trade secrets, or other proprietary business data. The loss could weaken the company's competitive position and have long-term effects.
A data breach isn't just a problem with technology. It's a big concern for the whole business.
Data breaches can impact government bodies in unique ways. Here are some potential results:
National Security Risks: Governments handle a lot of sensitive data, such as details about military operations or important infrastructure. If this gets disclosed, it can risk national security.
Public Safety Risks: Governments also store personal data about citizens. This data can include Social Security numbers, health records, or driving license information. If a data breach happens and this data gets exposed, it can lead to critical issues. Identity theft and other types of fraud could happen, harming public safety.
Financial Costs: The costs could involve responding to the breach and securing the breached systems. They may also include investigating the incident. Governments could also face lawsuits or claims from people who were affected.
Damage to Reputation: If citizens think their data isn't safe with the government, they might lose confidence. As a result, their trust in other government services and programs will diminish.
Impacts on Policies: This is especially true for policies associated with cybersecurity and data protection. Such an incident could lead to stricter laws and regulations and broadly affect businesses and individuals.
Service Disruptions: If a data breach happens in a social services department, it could cause delays. People might have to wait longer for benefits or support.
A data breach can deeply shake the public's trust in government bodies.
Data breaches can happen in many ways. Let's look at the most common methods:
Targeted attacks happen when attackers focus on a specific person, group, or system. They use tech skills and manipulation to take advantage of weak points in security.
Phishing Attacks: Attackers send fake emails or messages to trick people. They get them to share personal info like passwords or to download harmful software.
Malware: Attackers use malicious software to break into a system and get unauthorized access to data. This can be through viruses, worms, Trojans, or ransomware. Drive-by downloads are a common way malware gets installed on computers.
Vulnerability Exploits: Cybercriminals find and use weak points in a company's hardware or software. They do this before the company knows about these weaknesses.
Brute Force Attacks: Hackers guess passwords using software tools. They try all possible passwords until they get it right. The hack can take time, but as computers get faster, so do these attacks. Attackers usually infect systems with malware to obtain passwords.
SQL Injection: Attackers use weaknesses in a website's database to get unauthorized access to the stored data.
Cross-Site Scripting (XSS): Cybercriminals put harmful scripts into websites. These scripts then run on the user's device and capture sensitive data.
Man-in-the-Middle (MitM) Attacks: Attackers intercept the communication of two or more parties to obtain sensitive information.
Zero-Day Exploits: These attacks use unknown weaknesses in software or hardware. The attack happens on "day zero" before the software or hardware creators know about the problem and can fix it.
Denial-of-service (DoS) Attack: Attackers flood a network or website with fake requests, stopping real users from accessing the site. Also, the system may crash or get damaged. Criminals can also use botnets (computer networks) to launch DDoS attacks.
Credential Stuffing: Attackers automatically input pairs of usernames and passwords into a website. They keep doing this until they find a match.
Social Engineering: Besides phishing, hackers can use other ways to trick people into revealing confidential information. They pretend to be trustworthy or exploit people's natural curiosity.
Physical Theft: Sometimes, data breaches happen when physical items, like laptops or hard drives, get stolen. If these items aren't locked or encrypted, anyone who finds them can steal the information. Even locked devices can be broken into by skilled attackers.
Targeted attacks focus specifically on a particular person, business, or system.
Data breaches aren't always due to malicious actions. IBM reports that only half (52%) of breaches come from harmful attacks. Thus, simple mistakes can lead to breaches too. For example, a person may accidentally leave sensitive data unprotected or send it to the wrong person.
Other times, someone uses a colleague's computer and unintentionally views files they aren't supposed to see. Even though they didn't mean to and didn't share the data, it's still a data breach because an unauthorized person saw the information.
Almost half of data breaches are accidental.
An insider attack is a data breach intentionally caused by an employee. This employee (a malicious insider) purposely accesses or steals data to harm the organization or another employee.
The malicious insider may, for instance, have access to sensitive financial information or a list of clients. They could transfer or sell this information to a competitor. The attacker might also gather data about high-risk individuals within the organization or obtain password details. In addition, they could sell this information to a hacker to make money.
An insider attack is a data breach initiated by an employee who intentionally leaks data to a third party.
Targeted data breaches usually follow a structured pattern. They happen in several steps or phases, each with its own goal. Let's go through the usual order of these phases:
Reconnaissance: Attackers learn about systems, networks, public websites, open network ports, and employee information. They then try to spot any weaknesses.
Initial Breach: Attackers make their first move after getting enough information. They might trick someone into giving up their user credentials through social engineering tactics like spear phishing. Or, they might take advantage of a weak spot in a software program.
Establishment of Foothold: After the first breach, attackers aim to get a solid grip inside the system. To do so, they might install harmful software like backdoors. This practice could give them regular access and control over the compromised systems.
Privilege Escalation: Attackers try to get more access or privileges within the system. They might exploit more weaknesses or gain admin-level credentials. With this, they can reach sensitive information or take control of important systems.
Lateral Movement: With more privileges, attackers may navigate across the network. They aim to reach other systems or places where data is stored. What they can achieve includes gathering more credentials, taking advantage of system trust relationships, and exploiting more software weaknesses.
Data Exfiltration: When they find the data they want, attackers try to take it out, or "exfiltrate" it. They usually encrypt the data to avoid being noticed and send it to an external system they control.
Persistence and Covering Tracks: After getting what they want, attackers often ensure they can reaccess the system in the future. They also aim to hide their activities. To achieve this, they might create more unauthorized access points, erase activity records, or do other things to make it harder to spot the security breach or understand what happened.
Exploitation: This is the final stage. The attacker uses the stolen information for their planned purpose. They might sell the information, use it to impersonate someone else, spy on businesses, or do other harmful things.
Targeted data breaches usually happen in an organized way, with each step leading to the next.
In data breaches, hackers usually target the information they can use for their benefit. Let's look at the most common types of data they go after:
Personal Identification Information (PII): This data includes names, Social Security numbers, passport details, driver's license numbers, and addresses. Hackers can use this for identity theft, fraud, or other harmful actions.
Financial Data: Data may comprise credit card numbers, bank account details, and other financial information. Attackers often target this data to commit financial fraud.
Healthcare Data: Medical records contain sensitive data, such as medical histories and insurance details. Cybercriminals can use this information for insurance fraud or sell it illegally.
Access Credentials: Usernames and passwords are common targets because they can access other systems or services. Hackers may use these credentials for more attacks or trade them with other criminals.
Business Data: This could include many types of data. Examples are customer databases, intellectual property, trade secrets, business plans, and other sensitive internal data. Hackers often go after this type of data for spying or to trick people through fake business emails.
Governmental Data: Attackers, especially those supported by a state, often target government databases to collect intelligence, disrupt operations, or achieve other goals for their state.
Infrastructure Data: Data about important infrastructure systems (like electrical grids or water treatment facilities) could be targeted by hackers looking to cause large-scale disruption or damage.
In a data breach, cybercriminals look for data they can use to their advantage.
Hackers steal data for reasons that depend on what kind of data they're after and what skills they have. Here are some of the most common motives:
Making Money: Many hackers sell personal and financial details illegally. They can also use stolen credit cards or bank details to commit fraud.
Impersonation: With enough personal data, bad guys can pretend to be someone else. Using their new identity, they can do illegal things, access money, open bank accounts, and more.
Business Spying: Some cybercriminals steal data to get ahead in business. They might steal secrets, business plans, or other important information to help their own business or hurt a rival.
Ransom Demands: Sometimes, hackers steal and encrypt data, demanding payment to unlock it. Or they might threaten to make sensitive information public unless they're paid.
Political Reasons or Spying: Some attackers, backed by a state or a hacktivist group, steal data for political reasons. They might want to disrupt operations, spy on foreign countries, or attack specific targets.
Harming Reputation: Sometimes, attackers steal data to damage a person's or organization's reputation. They might share embarrassing information or reveal shady practices.
Planning Future Attacks: Stolen data, especially usernames and passwords, can be used for more attacks — like accessing other services.
Knowing why hackers steal data can help you better protect against data breaches.
Safeguarding personal data is not just a task for businesses but consumers as well. Read on to learn about practical tips and techniques you can apply to greatly reduce the risk of your personal data being compromised.
Use secure passwords. Your passwords should be hard to guess and different for each account. They should be at least 12 characters long and mix numbers, letters, and special symbols. To check how strong your password is, you can use a password checker tool.
Check your accounts often. Monitor your financial and online accounts for any strange activity. Report anything odd to the service provider right away.
Watch your credit. Regularly review your credit reports for abnormal activity or errors. Every year, you can get one free credit report from each of the three main credit bureaus at AnnualCreditReport.com.
Think about identity theft protection services. These services can monitor different databases and alert you if your personal info is being misused.
Don't fall for phishing. Be careful with messages that ask for personal or private info. Most trustworthy organizations won't ask for this kind of info this way.
Use safe networks. On public Wi-Fi networks, only do sensitive tasks or access personal accounts when you are using a trustworthy VPN.
Keep files secure. Store sensitive info in encrypted vaults that are password-protected to keep unauthorized people out.
Update your software. Keep your device's operating system and apps up-to-date. Installing updates as soon as they come out can keep you from exposing your system to breaches.
Don't share too much personal info. Try to share as little personal info online as possible, and be careful who you share it with.
Watch app permissions. Pay attention to what data access you're giving to apps on your mobile devices.
Limit social media info. We often share too much info on social media without realizing it. Ensure your accounts are private and limit the personal info you share.
Get security software. Use reliable antivirus solutions, such as Bitdefender, Norton, and McAfee, to protect your devices. These antivirus solutions can detect and stop cyber threats before they could lead to a security breach.
Use a Virtual Private Network (VPN). A VPN can make your online activity safer by encrypting your web activity and IP address, making it harder for hackers to see what you're doing online.
Companies often become targets for data breaches because they have a lot of valuable data. Here are some steps companies can take to avoid data breaches:
Train employees. Many data breaches start because an employee clicks on a bad link or file. Training can help employees avoid these risks. Good habits include:
Storing files properly after use.
Logging out of computers after use.
Locking offices and file cabinets when not in use.
Only using work devices for work.
Supervising devices like laptops or phones.
Not storing personal info on work devices.
Using work devices when working from home.
Set password policies. Use modern password policies for all applications and services. These can include minimum password lengths, using different characters, lockouts after a few failed attempts and mandatory password changes every so often.
Use Multi-Factor Authentication (MFA). Use MFA in your systems, especially for accessing sensitive data.
Encrypt data. This will make it hard for unauthorized people to access it. That’s because encryption makes data unreadable without the right decryption key.
Back up regularly. Regular backups can help recover data in case of data loss, a server crash, or even a natural disaster. Your IT team should set up automatic remote backups.
Monitor systems. Regular monitoring can help find unusual activity that might signal a data breach.
Dispose safely. Make sure any items with confidential information are destroyed properly when thrown away. There is software that can permanently delete data from devices.
Protect portable devices. Flash drives, mobile phones, and tablets can be lost or stolen. These devices should have strong passwords, anti-theft apps, and other security measures.
Update and patch systems. Ensure your systems and software are regularly updated. Many data breaches take advantage of known vulnerabilities that haven't been patched.
Use firewalls and intrusion detection/prevention systems. Firewalls can keep out unauthorized access, and detection/prevention systems can quickly identify and respond to threats.
Secure endpoints. Use endpoint security solutions like antivirus software to protect against common internet-based threats.
Control access. Use a principle of least privilege (PoLP) to give employees only the access they need for their jobs.
Do regular security audits. This helps you regularly check your security measures and fix any issues.
Secure third-party vendors. Make sure any third-party vendors with access to data have strong security practices.
Secure the network architecture. Divide your network into segments to limit how far an attacker can get.
Have a response plan. A response plan can help you react quickly and effectively if a data breach does happen.
Hire a security team. A team of security professionals can monitor, prevent, and respond to security threats more effectively than in-house staff can.
Having updated password rules for all apps and services on the company network is super important.
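The lockout rule and the monitoring step in the list above can be combined into one check over login records. The following is an added example, not code from this guide: it locks an account after repeated failures and flags a source address that fails against many different accounts, the pattern credential stuffing leaves behind. The log format, thresholds, and function names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real system). Assumed line format:
#   <ISO timestamp> LOGIN <OK|FAIL> user=<name> ip=<address>
SAMPLE_LOG = """\
2024-05-01T09:00:01 LOGIN FAIL user=alice ip=203.0.113.7
2024-05-01T09:00:03 LOGIN FAIL user=alice ip=203.0.113.7
2024-05-01T09:00:05 LOGIN FAIL user=alice ip=203.0.113.7
2024-05-01T09:00:07 LOGIN FAIL user=alice ip=203.0.113.7
2024-05-01T09:00:09 LOGIN FAIL user=alice ip=203.0.113.7
2024-05-01T09:00:11 LOGIN OK user=alice ip=203.0.113.7
2024-05-01T09:05:01 LOGIN FAIL user=bob ip=198.51.100.23
2024-05-01T09:05:02 LOGIN FAIL user=carol ip=198.51.100.23
2024-05-01T09:05:03 LOGIN FAIL user=dave ip=198.51.100.23
2024-05-01T09:05:04 LOGIN FAIL user=erin ip=198.51.100.23
2024-05-01T09:05:10 LOGIN OK user=frank ip=198.51.100.23
2024-05-01T09:10:00 LOGIN FAIL user=grace ip=192.0.2.10
2024-05-01T09:10:30 LOGIN OK user=grace ip=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(text):
    """Return (timestamp, succeeded, user, ip) tuples in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are ignored
            events.append((datetime.fromisoformat(m["ts"]),
                           m["result"] == "OK", m["user"], m["ip"]))
    return sorted(events)


def analyze(events, window=timedelta(minutes=10),
            max_failures=5, max_users_per_ip=4):
    """Apply a lockout policy and flag credential-stuffing sources.

    max_failures:     failed logins for one account inside `window`
                      before the account is locked (assumed threshold).
    max_users_per_ip: distinct accounts one address may fail against
                      inside `window` before it is flagged (assumed).
    """
    fails_by_user = defaultdict(deque)  # user -> recent failure times
    fails_by_ip = defaultdict(deque)    # ip -> recent (time, user) failures
    report = {"locked_accounts": set(),
              "credential_stuffing": set(),
              "review_logins": []}

    for ts, ok, user, ip in events:
        if ok:
            # A success on a locked account, or from a flagged address,
            # may mean a guessed or reused password worked: review it.
            if (user in report["locked_accounts"]
                    or ip in report["credential_stuffing"]):
                report["review_logins"].append((user, ip))
            else:
                fails_by_user[user].clear()  # normal login resets the count
            continue

        user_q, ip_q = fails_by_user[user], fails_by_ip[ip]
        user_q.append(ts)
        ip_q.append((ts, user))
        # Drop failures that have aged out of the sliding window.
        while ts - user_q[0] > window:
            user_q.popleft()
        while ts - ip_q[0][0] > window:
            ip_q.popleft()

        if len(user_q) >= max_failures:
            report["locked_accounts"].add(user)
        if len({u for _, u in ip_q}) >= max_users_per_ip:
            report["credential_stuffing"].add(ip)
    return report


if __name__ == "__main__":
    result = analyze(parse_events(SAMPLE_LOG))
    for key, value in result.items():
        print(key, value)
```

A single mistyped password followed by a correct login (the last two sample lines) is not flagged, which keeps the alert volume down for ordinary users.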
If you've been the victim of a data breach, act quickly to protect your identity and financial information. Here are simple step-by-step guides for both individuals and businesses.
If you find out that your data was leaked, follow these steps to reduce possible harm:
Verify the breach. Make sure the news about the leak is true. You can do this by checking the company that was hacked or by checking the news. You can also use a tool like haveibeenpwned.com, which tells you if your email account has been hacked and what information was leaked.
Find out what was leaked. Find out what data got leaked. This helps you know your risks and what to do next.
Change your passwords. Change your password for the hacked service. If you used the same password for other accounts, change those too.
Watch your accounts. Watch your online and bank accounts for any weird activity. If you see something strange, contact the bank or service right away.
Contact credit bureaus. If important info like your Social Security number got leaked, tell one of the big credit bureaus (Experian, TransUnion, Equifax). They can put a fraud alert on your credit reports.
Freeze credit reports. Freezing your credit report stops people from opening accounts in your name. It doesn't hurt your credit score. You can freeze your reports by contacting the credit bureaus.
File your taxes early. If your Social Security number has leaked, do your taxes early. This way, a hacker can't file a fake tax return in your name.
Stay up-to-date. Keep track of news about the data leak. The company that got hacked should tell you what they're doing about the breach and what you should do.
Always double-check the news about a data leak from a trusted source before you act.
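The password advice earlier in this guide (at least 12 characters, mixed character types, a different password per account) and the "change your passwords" step above can be checked together. The following is an added example, not code from this guide: it audits a password list and, given the breached service, reports every account that shares its password. The vault contents, service names, and function names are constructed assumptions.

```python
import hashlib
import hmac
import os
import string
from collections import defaultdict

MIN_LENGTH = 12  # minimum length recommended in this guide

# Constructed sample vault: service -> password (all values are made up).
VAULT = {
    "shop.example": "Summer2023!",
    "mail.example": "Summer2023!",
    "bank.example": "t7#Vq9!mZr2$Lp",
    "forum.example": "correcthorsebattery",
}


def policy_issues(password):
    """List the ways a password misses the guide's recommendations."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("shorter than 12 characters")
    if not any(c.isalpha() for c in password):
        issues.append("no letters")
    if not any(c.isdigit() for c in password):
        issues.append("no numbers")
    if not any(c in string.punctuation for c in password):
        issues.append("no special symbols")
    return issues


def fingerprint(password, key):
    """Keyed hash used to compare passwords without keeping plaintext."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def audit(vault, breached_service, key=None):
    """Return weak passwords, reuse groups, and accounts to change now."""
    if breached_service not in vault:
        raise KeyError(breached_service)
    # A random per-run key means the fingerprints are useless elsewhere.
    key = key or os.urandom(32)
    by_fingerprint = defaultdict(list)
    weak = {}
    for service, password in vault.items():
        by_fingerprint[fingerprint(password, key)].append(service)
        issues = policy_issues(password)
        if issues:
            weak[service] = issues
    groups = [sorted(g) for g in by_fingerprint.values()]
    return {
        "weak": weak,
        # Services that share one password with at least one other service.
        "reused": sorted(g for g in groups if len(g) > 1),
        # The breached service plus everything that shares its password.
        "change_now": next(g for g in groups if breached_service in g),
    }


if __name__ == "__main__":
    for key, value in audit(VAULT, "shop.example").items():
        print(key, value)
```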
If your business faces a data breach, act quickly and follow proper procedures to limit damage and legal problems. Here's what to do if your business has a data breach:
Stop the breach. This might mean disconnecting affected computers from the internet, changing passwords, or other steps based on what happened.
Find out what happened. Try to understand what data was stolen, how the breach happened, and who did it. This helps you improve your security in the future and inform the people who were affected.
Tell people who were affected. In many jurisdictions, you have to tell people if their personal information was stolen. It's usually a good idea even if you don't have to.
Tell regulators. Depending on what was stolen and how it happened, you might need to tell certain government bodies. Check the laws where you live to understand what you have to do.
Save the evidence. As hard as it may be, keep all evidence. It could help you find out who started the breach.
Get help. Get advice from legal and cybersecurity experts. They can help you understand what to do next.
Prevent future breaches. Based on what you learn, take steps to stop similar breaches in the future. The steps include updating your software, training your team better, and more.
Watch out for more attacks. Keep a close eye on your systems and accounts after a breach. Hackers might have other ways in, or they might try to use the stolen data to attack you again.
Write everything down. Record the breach, your investigation, and what you did about it. This could be important for legal reasons and help you learn from the experience.
Talk to people who found the breach. Those who discovered the breach probably understand it best. Make sure to have an exhaustive conversation with them about what happened.
For businesses, it's important to act quickly and follow proper procedures to limit damage.
Security breach notification laws state that people, businesses, and groups must tell others if a security breach happens. These laws vary depending on the jurisdiction. Different places worldwide have different ideas about what a breach is, what kind of information is important, and who needs to be notified.
Here are some of the big security breach laws in different parts of the world:
United States: In the U.S., there isn't one law for all businesses about informing people about data breaches. But all 50 states and some territories have their own laws. These laws say businesses or government groups must tell people if a security breach involves personal information.
European Union: The General Data Protection Regulation (GDPR) states businesses have to inform a supervisory authority about some types of personal data breaches. If they can, they have to do this within 72 hours of finding out about the breach. If the breach might cause a big risk to people's rights and freedoms, businesses have to tell those people immediately.
Australia: There's a system called the Notifiable Data Breaches (NDB) scheme in Australia. It says groups and agencies must inform people about a data breach that could seriously harm them. Organizations also have to suggest what steps people can take after the breach. The Australian Information Commissioner must be notified, as well.
Canada: Since November 2018, there has been a law called the Personal Information Protection and Electronic Documents Act (PIPEDA). This law states that, in some cases, organizations have to tell people and the Privacy Commissioner of Canada about privacy breaches.
Security breach notification laws can be very different depending on where you are.
We've answered some of the most searched questions about data breaches.
There are different ways data breaches can happen. Here are a few types:
Hacking: Hacking is when someone gets into a system or network without permission to take data. They do this by finding weaknesses in the system or using stolen login info.
Phishing Attacks: In a phishing attack, a scammer tricks people into giving out sensitive data. They do this by pretending to be someone trustworthy via emails, text messages, or phone calls.
Malware Breaches: Malware is bad software like viruses or spyware. In a malware breach, this software collects data without the user knowing.
Physical Theft: This is when hard drives, laptops, or paper records with sensitive information end up in the wrong hands.
Insider Threats: An insider threat happens when someone inside an organization uses their access to take or expose sensitive data.
Unintended Disclosure: This is when sensitive data is accidentally given to people who aren't supposed to have it. This incident can happen because of a mistake or because data security wasn't good enough.
According to the General Data Protection Regulation (GDPR), a data breach means there's been a security problem. This problem could cause personal data to be destroyed, lost, changed, revealed, or accessed without permission.
The GDPR says businesses must tell the proper authorities about some types of data breaches within 72 hours of discovering them. If the breach could seriously harm people's rights and freedoms, the business must tell the affected people as soon as possible. If a business doesn't comply, they could be fined a lot of money.
Yes, a data breach can be very risky for people and businesses. For people, a data breach could lead to identity theft, loss of money, and privacy violation.
If a person's data gets breached, they might have to change passwords, keep an eye on their bank accounts for unusual activity, or even freeze their credit to prevent more damage.
For businesses, a data breach could be even more harmful. They could be fined, especially under laws like the GDPR, and their reputation could be seriously damaged. This could make customers lose trust in them. Additionally, lawsuits from the people or groups affected by the breach can occur.
All in all, businesses need to have good cybersecurity to lower these risks. A robust cybersecurity plan always includes using a reliable cybersecurity suite, such as Bitdefender and Norton. Visit our antivirus comparison page for in-depth information on the best antivirus available for your business.
The three main parts of a data breach are access, acquisition, and harm:
Access happens when someone who doesn't have permission gets into a system with sensitive information. They can do this in many ways, like hacking, tricking people into giving them information or even stealing physical items.
Acquisition is the next part, where the person who shouldn't have access takes the data from the system. This is the actual data breach.
Harm is the breach's negative impact on people or businesses. Problems can include identity theft, losing money, or damaging a business's reputation.
Yes, a data breach is a type of cybercrime. Cybercrime means doing something illegal by getting into digital systems or networks to steal, change, or destroy data. There are many ways to do this, from complex hacking to simple tricks like phishing, which often exploits human psychology.
But a data breach isn't just getting unauthorized access or stealing data. It also includes selling or using stolen data to do more illegal things, like stealing someone's identity or committing fraud. That’s why we need strong cybersecurity, legal action, and countries working together to fight against cybercrime and data breaches.
Octav Fedor (Cybersecurity Editor)
Octav is a cybersecurity researcher and writer at AntivirusGuide. When he’s not publishing his honest opinions about security software online, he likes to learn about programming, watch astronomy documentaries, and participate in general knowledge competitions.