A data breach happens when cybercriminals gain unauthorized access to a system or network, allowing them to search for sensitive data pertaining to a business and its customers, and using it to extract some form of illegal value. Attackers might sell this data on the dark web, directly engage in fraud, hold the information for ransom, or use it to inflict damage on their victim’s operations.
The types of data compromised in a breach include personally identifiable information (PII), protected health information (PHI), credential information, credit card numbers and other financial data, intellectual property, trade secrets, and classified documents.
How do data breaches occur?
Data breaches happen in a variety of ways, depending on a company’s unique points of vulnerability.
- They can take place through an exploit—a code vulnerability that the system administrators never noticed. Capitalizing on this, a cybercriminal might directly inject their own malicious code into a web application.
- Employees can fall for phishing emails that appear to be legitimate and of interest, which could lead them to inadvertently share their credentials or download spyware. These emails and download links may have been crafted using tactics known as “social engineering:” the traps through which users are psychologically manipulated into taking actions that might not be in their best interests.
- Leaked or stolen credentials can be employed in widespread attacks like credential stuffing, which capitalize on the fact that many users employ the same login details across multiple accounts.
- A technical misconfiguration can expose sensitive data or make the system accessible to the wrong people. An organization is at a heightened level of risk for a data breach if it doesn’t use protections like adaptive multi-factor authentication (AMFA).
Breaches are defined by three main stages.
- Research: Data breaches usually begin with a cybercriminal selecting a target. These criminals can be highly methodical as they look for ways to exploit either the system itself or the employees who access that system.
- Attack: Next, the cybercriminal attacks the system using one or more methods. Once they’re in, they might spend a considerable amount of time searching the infiltrated system for the most valuable data.
- Exfiltrate: In the final phase, the attacker extracts data and moves on to the commercial or malicious exploitation of that information. They might even escalate their attacks on the system or organization, armed with new information or credentials.
How does data exfiltration happen?
In the face of such concentrated evaluation and planning on the part of cybercriminals, organizations need to do some evaluation and planning of their own. That often begins by identifying points of vulnerability and securing their systems, users, and devices so that the data exfiltration never occurs.
Here are some areas of potential exploitation for cybersecurity breaches:
Insecure account authentication
As customers access different applications, websites, and digital services, they need digital accounts that are within their control. But cybercriminals also want to gain control over these accounts: they’re actively looking for ways in, and they’re becoming alarmingly successful at it. In 2018, on average 291 records were stolen every second.
Cybercriminals can sometimes use stolen information to access multiple accounts, which is almost effortless if the customer uses the same password consistently across services and doesn’t rely on additional authentication factors. Through credential stuffing, cybercriminals can automatically apply the revealed credential pairs to other websites or digital services.
Broken authentication protocols can lead to insecure account authentication, so updating customer identity and access management (CIAM) procedures can help companies protect themselves from outdated systems. Companies can also help to defend against illegitimate account takeovers by implementing adaptive MFA and integrating robust security into the user experience as seamlessly as possible. This can be done with modern technologies like biometrics, social sign-on, and email magic links.
Misplaced employee credentials
Sometimes, cybersecurity threats can come from within. These internal vulnerabilities can be exacerbated if employees have access to more sensitive information than they need to. Even if an employee doesn’t have sinister motives, giving them access to sensitive datasets increases the possibility that someone will accidentally take an action that results in a cyber breach.
To limit employee and third-party access to sensitive data, organizations can implement rigorous authentication and authorization processes so users can securely log in to their apps via single sign-on (SSO) and validate their identity via adaptive MFA. Ideally, organizations should adopt secure, phishing-proof factors that follow the WebAuthn standard to reduce the probability of a data breach.
Employees are also being targeted through spear phishing campaigns. These differ from broad-based campaigns because they’re more targeted and selective, using personal details on the victim to disguise cybercriminals while they evade automated filters and bait high-value targets. And privileged accounts see a high percentage of attacks: 59% of respondents to a recent threat report by Oracle and KPMG noted that privileged cloud accounts at their organization have been compromised by spear-phishing attacks.
Misconfigured server resources
When it comes to the cloud, in most cases, the critical issue isn’t in the security of the cloud itself. Rather, the problem is how the cloud is being configured and used. Gartner estimates that through 2025, 99% of cloud security failures will be caused by customers. And the Oracle and KPMG report revealed that 92% of IT professionals believe their organization is unable to effectively secure their public cloud services.
The responsibility for data security is shared, and there are flaws in many setups. For example, through Secure Shell (SSH), a cryptographic network protocol, it’s possible to secure system administration and file transfers over insecure networks, but an IT security survey showed that 90% of respondents don’t have a complete and accurate inventory of SSH keys.
A Cybersecurity Insiders report found that critical mistakes are being made in cloud security configurations. According to survey respondents, the biggest vulnerabilities are unauthorized access and insecure interfaces/APIs.
API security requires active monitoring and an emphasis not just on authorization, but also on authentication. Applications are continually evolving. In many cases, API design just isn’t keeping up and there aren’t enough limitations on the data that can be requested by a given user. As APIs gain popularity and support various use cases, the security risk goes up.
The consequences of data breaches
A report from 2019 shows that the cost of data breaches is rising and the financial impact of a breach may be felt for years afterwards. On the dark web, cybercriminals traffic in various illegal goods, including personal data: even old data might make the rounds and find a buyer. It’s not a place where any business or customer would want their information to end up. Yet this may be the end result of insufficient cybersecurity practices.
