Data Breach

A data breach is a breach of security as a result of a cyber-attack or otherwise unlawful loss or disclosure of confidential data from a computer system or network. Cybercriminals typically cause data breaches to steal:

• Names
• Email addresses
• Usernames
• Passwords
• Credit card numbers

In many instances, an organisation or company won’t even know that there has been a data breach until long after the incident.

Common cyber-attacks used to cause a data breach include Spyware and Phishing.

How data breaches occur

There are many ways that data breaches can occur, including:

• Sensitive information is lost or stolen from the company
• Employee negligence.
• External hack into a company’s network or database
• Unauthorised employees accessing sensitive information on their own devices (BYOD)
• Malware attacks against internal computers

Some companies have even been breached as a result of third parties not adhering to regulations, such as improper disposal of paper documents containing sensitive data leading to identity fraud and subsequent loss of reputation and revenue.

Types of data breaches

There are many different types of data breaches that can occur. The most common are:

• Human error (e.g. loss or theft of documents)
• Phishing (e.g. emails with links to malicious websites)
• Malware (e.g. spyware accessing confidential information on a computer)
• Exploit kit (e.g. malware downloads and installs viruses and key loggers onto your device without you knowing – these then record all your passwords, usernames and credit card details etc.)
• Ransomware (an attacker locks out access to a company’s files until ransomed for payment)
• DDoS attack & hacking  (which involves taking down a whole server or website by flooding it with too many requests, or by cracking its security)

How to prevent data breaches

There are a number of measures that you can put in place to help prevent data breaches from occurring:

• Educate staff members on the importance of security and privacy. For example, don’t leave passwords posted around or in plain site where other individuals can see them. Also, ensure your employees know what actions to take if they come across anything suspicious (e.g. phishing emails).
• Don’t store sensitive information on laptops and USBs – they’re not secure devices and can easily be lost or stolen during transport. If you must use these types of devices, encrypt all files before transporting them away from the office environment so that even if the device does get lost or stolen, it won’t cause a data breach because the information is protected.
• Enable firewalls to help prevent external attacks from occurring. Make sure your software and operating system are kept up-to-date with the latest security patches, so that in the event of a breach, you can easily patch things up afterwards and do as little damage control as possible. Use encryption when processing credit card transactions (e.g. data stored on a database) or using payment systems online – this way if hackers get hold of the data later, they won’t be able to use it to make purchases etc. Finally, run regular audits to check for vulnerabilities in the system and plug any loopholes before an attack can take place.

The consequences of a data breach

There are many consequences of a data breach, and they can be very costly for companies. Some examples include:

• Loss of customer confidence. This can result in a loss in sales, as customers may choose to use other retailers instead of yours.
• Lost revenue resulting from identity theft and credit card fraud.
• Potential legal action and fines from your industry’s data privacy authorities.
• Increased security expenses – companies need to take extra precautions to ensure that future attacks don’t occur (e.g. buying expensive security software or hiring cyber-security experts).
• Corrective advertising costs after announcements have been made by the media announcing information about the breach (e.g. emails containing all users’ addresses being leaked on social media, so corrections are required).
• Insurance costs, such as those incurred if an individual brings a successful claim against you as a result of the breach.
• The reputation penalty – failure to address a data breach quickly and effectively can result in a loss of public reputation for the business, which means your customers might start to look elsewhere for services.

How to respond to a data breach

If you suspect that your business has been the victim of an attack and confidential information may have been stolen, act quickly in investigating what’s happened. You should also alert law enforcement authorities as soon as possible. Here are some tips on how to proceed:

• Preparation – firstly identify all potential sources of data leakage (e.g. social media accounts), then define a protocol for handling the release of any sensitive information (keep these protocols up-to-date). Remember – the sooner you know about a data breach, the sooner you can stop it from spreading than if you do nothing until after it’s happened.
• Notification – decide whether to contact customers about the breach once it’s happened or if you should wait for a certain period of time so that sufficient information can be gathered and analysed first (e.g. analysing all payments made using your system to see how much money was stolen etc.). Consider hiring an IT security expert or specialist firm to assist with the investigation, because this will allow you to get information from a wider range of sources than would normally be available in-house.
• Provide information – give users as much relevant information as possible when communicating about a data breach, but don’t overwhelm them with too much technical detail, which may confuse customers further. For example, provide contact details for reporting queries and include an easy-to-read section called “What we’re doing to fix it”, which explains what the business is doing to resolve the problem.
• Don’t give out any unnecessary information about the breach – don’t communicate on social media (e.g. posted status updates), or in emails, without firstly getting some legal advice about whether you should do so (or if it’s legally required). For example, never say anything like “We will find whoever hacked our system and make them pay for everything they’ve done”. Also, before sending emails about a data breach to customers’ individual email addresses, check that there’s no reason why you shouldn’t be contacting them directly – e.g. because of data protection laws.
• Clear communication – ensure that customer service representatives are well briefed before responding to the public about a data breach, and are only allowed to distribute information from pre-approved sources (e.g. your website) when doing so (that way, you can control what is said). If a potential breach has occurred but hasn’t yet been confirmed, it’s important to communicate by being open and honest with customers, but without scaring them unnecessarily either!

Businesses shouldn’t be scared of reporting data breaches because they might not happen often – this isn’t necessarily true, as many businesses are breached multiple times every month due to social engineering or technical attacks. For example, an online betting company was subject to a cyberattack that allowed attackers access to its online and mobile platforms, resulting in the compromise of personal information relating to tens of thousands of users. The scale of attacks on business is ever-increasing, so reporting breaches should be expected as part of being prepared for the worst.

As with any major organization’s system, if you’ve got information worth protecting then it can only benefit your company as a whole by being wary about the security measures which are put into place.