Privacy glossary

Data breach


What is a data breach?

The unauthorized access or release of sensitive information, often due to a cyber attack or human error. Breaches occur when data stored in one system (often that of a business or government) ends up in unauthorized hands. A data breach can be harmful to both the owners of the database and the people whose data was released.

A data breach can result from physical theft of hardware, from sophisticated hacking, or from an insider misusing legitimate access (an “inside job”). The compromised data is usually sensitive—for example corporate intellectual property, government secrets, or customer data like credit card numbers—and is typically exploited for financial gain. But the data can also be used for social or political purposes.

How does a data breach happen?

A data breach can occur when an attacker exploits a weakness in a company’s systems: an unpatched software vulnerability, a database or cloud storage bucket misconfigured to be reachable from the Internet, or stolen login credentials. It may be as straightforward as a stolen laptop that contains unencrypted sensitive information or access credentials. Or an employee could accidentally send data to the wrong person, or even intentionally leak it to a journalist or other organization. Phishing and social engineering are also commonly used to steal login credentials that provide access to data.

What is the data used for?

Personal data—names, social security numbers, credit card numbers, health and banking info, login credentials, and more—can all be used to steal from a person’s accounts, or be sold online. Corporate and government-classified data might be stolen for purposes of whistleblowing or blackmail. Sometimes stolen data is never actually made public, but the threat of doing so is enough to extort ransom payments.

For a company that experiences a breach, costs can include fines, settlements and legal fees, reputation damage, and loss of customers. Estimates vary widely by study, industry, and the size of the breach; one recent estimate puts the average cost to a company at around $1.5 million USD. A ransomware attack can cost even more, since it adds the ransom price as well as downtime and recovery costs.

Financial costs of a breach are large, but the costs of time and emotional stress on an individual whose personal data is compromised can also add up.

What do organizations do to protect their data?

To protect data, organizations adopt good cybersecurity practices like limiting who has access to sensitive data (least privilege), requiring stronger authentication such as multi-factor authentication, encrypting stored data, and monitoring for unusual access. They’ll also train employees on social engineering threats and how to secure physical devices like laptops or phones.

Recently, there’s been increased pressure on companies to limit the amount of data they collect and store. This has positive effects with regard to both privacy and security. The less data that’s exposed when a breach occurs, the less damage to all involved.

Regulations addressing data breaches

Some governments require notification when a breach is discovered, with varying rules on how quickly the notification is delivered, levels of fines, and remediation available to individuals. Many of these laws include a “safe harbor” for data that was encrypted at the time of the breach, on the reasoning that ciphertext is unreadable without the key. That exemption generally holds only if the encryption was adequate and the key was not also compromised; a dump that includes both the encrypted records and the key protecting them is still a reportable breach.

Some of the bigger regulations to come about in recent years include:

  • GDPR: requires notification to the supervisory authority within 72 hours of becoming aware of a breach, and notification of affected individuals “without undue delay” when the breach is likely to put their rights and freedoms at high risk. Fines can reach 10 million or 20 million euros, or 2% or 4% of worldwide annual turnover, whichever is higher, and vary based on the “nature, gravity and duration” of the infringement.
  • CCPA: California’s breach notification law requires notifying affected residents “in the most expedient time possible and without unreasonable delay,” and notifying the state Attorney General when more than 500 California residents are affected. The CCPA adds a private right of action: individuals whose data was exposed because of inadequate security can sue for statutory damages of $100 to $750 per consumer per incident, an amount that accumulates quickly when a breach is large.
  • HIPAA: requires notification to affected individuals without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more people must also be reported to the US Department of Health and Human Services within 60 days (and to prominent media outlets); smaller breaches are logged and reported to HHS annually. Fines are based on severity and number of individuals involved, and range from $100 to $50,000 per violation, with an annual cap (originally $1.5 million per type of violation, adjusted for inflation since).
  • CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act): a US act that requires covered entities in critical infrastructure sectors to report covered cyber incidents to CISA (part of the Department of Homeland Security) within 72 hours, and ransom payments within 24 hours, under rules CISA is implementing.

What to do if you receive a breach notification

If you receive a letter or email that your personal data may have been involved in a breach, the first step is to make sure it’s legitimate, and not a phishing scam: rather than following links or phone numbers in the message, go to the organization’s website directly or call a number you already have for it. If it’s real, then you should take the suggested actions, and sign up for any free credit monitoring that may be offered. In addition, make sure to do the following:

  • Change your password on that site immediately, as well as on any other sites where you use the same password. Change PINs on credit or debit cards affected, and any other cards that have the same PIN. And set strong, unique passwords and PINs going forward.
  • Check the date of the breach, and review the activity of affected accounts on or after that date. Look for unusual activity like a change of address, phone number, or billing details.
  • Note that not all breaches are found quickly—there may be a lag between when your accounts were compromised and when you were notified. So you should periodically repeat this review of account activity, and keep an eye out for future unusual activity by closely checking monthly statements.
  • Keep the data-breach notification letter, in case you need proof in the future that your data was compromised.
  • File fraud alerts with the major credit bureaus, or place a credit freeze (which blocks new credit inquiries until you lift it), to protect against someone using stolen data to get a loan or credit card in your name.

How can I protect my personal information?

There’s not much you as an individual can do to protect your data once it’s in someone else’s database—generally, you have to rely on the owner of the data to practice good cybersecurity. However, you can exercise care about where and when to supply your personal data, so it’s less exposed to a data breach in the first place:

  • Use different passwords for every site and app. Use a password manager to securely store all your passwords, and to generate random, unique passwords for every account and website you access. If all of your passwords are different, a breach that exposes a password will only compromise that account.
  • Minimize the number of places your data is stored, to thus reduce possible exposure to data theft. For instance, set up automatic payments through your bank’s bill pay system rather than at each account website. This reduces the number of databases your bank account information is stored on.
  • Enable two-factor authentication (2FA), or multi-factor authentication, on every account that supports it. This is usually a unique, one-time numeric code, generated by an authenticator app or sent by text message, that’s also required before you can gain access to your account on a site or app. Even if a data breach exposes your password, someone holding only that password won’t have your second factor and will still be blocked from your account. Authenticator apps or hardware security keys are stronger than codes sent by text message, which can be intercepted or redirected.
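As an added example (not code from the Brave glossary), here is how the one-time code described above is generated and checked: RFC 4226 HOTP and RFC 6238 TOTP, the scheme behind the codes authenticator apps display, followed by a server-side login check that requires both the password and a fresh code. The account record, its salt and its password are constructed for this example; the seed is the published RFC 4226/6238 test seed, and the example assumes the TOTP seed is stored separately from the password table, so a breach of that table yields the password hash but not the seed.

```python
"""
Added example, standard library only: RFC 4226 HOTP / RFC 6238 TOTP and a
two-factor login check with a replay guard. Not code from the page or from Brave.
Seed is the published RFC test seed; the account, salt and password are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    to a 31-bit integer, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time in `step`-second slots."""
    return hotp(secret, timestamp // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the kind of value a leaked password table contains."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    """Constructed account record. Assumption for this example: the TOTP seed is kept
    in a separate, more tightly protected store than the password table, so a dump of
    usernames and password hashes does not reveal it."""
    salt: bytes
    pw_hash: bytes
    totp_seed: bytes
    last_counter: int = -1  # highest time step whose code has already been accepted


def login(acct: Account, password: str, code: str, timestamp: int,
          step: int = 30, skew: int = 1) -> bool:
    """Both factors must pass. Codes for the current step and +/- `skew` neighbouring
    steps are accepted (tolerates clock drift), but each step at most once, so a
    captured code cannot be replayed. Comparisons are constant-time."""
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return False
    counter = timestamp // step
    for delta in range(-skew, skew + 1):
        c = counter + delta
        if c <= acct.last_counter:
            continue  # a code for this step (or a later one) was already used
        if hmac.compare_digest(hotp(acct.totp_seed, c).encode(), code.encode()):
            acct.last_counter = c
            return True
    return False


# Published RFC 4226 / RFC 6238 SHA-1 test seed (ASCII "12345678901234567890");
# the salt and password below are constructed for the demo.
RFC_SEED = b"12345678901234567890"
DEMO_SALT = bytes(16)
DEMO_PASSWORD = "correct horse battery staple"


def make_demo_account(password: str = DEMO_PASSWORD) -> Account:
    return Account(salt=DEMO_SALT, pw_hash=hash_password(password, DEMO_SALT),
                   totp_seed=RFC_SEED)


if __name__ == "__main__":
    acct = make_demo_account()
    now = 59                       # RFC 6238 vector: the 6-digit code for T=59 is 287082
    code = totp(RFC_SEED, now)
    print("user with password and current code:", login(acct, DEMO_PASSWORD, code, now))
    # Someone holding the password from a breach dump, but not the seed, cannot
    # compute a valid code; and the code the user just used is refused as a replay.
    print("password only, guessed code:", login(acct, DEMO_PASSWORD, "123456", now))
    print("replayed code a few seconds later:", login(acct, DEMO_PASSWORD, code, now + 5))
```

The replay guard is what makes a code that was phished or shoulder-surfed useless after its single use; the skew window is the usual trade-off between tolerating a phone whose clock drifts and narrowing the interval in which a stolen code is valid.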

Using a browser with strong privacy and security protections, such as the Brave browser, also reduces the risk of your data getting into the wrong hands:

  • The Brave browser includes Safe Browsing, which warns you before you reach known phishing and malware sites. Phishing pages are a common way login credentials are stolen in the first place, so this helps keep your credentials out of a breach rather than preventing the breach of someone else’s database.
  • Brave’s built-in ad blocker—Brave Shields—can block malicious and deceptive advertising, partly through the use of filter lists. Being built in, it avoids the extra risk that browser extensions can introduce, since an extension with broad permissions can itself read or leak your data.
  • Brave automatically upgrades connections to the more secure HTTPS. Check that the URL begins with https:// (not “http://”). This indicates that your data is encrypted while it travels between your browser and the site, so it can’t be read by someone on the same network. It says nothing about whether the site stores your data securely once it arrives; that still depends on the site’s own practices.
