In today’s world, data breaches are becoming increasingly common and pose a threat to companies and people in most industries. In fact, during the third quarter of 2022, approximately 15 million data records were exposed worldwide through data breaches. This is an increase of 37% compared to the previous quarter.
Because of this ever-present threat, it is critical to understand how data breaches happen and what steps can be taken to prevent them. This guide is designed to help you with just that.
Here we will explore what exactly a data breach is, how data breaches happen, the largest data breaches and statistics from the past year, their consequences, and strategies to safeguard your data.
What is a data breach?
A data breach is when sensitive or confidential information owned by a company or person is accessed or exposed without authorisation. It can include financial data, health information, trade secrets, and more.
While the term "data breach" is sometimes used interchangeably with "cyberattack," not all cyberattacks result in a data breach. For a breach to occur, the attack must compromise the confidentiality of sensitive data. For example, an attack that disrupts a website and makes it unavailable is not a data breach. But if data is collected from the website and held to ransom with the threat of selling it, that is considered a data breach.
Data breaches are one of the main topics covered by information security laws and regulations. One of the most well-known privacy laws, the General Data Protection Regulation (GDPR), highlights the importance of protecting against data breaches and what companies need to do in the event of a breach.
What does the GDPR say about data breaches?
The General Data Protection Regulation (GDPR) is an EU data protection and privacy law. It provides rules and guidelines for the collection, processing, and storage of the personal data of EU citizens.
The GDPR defines a data breach as a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
According to this regulation, companies must report data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. It requires that companies inform affected people about the data breach if it is likely to put their rights and freedoms at high risk.
The notification must be made without delay and include specific information such as:
- The nature of the breach,
- The types of data affected,
- And the steps the company is taking to address the breach.
Failing to comply with the GDPR's reporting requirements can result in significant fines and penalties.
Complying with regulations like the GDPR helps to protect data and reduce the consequences of breaches. As you do this, staying updated on the global landscape of data breaches is also important.
Important data breach statistics
When compared with the previous year, 2022 had significantly fewer data breaches. Although this is a good sign, it is not a reason for companies to reduce their defences. Here’s why:
- As technology advances, malicious actors can find more complex ways to hack into security systems, so current cybersecurity systems are quickly becoming obsolete - Global Risks Report 2022
- Phishing attacks increased by 61% in 2022, and a total of 3 million phishing attacks were observed in the third quarter - The Anti-Phishing Working Group (APWG)
- Ransomware is a constant threat in all sectors, and the percentage of users impacted by targeted ransomware doubled in the first 10 months of 2022 - Kaspersky Lab
- The UK had the highest number of cybercrime victims per million internet users at 4783 in 2022 – up 40% over 2020 figures - AAG
- The five countries with the most significant data leaks in 2022 were Russia, China, the US, France, and Indonesia - Surfshark
- The global average cost per data breach as of 2022 is USD 4.35 million. The country with the highest average data breach cost is the US - Statista
- The healthcare industry currently has the highest average cost of a data breach, followed by the finance industry - Beyond Identity
- Stolen or compromised credentials remain the most common cause of data breaches. These breaches had an average cost of USD 4.50 million in 2022 - IBM
- 45% of data breaches in 2022 were cloud-based - IBM
Year after year, we see data breaches in various industries, even in companies with information security protocols already in place. But what is the reason for this?
Why do data breaches happen?
Data breaches can occur due to various reasons, but the most common reasons are:
- Human error - Not all data breaches result from malicious attacks by cybercriminals. Innocent mistakes, like accidentally sending sensitive information to the wrong person or leaving a mobile device or laptop unlocked can also result in a data breach. Studies have shown that human error is the primary cause of data breaches.
- Malicious insiders - These are individuals with access to sensitive data who misuse it for personal gain or to harm the company. They can be employees, contractors, and business partners who may steal, modify, or delete data or create vulnerabilities for external attackers.
Detecting malicious insiders is challenging because they have authorised access and knowledge of security protocols. Strong security measures such as access controls, monitoring, training, and assessments can help prevent and detect malicious insider activity.
- Hackers - These malicious outsiders commit cybercrimes for personal gain. Typically, hackers are motivated by financial gain and may steal credit card numbers, bank accounts, or other financial information to take money from people and companies. They may also steal personally identifiable information like social security numbers and phone numbers to commit identity theft or to sell on the dark web.
Data breaches may not always be financially motivated. Some companies may steal trade secrets from their competitors, while nation-state actors may hack into government systems to access sensitive information related to politics, military operations, or national infrastructure.
Data breaches may sometimes be purely destructive, where hackers access sensitive data to destroy it. These types of attacks, which make up 17 per cent of all breaches according to IBM’s Cost of a Data Breach 2022 report, are often carried out by nation-state actors or hacktivist groups looking to harm a company.
How do data breaches happen?
Generally, data breaches can be described as a three-stage process: research, attack, and compromise.
Stage 1: Research
In the research phase, hackers gather information about the target company, including its infrastructure, employees, and security measures. This may involve scanning the company’s network, social engineering, or reconnaissance of publicly available information.
Stage 2: Attack
Once the hacker has gathered enough information, they will use various techniques to try to exploit vulnerabilities in the target company’s security measures. This can be done by using phishing emails to trick employees into revealing sensitive information, installing malware, exploiting software vulnerabilities, or brute-forcing passwords.
Stage 3: Compromise
Finally, if the attacker successfully gains access to the company's systems, they may be able to steal sensitive data, such as customer information, financial data, or intellectual property.
There are various methods that malicious actors can use to carry out data breaches. These include:
- Stolen or compromised credentials - This is the most common attack method, accounting for 19% of data breaches. Attackers may use brute force attacks, purchase stolen credentials, or trick employees into revealing credentials through social engineering attacks.
- Social engineering - This involves psychologically manipulating people into unknowingly compromising their information security. Phishing is the most common social engineering attack, accounting for 16% of data breaches.
- Ransomware - This type of malware takes an average of 326 days to be identified and contained and can cost companies an average of USD 4.54 million per breach.
- Directly exploiting system vulnerabilities - Cybercriminals may exploit weaknesses in websites, operating systems, endpoints, and commonly used software. They may also use spyware, which records a victim's keystrokes and other sensitive data and sends it back to the hackers.
- SQL injection - SQL (Structured Query Language) is the language commonly used to manage and query data in a relational database. This method exploits weaknesses in how an unsecured website passes user input to its SQL database, allowing an attacker to obtain private data.
- Human error and IT failures - Hackers may exploit employees' mistakes, such as cloud misconfigurations, or use IT failures to sneak into sensitive databases.
- Physical security failures - Attackers may steal devices, break into company offices, or use skimming devices on physical credit and debit card readers to collect payment card information.
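The SQL injection entry above describes the weakness in one sentence; the following is an added example (not code from the original article) that shows, on a constructed in-memory SQLite table, why a query built by string concatenation leaks data and why the parameterised form does not. The table contents, the function names and the `sqlite3` setup are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real customer data).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn, username):
    """Builds the SQL text by concatenation, so user input is parsed as SQL.
    This is the weakness the article describes; it is kept here only to
    contrast with the hardened version below."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn, username):
    """Parameterised query: the driver sends the value separately from the
    SQL text, so whatever the user typed is compared as a literal string
    and is never interpreted as part of the query."""
    rows = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    benign = "alice"
    # Textbook tautology input: turns the WHERE clause into "always true".
    hostile = "x' OR '1'='1"
    print("vulnerable, benign :", lookup_email_vulnerable(db, benign))
    print("vulnerable, hostile:", lookup_email_vulnerable(db, hostile))  # all e-mails leak
    print("safe, benign       :", lookup_email_safe(db, benign))
    print("safe, hostile      :", lookup_email_safe(db, hostile))        # no match at all
```

The difference is not input filtering but where the boundary between code and data is drawn: with placeholders the database engine never sees the user's text as SQL, which is why parameterised queries (or an ORM that uses them) are the standard mitigation rather than escaping quotes by hand.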
With so many ways to gain access to information systems, companies across the globe continue to fall victim to data breaches. 2022, in particular, saw many industry giants face various data breaches.
What are the most recent notable data breaches?
1,802 data breaches were reported in 2022, but not all of them were large-scale or from multinational companies. However, the most notable ones significantly impacted millions of customers and other stakeholders of those companies.
- FlexBooker data breach
In early 2022, appointment management company FlexBooker suffered a major data breach that impacted approximately three million users. Hackers, known as Uawrongteam, exploited FlexBooker's AWS configuration and installed malware on its servers, giving them full control of the system.
As a result, confidential information such as ID details, driver’s licences, and passwords was stolen and sold on hacking message boards. The incident led to financial losses for the company as many clients left the platform.
- Cash App data breach
In April 2022, a former Cash App employee breached the company's servers and accessed the sensitive financial information of customers, including their names, stock trading information, account numbers, and portfolio values. The company informed over eight million customers about the incident, but no account credentials were stolen, and only a limited amount of identifiable information was taken.
- Twitter data breach
Twitter experienced a security breach that impacted 5.4 million accounts, involving the theft of phone numbers and email addresses. Multiple sources suggest that the data was obtained in December 2021 by exploiting a vulnerability in the Twitter API.
This allowed hackers to enter phone numbers and email addresses into the API to get the related Twitter ID. By using this ID, cybercriminals could obtain public data about the account and create a user profile with both confidential and public information.
- Uber data breach
Uber was found to have covered up a data breach in 2016 that affected 57 million users, and paid $100,000 to the hackers to keep the incident quiet. The company's former chief security officer, Joe Sullivan, has been convicted of concealing a felony and actively hiding the breach from the U.S. Federal Trade Commission.
Sullivan took several measures to hide the breach, including paying off the hackers in exchange for non-disclosure agreements.
Cyber threats are constantly evolving, and companies risk falling victim to data breaches if they don’t have proper information security processes in place.
How can data breaches be prevented or mitigated?
Data breaches can have consequences like financial losses, reputational damage, and legal liabilities for individuals and companies. While it may not be possible to eliminate the risk of a data breach, several steps can be taken to prevent or mitigate their impact.
- Conduct regular security audits - Regularly review and audit security systems and procedures to ensure they are effective and up-to-date.
- Incident response plans - Having a plan in place to quickly and effectively respond to a breach can help minimise the damage and prevent it from escalating. This plan should include procedures for containing the breach, investigating the cause, and notifying affected parties.
- Security AI and automation - Artificial intelligence and automation can be used to monitor networks and identify potential threats in real time. They can also be used to automatically respond to threats by blocking suspicious activity or isolating compromised devices.
- Employee training - Employees are often a target for malicious actors. So it's essential to provide regular training on identifying and avoiding common security threats like phishing emails and social engineering scams.
- Identity and access management (IAM) - Controlling who has access to sensitive data and systems is critical to prevent unauthorised access. IAM solutions can help manage user access and permissions and monitor for suspicious activity.
- A zero-trust security approach - The zero-trust model considers all network traffic untrusted and requires authentication for every access request, regardless of the source. This helps to prevent data breaches by limiting access to sensitive data and systems and implementing strict authentication and authorisation policies.
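Two passages above call for the same illustration: the "stolen or compromised credentials" method (brute-force attacks against accounts) and the "security AI and automation" recommendation to monitor for and automatically respond to suspicious activity. The following added example, which is not code from the original article, runs a small detection rule over constructed SSH-style authentication log lines. It flags a source that fails too many logins inside a time window (brute force), a source that fails against too many different accounts inside that window (password spraying), and a subsequent successful login from an already-flagged source, which is the event an incident responder would want triaged first. The log format, thresholds and IP addresses are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (sshd-style); not from a real system.
SAMPLE_LOG = """\
2022-10-03T10:00:01 sshd: Failed password for alice from 203.0.113.7
2022-10-03T10:00:04 sshd: Failed password for alice from 203.0.113.7
2022-10-03T10:00:06 sshd: Failed password for alice from 203.0.113.7
2022-10-03T10:00:09 sshd: Failed password for alice from 203.0.113.7
2022-10-03T10:00:11 sshd: Failed password for alice from 203.0.113.7
2022-10-03T10:00:14 sshd: Accepted password for alice from 203.0.113.7
2022-10-03T10:01:00 sshd: Failed password for bob from 198.51.100.9
2022-10-03T10:20:00 sshd: Failed password for bob from 198.51.100.9
2022-10-03T10:40:00 sshd: Failed password for bob from 198.51.100.9
2022-10-03T11:00:00 sshd: Failed password for bob from 198.51.100.9
2022-10-03T11:20:00 sshd: Failed password for bob from 198.51.100.9
2022-10-03T12:00:00 sshd: Failed password for carol from 192.0.2.44
2022-10-03T12:00:02 sshd: Failed password for dave from 192.0.2.44
2022-10-03T12:00:03 sshd: Failed password for erin from 192.0.2.44
2022-10-03T12:00:05 sshd: Failed password for frank from 192.0.2.44
2022-10-03T12:00:06 sshd: Accepted password for frank from 192.0.2.44
"""

# Assumed line layout: "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, result, user, ip) tuples; skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(minutes=5), max_failures=4, max_users=3):
    """Return {ip: set_of_reasons} for sources that exceed the thresholds.

    brute_force:            more than max_failures failed logins from one IP inside `window`
    spraying:               failures against more than max_users distinct accounts inside `window`
    success_after_failures: a successful login from an IP that was already flagged
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...] for failed attempts
    alerts = defaultdict(set)
    for ts, result, user, ip in sorted(events):   # process in time order
        if result == "Failed":
            failures[ip].append((ts, user))
            # Keep only the failures that fall inside the sliding window ending now.
            recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
            if len(recent) > max_failures:
                alerts[ip].add("brute_force")
            if len({u for _, u in recent}) > max_users:
                alerts[ip].add("spraying")
        elif result == "Accepted" and ip in alerts:
            alerts[ip].add("success_after_failures")
    return dict(alerts)


if __name__ == "__main__":
    for ip, reasons in detect(parse(SAMPLE_LOG)).items():
        print(ip, sorted(reasons))
```

Note what the window does: the source that fails every twenty minutes never has more than one failure inside any five-minute window and is not flagged, while the two bursty sources are. Tuning `window`, `max_failures` and `max_users` against your own baseline of legitimate failed logins is what keeps an automated response (for instance, blocking the source) from locking out real users.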
How can ISO 27001 help reduce data breach risks?
We’ve all seen the shocking headlines about high-profile data breaches on the news. Although your business may survive the financial hit, the reputational damage is often much harder to recover from. Relying on sound privacy and information security processes will give you total peace of mind.
ISO 27001 provides a framework for compliance with laws and regulations, such as GDPR. It helps you spot potential risks before they become a problem and avoid costly penalties.
Here are some ways in which ISO 27001 can help reduce data breach risks:
- Risk assessment and management: ISO 27001 requires organisations to identify and assess the risks to their information assets and implement appropriate controls to mitigate or manage those risks. This proactive approach can help prevent data breaches before they occur.
- Policies and procedures: ISO 27001 requires organisations to establish and maintain policies and procedures for information security management. This includes defining roles and responsibilities, implementing access controls, and ensuring data confidentiality, integrity, and availability.
- Employee awareness and training: ISO 27001 requires organisations to provide information security awareness training to their employees, contractors, and third-party service providers. This can help ensure that everyone in the organisation understands their role in protecting sensitive information.
- Incident response planning: ISO 27001 requires organisations to develop and maintain an incident response plan to detect, respond to, and recover from information security incidents. This can help minimise the impact of a data breach if one does occur.
- Continuous improvement: ISO 27001 also requires organisations to continually monitor and review their information security management system and make improvements as necessary. This can help ensure that the organisation stays up to date with the latest threats and vulnerabilities, and remains proactive in its efforts to prevent data breaches.
Certify your company for ISO 27001 to ensure that your company is up to date with the latest InfoSec practices. Identify risks and achieve better compliance.
Book a call with us today and get started with ISO 27001 Certification.
Data breaches and cyberattacks can happen to anyone at any time. Companies especially have a responsibility to be prepared and safeguard the data of their customers to not only avoid financial losses but also uphold the company’s integrity.
Learning about data breaches is the first step, after which you can assess your company’s needs and implement the necessary security protocols.