What is a Data Breach?
As technology continues to advance, businesses both large and small are collecting data from their customers in exponentially increasing volumes. “Big Data” is the term used to describe the vast amounts of data that are being collected by organisations today, which might amount to as much as several exabytes (an exabyte is one billion gigabytes).
These almost unimaginably large data sets can be mined to spot business trends, to predict customer behaviour, and to achieve greater understanding for organisations in all sectors. However, with increased possibility comes increased responsibility.
As well as implementing procedures to collect all this data, steps must be taken to ensure safe and secure storage. Data breaches cost Australian businesses over $29 billion every year, as well as damaging consumer trust and brand reputation.
To mitigate this damage, it’s vital for organisations of any size to understand the real risk and impact of data breaches, and how they can work to prevent them. It is also important that business owners understand how to recover quickly from breaches that could not be prevented.
Data Breach: A Definition
To take steps towards preventing data breaches, we first need to recognise exactly what a data breach is.
In a data breach incident, the company’s data protection systems fail and information is accessed or taken without authorisation. This may be business data or customer data, and may include sensitive details such as credit card numbers or confidential information.
Data breaches can be accidental (such as an employee emailing confidential information to the wrong person), or malicious (external hacking or malware attacks, or internal attacks by a disgruntled employee).
Sometimes data breaches can happen without any adverse consequences or without even being noticed. In other cases, a serious data breach could have dire consequences for a company in terms of finances, operations, or reputation.
Why Do Data Breaches Occur?
Sometimes data breaches happen unintentionally, and this is usually caused by human or system error. Common unintended data breaches include:
- Employees accidentally sending information to the wrong users
- Losing hardware such as a laptop or tablet that has sensitive data stored on it
- Leaving a computer on without password protection somewhere where others may see what’s on the screen or access other information
- User accounts becoming compromised after a hardware or software upgrade
Even though these kinds of data breaches are not malicious in nature, they can still be extremely damaging to company reputation and customer trust.
Targeted data breaches usually occur because a malicious third party wants to gain information, profit financially, or discredit the company publicly. Examples of this type of data breach include:
- Stealing credit card numbers to use them fraudulently
- Rival companies accessing sensitive company information (cyber espionage)
- Stealing personal information for identity theft or blackmail
- Demonstrating data security flaws to damage the reputation of the company.
The Phases of a Data Breach
Targeted data breaches tend to follow the same pattern, which looks like the following:
- Research – A hacker looks for weak points in the system that can then be exploited. This might be something as simple as a weak employee password, or they might probe the system or network for a technical weakness.
- Attack – After identifying where the company’s data security can be breached, the hacker starts the attack. This might be via the company network, in the form of an SQL injection, which attacks the database directly; malware, which can be used to steal passwords and gain access to other information; or a social attack that fools employees into giving up their login credentials or personal information (something as simple as a phishing email claiming to be from IT support).
- Exfiltration – Once they’ve successfully gained access to the network, the hacker can access, download, damage, or delete valuable data. In some cases this unauthorised access may go unnoticed for months or years.
Top Causes of Data Breaches
Robust data security policies and procedures are the best way to protect against a data breach. A system is only as secure as its weakest point, so it’s vital that each individual employee understands his or her role in protecting the company network and data.
Some of the most common causes of data breaches include:
- Outdated software with security vulnerabilities
- Weak passwords
- Human error such as emailing sensitive data to the wrong person, or sharing account information with an unauthorised user
- Physically leaving or losing hardware such as a laptop or USB drive in a public place
- Physical hardware or data storage devices being stolen
- Phishing scams (software or people pretending to be something or someone else to extract passwords and other valuable data from individuals)
- Malware and trojans
- Unauthorised access or use of data by an internal employee or external contractor
- Incorrect configuration of systems (commonly during an upgrade or moving data to a different storage system)
- Direct hacking.
The Impact of a Data Breach
A successful targeted attack or an accidental data breach can have many damaging consequences on an individual or organisation.
When sensitive personal information is stolen, it can be used in many different ways. Identity theft is one of the major concerns, in which criminals use someone else’s identity to fraudulently obtain credit, rent property, or facilitate other crimes.
Credentials may also be stolen from insecure accounts and later used to access sensitive information in other accounts. This is a particular issue when users reuse passwords across different accounts, or when the password can be guessed from a combination of personal data such as phone number and birthdate.
Individuals may be targeted financially (such as the use of a stolen credit card number), or in other ways. For example, sensitive information may even be used for blackmail.
Companies that are victims of a data breach may lose thousands or even millions of dollars due to legal fines, compensation and lawsuits.
Apart from the financial implications, data breaches can severely damage the reputation of a business. If sensitive internal company information is stolen, perhaps in a case of corporate espionage, this may have a negative impact on contracts and future business plans.
Hackers can also use accounts accessed via a breach to delete or corrupt vital data, or to launch a virus that could bring down your entire system, causing days of lost work hours.
Notable Data Breaches
There have been several significant data breaches involving both private and government organisations in Australia and globally.
Global data analytics company Equifax was attacked by hackers in 2017, in a data breach that was thought to affect almost half the US population. People in other countries also had sensitive data stolen, which included names, addresses, birthdates, and social security numbers.
In November 2018 Marriott hotel group confirmed that the Starwood hotel guest database containing details of 500 million customers had been breached. Amazingly, unauthorised access to the database had been continuing unnoticed since 2014.
Australia’s biggest data breach happened in 2016 when 1.3 million medical data records of individuals who had donated blood to the Red Cross were published to a public website. The breach was attributed to human error.
In a more recent data breach, at the end of 2018, Australia’s Nova Entertainment informed 250,000 users that their personal information had been compromised including home addresses, phone numbers, birthdates, and passwords.
The Federal Parliament was also hacked in February 2019 in a sophisticated cyber attack that was thought to be sponsored by an unidentified foreign government. While there was no evidence that data had been accessed, there are fears that such an attack may have been designed to discredit political parties or undermine public trust in Parliament.
How to Check if Your Data Has Been Breached
Individuals can check if their personal email has been involved in a known breach by using the tools at the website haveIbeenpwned.com.
Businesses sometimes do not know about a data breach until they are contacted by the hacker or until the information is leaked publicly. It takes 197 days – over six months – for the average business to discover a data breach, in which time the damage caused could be irreparable.
Obviously this is a less than ideal situation, so it’s vital for organisations to monitor how the network is being used and who is accessing data, so that potential data breaches can be identified.
Some warning signs of a data breach include:
- Unusual network traffic
- Unknown IP addresses on your network
- Multiple failed login attempts
- Suspicious activity on the network – particularly out of normal business hours
- Random unexplained system reboots
- Unusually slow computers or network
- Files or databases appear to have been tampered with
- Locked out accounts
- High number of blocked accesses on enterprise firewalls
- Applications launching automatically.
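Several of the warning signs above can be surfaced by reviewing authentication logs. The following is an added example (not GA Systems’ code and not from the original article) that checks three of them against a constructed sample log: repeated failed logins against one account, IP addresses outside the known internal ranges, and successful logins outside business hours. The log line format, the 10.0.0.0/8 range, the 08:00–18:00 window and the threshold of three failures are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample authentication log (not real data); the line format is an assumption.
SAMPLE_LOG = """\
2019-03-04T09:12:01 LOGIN user=alice ip=10.0.1.15 result=success
2019-03-04T09:14:32 LOGIN user=bob ip=10.0.1.22 result=failure
2019-03-04T09:14:40 LOGIN user=bob ip=10.0.1.22 result=failure
2019-03-04T09:14:48 LOGIN user=bob ip=10.0.1.22 result=failure
2019-03-04T23:41:10 LOGIN user=alice ip=203.0.113.77 result=success
2019-03-05T02:05:44 LOGIN user=carol ip=10.0.1.30 result=success
"""

# Assumed policy values: the known internal/VPN ranges, business hours and
# the failed-login threshold are illustrative, not an actual company's settings.
KNOWN_NETWORKS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Parse each matching line into a dict with a datetime timestamp; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def is_known_ip(ip):
    return any(ip_address(ip) in net for net in KNOWN_NETWORKS)

def find_warning_signs(log_text):
    """Map three of the warning signs onto the log: return {sign: sorted hits}."""
    events = parse(log_text)
    failures = Counter(ev["user"] for ev in events if ev["result"] == "failure")
    return {
        # Multiple failed login attempts against one account (possible password guessing).
        "repeated_failures": sorted(u for u, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD),
        # Unknown IP addresses appearing on the network.
        "unknown_ips": sorted({ev["ip"] for ev in events if not is_known_ip(ev["ip"])}),
        # Successful activity outside normal business hours.
        "out_of_hours": sorted((ev["user"], ev["ts"].isoformat()) for ev in events
                               if ev["result"] == "success" and ev["ts"].hour not in BUSINESS_HOURS),
    }
```

Calling `find_warning_signs(SAMPLE_LOG)` flags bob for repeated failures, 203.0.113.77 as an unknown address, and the two night-time logins by alice and carol.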
Data breach detection software and cyber security services can shorten the time taken to detect a breach. Staff awareness training can also help individuals to spot the signs of a data breach and take appropriate steps – data protection should be everyone’s concern.
What to Do in the Event of a Data Breach
The best way to deal with data breaches is to prevent them from occurring in the first place. Updating software regularly, developing robust security operations, and investing in employee security training are some of the ways in which businesses can reduce their risk of incurring a data breach.
However, sometimes, breaches still occur, even when recommended data security procedures have been followed. If your business experiences a data breach it’s important to act quickly to limit the size and scale of the breach and limit any potential damage.
Protect user accounts as soon as the breach is identified
If a database of user information has been compromised, it’s vital to protect those accounts immediately, before they can be accessed. The standard procedure here is usually to force a password reset.
Disclose the data breach to affected individuals
By law, some Australian businesses must disclose data breaches of a certain nature to individuals and the OAIC (see below). However, in most cases, it’s in an organisation’s best interests to disclose a data breach even if they’re not legally obliged to do so.
Attempting to cover up a data breach is an abuse of customer trust, and, if discovered, this could damage your company reputation beyond repair.
In the event of a breach it’s usually best to put your hands up, admit you made a mistake, inform users of the breach as soon as possible (including its scope and the type of data involved), and inform them of the steps you’ve taken to secure their data. This also ensures that individuals can take their own actions to protect accounts such as changing passwords.
Being transparent is always the best course of action, and ensures that details surrounding the breach are based on facts and not speculation. For example the Australian Red Cross released a statement with details of a 2016 data breach, explained how they were dealing with the breach, and apologised to the individuals who were affected.
Review the breach and adapt your procedures
Once a data breach has occurred, you must identify how it happened and how you can prevent it from happening again.
Vulnerability management systems can be used to help you identify weak points in your systems and improve them. You can also improve your security overall with steps such as two-step authentication, advanced firewalls, and AI-powered suspicious activity monitoring software.
The Australian Privacy Act and How it Relates to Data Breaches
It is now law for businesses regulated by the Australian Privacy Act to report data breaches with “a risk of serious harm” to the Office of the Australian Information Commissioner (OAIC) and to the individuals affected.
This Notifiable Data Breaches scheme was implemented in February 2018 and applies to all Australian businesses and organisations with an annual turnover of $3 million or more.
Notification is not required for all data breaches – only those that involve personal information and have the potential to cause serious harm to individuals. Assessing this involves considering the type and sensitivity of the data, the scale and nature of the data breach, and the likelihood that the data may be used for malicious purposes.
Examples of data breaches which may be covered by this regulation include:
- Sensitive information such as health data
- Personal information that may be taken for identity fraud
- Financial information
- Breaches involving the data of vulnerable individuals
- Breaches involving data of large groups of individuals
- Data breaches that are not detected and blocked immediately
- Data that is unencrypted or anonymised
The OAIC was notified of 262 data breaches in the period from 1 October – 31 December 2018, 64% of which were malicious attacks.
Developing a Response Plan for a Data Breach
The OAIC publishes a data breach preparation and response guide, which organisations can use to develop their own policy for dealing with data breaches in order to limit negative consequences as far as is possible.
The faster your business responds to a data breach, the better chance you have of limiting damage. This is why it’s important to have a plan in place for responding to a data breach and to make sure it is adequately contained. This also ensures that you’re complying with legal obligations.
Your data breach response plan should be in the form of a written document that every employee has access to and is familiar with. You should also review your plan regularly to ensure it still meets the needs of your organisation.
Your plan should include:
- A definition of what a data breach is, including examples, and how to identify when one has occurred
- Action steps that should be taken to contain the data breach and mitigate any damage it may cause
- Any legal and contractual requirements for notifying organisations and individuals about the breach
- Who is responsible for reporting a breach and assessing risk
- How you will document data breaches
- A post-data-breach review process to identify how and why it occurred and what steps you can take to ensure it doesn’t happen again.
Defend Against Data Breaches with GA Systems
We use the latest cognitive security technologies to build bespoke systems to serve our clients and protect data for individuals and businesses alike. Contact us to find out more about how we can improve your security systems and protect your sensitive data.