What Is Data Theft?
Data theft is the act of stealing information stored on corporate databases, devices, and servers. This form of corporate theft is a significant risk for businesses of all sizes and can originate both inside and outside an organisation.
The term data theft can give the impression that this kind of breach is based on malicious intent, but this is not always the case: data theft can also be an unintentional act. An employee may, for example, take home information on an unsecured flash drive or retain access to information after their contract has ended.
The malicious theft of employee data often occurs without the victims ever knowing about it, as a result of their accounts or personal devices being compromised by hackers capitalising on poor password management or unsecure networks. Bad actors that gain access to companies’ systems can lurk inside networks, pretending to be a legitimate user for days, weeks, or years. By remaining undetected, they can gain additional access rights to increasingly sensitive corporate datasets and pose a growing threat to unaware businesses.
Why data theft matters
Financial gain is the primary motivator of corporate data theft, and has been identified as the cause for at least 86% of breaches. By stealing data and selling it to other bad actors, attackers can reap the benefits of exploiting a company’s security vulnerabilities.
For businesses, the impact of data breaches can be devastating, both in terms of financial cost and reputational damage. The average cost of a data breach was more than $1.2 million in 2018, an increase of 24% from the previous year. Smaller organisations that don’t have the resources to respond to and recover from the impacts of data theft are particularly at risk: 60% of small businesses that suffer an attack go out of business within six months.
But the repercussions of data theft go beyond the immediate financial impact for companies. Businesses experiencing a theft can suffer:
- Ransomware demands from attackers: Organisations can have their information held hostage by cybercriminals, and paying to get it back isn’t a guaranteed solution.
- Steep recovery costs: Data recovery can vary in cost depending on the system originally used to store a backup, and patching systems after a breach can send that bill even higher.
- Reputational damage and customer attrition: Existing customers can and will leave in the event of data theft, and it can be hard for brands with a history of breaches to attract new business.
- Lawsuits from customers whose data was exposed: In the event that data was mishandled, companies are left open to the possibility of legal action from affected users.
- Downtime while data is recovered: Data theft can result in companies being unable to use their existing systems while the breach is corrected, and a loss of employee productivity can hit organisations as hard as a theft.
- Fines from regulatory bodies: Depending on the industry, a company can face steep financial repercussions for failing to meet security mandates.
With much data theft happening as a result of simple employee negligence, companies need to protect themselves from information loss and exploitation.
How does data theft occur?
Attackers use many methods to steal data from organisations. Companies can leave the door open to data theft in the following ways.
- Ineffective passwords: Attackers aim to steal passwords largely because it is a cost-effective and simple technique that reaps huge rewards.
- Poor email hygiene and basic security failures: Common data theft methodologies include email-based attacks like phishing, creating fake websites or Wi-Fi networks, and infecting USB drives. These tactics are used to steal and encrypt data in order to hold a business to ransom or simply damage their IT systems.
- Faulty networks: The ever-increasing sophistication of devices and technology is also enhancing the potential for data theft. The rise of the Internet of Things, in particular, is creating new opportunities for hackers to target a growing number of internet-connected devices and endpoints. Complex industrial machines that contain network and software sensors and healthcare systems that contain sensitive information have become lucrative targets for corporate theft.
- Unpatched servers: There is always room for further improvement in security processes, and developers are often posting fixes to existing bugs in server applications. But it’s up to administrators to implement these patches: companies that fail to check for and roll out server updates leave their systems open to exploitation.
- Publicly available information: It’s not just technology that hackers use to commit company theft. Social networks and publicly available information are increasingly important in helping cybercriminals not only target individuals, but also garner the details they need to access corporate systems and carry out employee data theft.
- Insider threats: Departing users are a major risk for companies: 69% of organisations suffer data loss when employees leave their business. This data is often highly sensitive, such as customer and prospect information or proprietary code. But even in-house employees pose a threat: disgruntled users could be inclined to steal corporate data for personal or financial gain.
Examples of data theft
Cybersecurity breaches that compromise large amounts of data are always big news—but they used to be infrequent. Now, incidents that affect thousands or millions of people are a regular occurrence. Here are four examples of data theft that were felt around the world.
- Yahoo!: The largest data breach in history at the time involved the theft of personal details from internet giant Yahoo!’s three billion user accounts. In September 2016, the company revealed that 500 million users had been compromised in a 2014 breach. Yahoo! claimed the data theft was as a result of an unauthorised party forging cookies to access users’ accounts without requiring a password.