And the consequences of a major data breach can be stark.
- Take bread and baked goods brand Panera as an example. A cybersecurity researcher first noticed Panera’s unauthenticated API endpoint while researching online delivery portals in the restaurant industry. He reported it to the company but they didn’t fix the vulnerability quickly enough: the company exposed as many as 37 million customer records with their innaction.
- Desjardins, the largest federation of credit unions in North America, suffered a data breach that was the result of an employee improperly accessing and sharing information. That breach affected roughly 2.7 million people and 173,000 businesses.
- There were reports that Houseparty, a social networking app for video chats, had undergone a data breach, but the company denies this. Whatever the case may be, the app reportedly allowed users to choose passwords like 12345, which would be music to a cybercriminal’s ears.
- Cybersecurity researchers recently uncovered significant data exposure in the United Kingdom. Historical data from numerous consulting firms was left publicly viewable, with no authentication, as the result of a misconfigured AWS server.
And these are just the major data breaches and repercussions we know about.
Data breach laws
Data breach legislation varies from country to country, and from state to state. But as a general rule, companies affected by data breaches should quickly disclose the matter to affected parties and they should notify the appropriate government or state attorney general.
While the United States does not have a national law regarding data breach disclosures, all of its states do have relevant regulations. These all share commonalities including:
- Requirements to inform those affected as soon as the breach is discovered
- A need to inform the government
- Penalties such as fines
Many of these legislations have been based on the precedent set by California. As a result of California S.B. 1386, entities conducting business in California must notify state residents if their unencrypted personal information has been potentially acquired by an unauthorized person. Under that law, victims can sue for up to $750 per breach and companies can be fined up to $7,500 per victim.
Within the U.S., there are also rules that span industries. In healthcare, the Health Insurance Portability and Accountability Act (HIPAA) doesn’t just protect patient data, it also has specific requirements for reporting healthcare related data breaches in its Health Information Technology for Economic and Clinical Health (HITECH) Act.
In Europe, the General Data Protection Regulation (GDPR) established strict parameters for how businesses should respond to security breaches. Companies are now required to:
- Provide data breach notifications
- Appoint a data-protection officer
- Require user consent for data processing
- Anonymize data for privacy
Not following these rules can have steep financial consequences, especially if companies wait too long to report a breach.
These regulations are in place to protect individuals. But what should your organization do in the event of a breach?
What to do if you’ve been breached
It’s best if organizations have incident response plans prepared in advance of a breach, given the disturbing frequency with which they're occurring. After becoming aware of a data compromise, an organization should quickly:
- Stop the outflow of information: ensure your company isn’t still leaking critical data
- Determine which systems were affected: assess the severity and scope of the breach
- Inform affected customers: for both legal and reputational reasons, notifying customers of a breach is a critical step in recovery
- Evaluate and improve security systems: plot a clear security course so that a breach of that nature can never occur again
How to prevent data breaches
You can work to prevent a data breach in your organization by:
- Limiting access to sensitive data. There’s no reason for a backend developer to have access to HR records, and partitioning records is one way to narrow the pool of employees who might accidentally click on a link or cause a data leak.
- Investing in security awareness training. Employees open suspicious emails every day. Classes on email best practices, password hygiene, and common phishing methods will bring security awareness top of mind for teams. And once is not enough: regular training will keep employees from returning to their desks and unthinkingly clicking on a suspect link.
- Conducting asset inventories and security audits. Organizations are dynamic, and the ways they handle information security can—and should—change. Checking for flaws in existing management processes, security mechanisms, applications, and file backups can let a company find its vulnerabilities before they become liabilities.
- Developing preparedness and post-breach plans. Every team should know exactly what to do in the event of a breach before it ever happens. Plan everything from how teams will identify the extent of a breach to how they’ll notify customers, so that you don’t create lengthy gaps between a data compromise and its resolution.
Make sure that you’re, at the very least, compliant with security standards. Then, ideally, rise above those standards.
- Protecting your data with secure authentication mechanisms like SSO and adaptive MFA can help to prevent account takeovers and can solve the rampant problem of duplicate or easily guessable passwords. This should apply to both on-premises and cloud-based servers and applications—at the end of the day, to a cybercriminal, the data you host within your network is just as valuable as what’s on the cloud.
- If you can, consider going passwordless. As we’ve discussed, password breaches can wreak havoc on an organization, and the best way to mitigate this vulnerability is to eliminate it completely. At Okta, we’ve recently introduced Okta FastPass, which stores user and device relationships in the Universal Directory to make passwordless access decisions for your employees. WebAuthn is also a helpful standard here: its encrypted client server token flow ensures secure authentication.
- As the API economy continues to grow, securing your APIs is also crucial. Enabling your teams with robust authentication and authorization processes, API gateways, and identity-driven policies will be crucial to reducing the threat vector posed by APIs.
Given the different types of sophisticated attacks and the risk of exponential fallout, it’s more important than ever for companies to implement authentication best practices and ensure that users really are who they say they are.
To learn more about how Okta thinks about data breaches and information security, read the Okta Security Technical Whitepaper. And find out how Okta can help further your security efforts in our CIO eGuide to preventing data breaches.