A data breach, also known as data leakage, is "the unauthorized exposure, disclosure, or loss of personal information". Attackers have a variety of motives, from financial gain to hacktivism, political repression, and espionage. There are several technical root causes of data breaches, including accidental or intentional disclosure of information by insiders, loss or theft of unencrypted devices, hacking into a system by exploiting software vulnerabilities, and social engineering attacks such as phishing, in which insiders are tricked into disclosing information. Although prevention efforts can reduce the risk of a data breach, they cannot eliminate it.
A large number of data breaches are never detected. If a breach becomes known to the company holding the data, post-breach efforts commonly include containing the breach, investigating its scope and cause, and notifications to people whose records were compromised, as required by law in many jurisdictions. Law enforcement agencies may investigate breaches, although the hackers responsible are rarely caught.
Criminals often sell data obtained in breaches on the dark web. Thus, people whose personal data was compromised are at elevated risk of identity theft for years afterwards and a significant number will become victims of this crime. Data breach notification laws in many jurisdictions, including all states of the United States and European Union member states, require the notification of people whose data has been breached. Lawsuits against the company that was breached are common, although few victims receive money from them. There is little empirical evidence of economic harm to firms from breaches except the direct cost, although there is some evidence suggesting a temporary, short-term decline in share price.
Vulnerabilities vary in how readily malicious actors can exploit them. The most valuable allow the attacker to inject and run their own code (malware) without the user being aware of it. Some malware is downloaded by users who click a malicious link, but a malicious web page can also install malware merely by being visited (a drive-by download). Keyloggers, malware that records a user's keystrokes, are often used in data breaches. Storing passwords only as the output of a hash function also limits what an attacker can recover from a stolen credential database, but only if the hashing algorithm is sufficiently strong against brute-force attacks.
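As an added example (not code from the article or any of the works it cites), the following Python shows why the choice of hash matters once a credential table has leaked: a fast, unsalted hash lets an attacker precompute one lookup table that cracks every user at once, whereas a salted, deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here) forces a full computation per user per guess. The user names, passwords and word list are constructed for the demonstration.

```python
"""Added example, not from the article: why a stolen credential table hashed
with a fast, unsalted hash is cheap to crack, and how a salted, deliberately
slow key-derivation function limits the damage. All sample data is constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed word list an attacker might try against a leaked table.
WORDLIST: List[str] = ["password", "letmein", "hunter2", "qwerty", "changeme"]


def fast_unsalted_hash(password: str) -> str:
    """Weak scheme: a single SHA-256 over the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Precompute one hash per candidate word, then look every user up in that
    table. Cost is len(wordlist) hashes no matter how many users leaked, and
    users who share a password share a hash."""
    table = {fast_unsalted_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def slow_salted_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = 200_000) -> str:
    """Stronger scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt. The
    stored record carries the parameters so the hash can be verified later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Against salted records there is no shared lookup table: every (user, word)
    pair costs a full KDF run, so the work scales with users x words x iterations."""
    found: Dict[str, str] = {}
    for user, record in stored.items():
        for w in wordlist:
            if verify_salted(w, record):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3-xyz"}
    weak = {u: fast_unsalted_hash(p) for u, p in users.items()}
    print("unsalted, identical for alice/bob:", weak["alice"] == weak["bob"])
    print("cracked from one precomputed table:", crack_unsalted(weak, WORDLIST))
    strong = {u: slow_salted_hash(p, iterations=50_000) for u, p in users.items()}
    print("salted, identical for alice/bob:", strong["alice"] == strong["bob"])
    print("cracked only by running the KDF per guess:", crack_salted(strong, WORDLIST))
```

The iteration count is the tunable cost: the defender pays it once per login, the attacker once per guess per user. In production one would use a purpose-built password hash such as scrypt or Argon2 and a library-managed record format; PBKDF2 is used here only because it is in the Python standard library.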
Many data breaches occur on the hardware operated by a partner of the organization targeted—including the 2013 Target data breach and 2014 JPMorgan Chase data breach. Outsourcing work to a third party leads to a risk of data breach if that company has lower security standards; in particular, small companies often lack the resources to take as many security precautions. As a result, outsourcing agreements often include security guarantees and provisions for what happens in the event of a data breach.
Another source of breaches is accidental disclosure of information, for example publishing information that should be kept private. With the increase in remote work and bring your own device policies, large amounts of corporate data are stored on the personal devices of employees. Through carelessness or disregard of company security policies, these devices can be lost or stolen. Technical solutions can prevent many causes of human error, such as encrypting all sensitive data, preventing employees from using insecure passwords, installing antivirus software to prevent malware, and implementing a robust patching system to ensure that all devices are kept up to date.
The architecture of a company's systems plays a key role in deterring attackers. Daswani and Elbayadi recommend having only one means of authentication, avoiding redundant systems, and making the most secure setting default. Defense in depth and distributed privilege—requiring multiple authentications to perform an operation—can make systems more difficult to compromise. Giving employees and software the least amount of access necessary to fulfill their functions (principle of least privilege) limits the likelihood and damage of breaches. Several data breaches were enabled by reliance on security by obscurity; the victims had put access credentials in publicly accessible files. Nevertheless, prioritizing ease of use is also important because otherwise users might circumvent the security systems. Rigorous software testing, including penetration testing, can reduce software vulnerabilities, and must be performed prior to each release even if the company is using a continuous integration/continuous deployment model where new versions are constantly being rolled out.
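The "credentials in publicly accessible files" failure above is one that a routine check can catch before an attacker does. The following scanner is an added example (not code from the article or from Daswani and Elbayadi): it walks a set of files looking for three well-known indicators, a literal assigned to a variable whose name suggests a credential, an AWS access key ID (the documented 20-character `AKIA...` form), and a PEM private-key header, and uses a Shannon-entropy threshold to skip placeholders such as `changeme`. The file tree and its contents are constructed in memory; nothing in it is a real secret, and the regular expressions are assumptions chosen for the demonstration rather than an exhaustive rule set.

```python
"""Added example, not from the article: a small scanner for credentials left
in files that may be publicly readable (a web root, a public repository).
The sample tree, patterns and threshold are constructed for this demo."""
import math
import re
from typing import Dict, List, Tuple

# Constructed sample tree: path -> contents. Nothing here is a real secret;
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
SAMPLE_FILES: Dict[str, str] = {
    "public_html/config.php": "<?php\n$db_password = 'S3cretP@ssw0rd!';\n",
    "scripts/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "notes/README.md": "Set the password in the admin panel, not in this file.\n",
    "config/example.env": "PASSWORD=changeme\n",
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n",
    "app/settings.py": "DEBUG = False\nTIMEOUT = 30\n",
}

PATTERNS = {
    # A literal assigned to a variable whose name suggests a credential.
    "assigned credential": re.compile(
        r"(?i)\b[a-z_]*(?:password|passwd|secret|token|api_key)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
    # AWS access key IDs: 20 characters beginning with AKIA.
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM-encoded private key material of any type.
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

ENTROPY_THRESHOLD = 3.0  # bits per character; assumption tuned for this demo


def shannon_entropy(s: str) -> float:
    """Bits per character of s; generated secrets score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line number, indicator) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            # Drop low-entropy assignments such as placeholders and prose.
            if name == "assigned credential" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
                continue
            findings.append((path, lineno, name))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    out: List[Tuple[str, int, str]] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for path, lineno, indicator in scan_tree(SAMPLE_FILES):
        print("%s:%d: %s" % (path, lineno, indicator))
```

Run against a real tree, replace `SAMPLE_FILES` with files read from disk and hook the scanner into a pre-commit check or a periodic job over the web root; the entropy filter trades some misses for fewer false positives, so review what it skips when tuning the threshold.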
The principle of least persistence—avoiding the collection of data that is not necessary and destruction of data that is no longer necessary—can mitigate the harm from breaches. The challenge is that destroying data can be more complex with modern database systems.
To stop exfiltration of data, common strategies include shutting down affected servers or taking them offline, patching the vulnerability, and rebuilding the affected systems. Once the exact way that the data was compromised is identified, there are typically only one or two technical vulnerabilities that need to be addressed in order to contain the breach and prevent it from recurring. A penetration test can then verify that the fix works as expected. If malware is involved, the organization must investigate and close all infiltration and exfiltration vectors, as well as locate and remove all malware from its systems. If data was posted on the dark web, companies may attempt to have it taken down. Containing the breach can compromise the investigation, and some tactics (such as shutting down servers) can violate the company's contractual obligations.
Gathering data about the breach can facilitate later litigation or criminal prosecution, but only if the data is gathered according to legal standards and the chain of custody is maintained. Database forensics can narrow down the records involved, limiting the scope of the incident. Extensive investigation may be undertaken, which can be even more expensive than litigation. In the United States, breaches may be investigated by government agencies such as the Office for Civil Rights of the United States Department of Health and Human Services and the Federal Trade Commission (FTC). Law enforcement agencies may investigate breaches, although the hackers responsible are rarely caught.
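Maintaining chain of custody in practice means being able to show, later, that each item of evidence is byte-for-byte what was collected and who held it in between. The following Python is an added example, not code from the article or from any forensic tool it mentions: it builds a manifest of SHA-256 hashes for collected items, hashes the manifest entries themselves, and records handoffs in a hash chain so that a modified file, a missing file, an edited entry or a removed handoff is all detected on verification. The evidence bytes, case ID and names are constructed for the demonstration; a real collection would hash acquired files and disk images.

```python
"""Added example, not from the article: a hash manifest and hash-chained
custody log for evidence collected during a breach investigation, so that
later modification, loss or an undocumented handoff is detectable. The
evidence bytes below are constructed in memory."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_hash(obj) -> str:
    """Hash of a canonical JSON encoding (sorted keys, fixed separators), so
    the same content always hashes the same regardless of dict ordering."""
    return sha256_hex(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())


def build_manifest(evidence: Dict[str, bytes], collector: str, case_id: str) -> dict:
    """One entry per item: name, size, SHA-256, who collected it and when (UTC).
    The entry list is itself hashed so later edits to the manifest show up."""
    now = datetime.now(timezone.utc).isoformat()
    items = [{"name": name, "size": len(data), "sha256": sha256_hex(data),
              "collected_by": collector, "collected_at": now}
             for name, data in evidence.items()]
    return {"case_id": case_id, "items": items,
            "items_sha256": canonical_hash(items), "custody": []}


def record_handoff(manifest: dict, from_person: str, to_person: str) -> None:
    """Append a custody entry whose hash covers the previous entry's hash,
    forming a chain anchored at the manifest's item hash."""
    chain = manifest["custody"]
    prev = chain[-1]["entry_sha256"] if chain else manifest["items_sha256"]
    entry = {"from": from_person, "to": to_person,
             "at": datetime.now(timezone.utc).isoformat(), "prev": prev}
    entry["entry_sha256"] = canonical_hash(entry)
    chain.append(entry)


def verify(manifest: dict, evidence: Dict[str, bytes]) -> List[str]:
    """Return a list of problems; an empty list means everything checks out."""
    problems: List[str] = []
    if canonical_hash(manifest["items"]) != manifest["items_sha256"]:
        problems.append("manifest entries were modified")
    for item in manifest["items"]:
        data = evidence.get(item["name"])
        if data is None:
            problems.append("missing item: " + item["name"])
        elif sha256_hex(data) != item["sha256"]:
            problems.append("hash mismatch: " + item["name"])
    prev = manifest["items_sha256"]
    for i, entry in enumerate(manifest["custody"]):
        body = {k: v for k, v in entry.items() if k != "entry_sha256"}
        if entry["prev"] != prev or canonical_hash(body) != entry["entry_sha256"]:
            problems.append("custody chain broken at entry %d" % i)
            break
        prev = entry["entry_sha256"]
    return problems


if __name__ == "__main__":
    # Constructed evidence for the demo; real items would be files or images.
    ev = {"webserver.log": b"constructed log data\n", "db_dump.sql": b"INSERT INTO ...\n"}
    m = build_manifest(ev, "analyst A", "IR-0001")
    record_handoff(m, "analyst A", "outside counsel B")
    print("intact:", verify(m, ev))
    ev["webserver.log"] = b"constructed log data (edited)\n"
    print("after edit:", verify(m, ev))
```

The manifest should be stored and signed separately from the evidence (a signature over `items_sha256` by the collector, or a copy held by counsel), since an attacker who can rewrite both the evidence and the manifest can recompute every hash; hashing alone proves integrity relative to the recorded manifest, not who recorded it.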
Notifications are typically sent out as required by law. Many companies offer free credit monitoring to people affected by a data breach, although only around 5 percent of those eligible take advantage of the service. Issuing new credit cards to consumers, although expensive, is an effective strategy to reduce the risk of credit card fraud. Companies try to restore trust in their business operations and take steps to prevent a breach from reoccurring.
Information obtained in a breach may be used for a variety of purposes, such as spamming, obtaining products with a victim's loyalty or payment information, identity theft, prescription drug fraud, or insurance fraud. The threat of a data breach, or of revealing information obtained in one, can also be used for extortion.
Consumers may suffer various forms of tangible or intangible harm from the theft of their personal data, or not notice any harm. A significant portion of those affected by a data breach become victims of identity theft. A person's identifying information often circulates on the dark web for years, causing an increased risk of identity theft regardless of remediation efforts. Even if a customer does not end up footing the bill for credit card fraud or identity theft, they have to spend time resolving the situation. Intangible harms include doxxing (publicly revealing someone's personal information), for example medication usage or personal photos.
Estimating the cost of data breaches is difficult, both because not all breaches are reported and because calculating the impact of breaches in financial terms is not straightforward. There are multiple ways of calculating the cost to businesses, especially when it comes to personnel time dedicated to dealing with the breach. Author Kevvie Fowler estimates that more than half the direct cost incurred by companies is in the form of litigation expenses and services provided to affected individuals, with the remaining cost split between notification and detection, including forensics and investigation. He argues that these costs are reduced if the organization has invested in security prior to the breach or has previous experience with breaches. The more data records involved, the more expensive a breach typically will be. In 2016, researcher Sasha Romanosky estimated that while the mean breach cost the targeted firm around $5 million, this figure was inflated by a few highly expensive breaches, and the typical data breach was much less costly, around $200,000. Romanosky estimated the total annual cost to corporations in the United States to be around $10 billion. A 2025 data breach at the cryptocurrency exchange Coinbase was estimated to have led to as much as $400 million in total losses, including damage to customers, a ransom demanded by the hackers, legal costs, lost crypto assets, reputational fallout, and compliance costs.
In healthcare, the HIPAA Breach Notification Rule, enacted as part of the HITECH Act in 2009, requires covered entities and business associates to notify affected individuals within 60 days of discovering a breach of unsecured protected health information (PHI). Breaches affecting 500 or more individuals must also be reported to the Office for Civil Rights (OCR) and to prominent media outlets, and are posted publicly on the HHS Breach Portal, informally known as the "Wall of Shame". The February 2024 Change Healthcare cyberattack, which exposed the data of approximately 100 million individuals, highlighted the scale of healthcare data breach risks and led to increased scrutiny of cybersecurity practices across the healthcare sector.
Thomas on Data Breach listed 62 United Nations member states that are covered by data breach notification laws. Some other countries require breach notification in more general data protection laws. Shortly after the first reported data breach in April 2002, California passed a law requiring notification when an individual's personal information was breached. In the United States, notification laws proliferated after the February 2005 ChoicePoint data breach, widely publicized in part because of the large number of people affected (more than 140,000) and also because of outrage that the company initially informed only affected people in California. In 2018, the European Union's General Data Protection Regulation (GDPR) took effect. The GDPR requires notification within 72 hours, with very high fines possible for large companies not in compliance. This regulation also stimulated the tightening of data privacy laws elsewhere. The only United States federal law requiring notification for data breaches is limited to medical data regulated under HIPAA, but all 50 states (since Alabama passed a law in 2018) have their own general data breach notification laws.