- Sina Weibo: The Chinese social networking site had the data of its 538 million users stolen and put up for sale on the dark web in March 2020. Information including customers’ names and genders, site usernames, and location tracking was lost. Weibo asserted that the data was stolen by matching contacts against its address book API, but there might be more to the story.
- Panera: The baked goods company was responsible for exposing as many as 37 million customer records. How? It failed to address the vulnerabilities that were exposed when a cybersecurity researcher uncovered an unauthenticated API endpoint while researching online delivery portals in the restaurant industry. As a result, hackers were able to access sensitive customer information and build on their data stores.
- Adult Friend Finder: The adult networking site suffered data theft across its 412.2 million accounts in 2016. The stolen data had been amassed over 20 years across six separate adult content website databases, and the attackers stole usernames, email addresses, and passwords. The business theft came as a result of triggering a Local File Inclusion vulnerability on the site’s production servers, which the attacker proved by posting screenshots on Twitter.
Tips for preventing data theft
Data theft prevention relies on companies limiting access to their most critical data and resources, monitoring every data-related action employees take, and establishing cybersecurity policies that are accompanied by clear consequences for violations. To truly protect data from being stolen, businesses must implement a balanced action plan that decreases the risk of company theft.
These tips will help businesses build a robust data theft prevention plan.
Protect access to your networks: In order to protect your corporate and customer data, you need to ensure that only the right people have access to the right resources, at the right time. This Zero Trust mandate can be put into practice with robust authentication policies, as well as context-aware multi-factor authentication, which analyses every login request to validate the identity of your users.
Manage your endpoints: As employees operate remotely and make use of their own devices, it’s vital to enhance your endpoint security posture so that your data is safe in the event that a device is lost or compromised. Okta Devices, for instance, pairs devices with user identities, enables device visibility, and integrates with endpoint security tools to enforce access decisions.
Assess, evaluate, and clarify risk: Knowing where data is and who has access to it is the foundation of any robust cybersecurity strategy. But in order for your organisation to start protecting its information, it’s vital to understand which of your assets are the most likely to be targeted. Conduct a comprehensive risk assessment and create a list of critical systems, which can be used to build a data security governance policy. This list and the resulting policies need to be re-evaluated on a regular basis.
Deploy data loss prevention (DLP) tools and email gateways: DLP tools can be very useful for restoring stolen or damaged data. This is especially important in the event of an employee deleting or tampering with critical corporate data, whether on purpose or by accident. Meanwhile, email gateways help protect your users from potential phishing attacks that could encourage them to share sensitive data.
Monitor employee activity: Having centralised visibility into user access permissions and activity logs will simplify the task of working out what has happened in the aftermath of a cybersecurity incident. Advanced tools such as automated incident response and user entity behaviour analytics (UEBA) can also be used to further protect critical information from insider data theft.
Limit privileged access: Users that have the highest access to corporate resources are the people that need to be monitored most closely: they are an attacker’s most valuable route into your business’s sensitive, highly critical data. Access privileges should be limited to only the information and resources that each employee needs in order to do their job. On top of that, admin accounts should not be used for routine tasks—access rights need to be easily downgraded or revoked completely when required.
Protect your access points: Secure corporate data depends on verifying a user’s identity every time they try to access important information. Business-critical resources need to be secured with enhanced data protection methods and technologies, such as:
Implement policy procedures: Every employee is responsible for preventing data theft. To help them, organisations should create clear and explicit data security policies that hold everyone accountable for securing information. These should center around data privacy, email usage, password protection, and mobile device usage.
Conduct periodic testing: Companies should schedule recurrent tests to assess whether their systems are meeting integrity standards. Whether simulating an attack from a malicious hacker or inspecting apps for flaws, security audits are an important part of keeping systems up to date.
Adapt new security models: In addition to verifying users, businesses must also look to security frameworks such as Forrester’s Zero Trust Extended Ecosystem and Gartner’s continuous adaptive risk and trust assessment (CARTA).
Zero Trust shifts the focus away from securing the traditional network perimeter to instead securing every endpoint, which eliminates the concept of trusted insiders.
CARTA looks at cybersecurity as an adaptive function in which no entities are trusted by default and access requests are always based on the current context. Technologies like anomaly detection, machine learning, and UEBA can help organisations handle incidents that wouldn’t be detected under traditional rule-based solutions.
Protecting your company from data theft takes proactive planning and daily monitoring. For more information about how Okta can help your business reduce the risk of data theft, read our Security Technical Whitepaper.