DATA BREACHES

What are they, and why do they happen?

We recently wrote about the digital pandemic that accompanied the COVID-19 global crisis. With the shift of millions of office workers to remote working, cybersecurity was often compromised by inadequate endpoint protection, unsecured WiFi networks, phishing and spearphishing attacks, etc. A cyberattack is not the same as a data breach, but data breaches usually happen in the wake of an attack. Therefore, when cyberattacks are on the increase, so are data breaches. In this article, we’ll look at what exactly a data breach is, the different types of data breaches, some examples, and how you can protect your network.

What is a data breach?

A data breach is any cyber “event” that exposes confidential data to an unauthorised party – either a lone hacker or an organised – possibly state-sponsored – entity. A data breach is a serious threat to personal information, but individuals are not generally targeted (although it does happen). They are usually the victims of attacks on large organisations that hold thousands or even millions of records containing sensitive information. A data breach happens when an entry point into a network is left unguarded, and the cybercriminal gains access to data belonging to customers, users, patients, employees, etc. As a rule, the hacker wants access to this data to commit fraud. Credit card details enable theft. Sensitive information such as sexual preferences may be used for blackmail purposes. Remember the Ashley Madison scandal?

In a ransomware attack, a company’s data is literally held to ransom; the organisation is unable to retrieve its own data until it pays the amount – usually very large – demanded by the hacker. In this case, the objective is financial extortion; but the victim often pays the ransom to avoid the data being compromised – and the company’s reputation with it.

Types of data breaches

A data breach is not synonymous with a cyberattack. The breach is what happens as a result of the attack. It may also happen inadvertently or when a device is lost or stolen. It is not always the action of a hacker. Therefore, there are many different types of data breaches and multiple causes. A breach may be accidental, or it may be malicious. It may be caused by hacking, social engineering, or weak passwords. Very generally speaking, data breaches happen either due to weaknesses in technology or errors in human behaviour. Within those two broad categories, there are different types of data breaches. Let’s look at the main types.

  1. Insider action: this can be either accidental or intentional. A deliberate insider breach might be caused by a disgruntled employee (or ex-employee) who shares company data without permission – even if they themselves have authorised access to it – with the aim of damaging the company’s reputation or share price. An accidental insider breach might occur when an employee uses a colleague’s device or access codes for legitimate purposes and gains access to files for which they don’t hold the relevant authorisation levels. Even if they do nothing untoward with the data, the integrity of the data has been breached because the user is not authorised.
  2. Outside intruders: these are criminals or hackers who are intent on gaining access to data for malicious purposes. These events are what we think of as cyberattacks and take various forms, which we have touched on above:
    • Phishing/spearphishing: Phishing is social engineering. Victims receive emails or other social media messages (WhatsApp is increasingly targeted) from people they trust with malicious links enclosed. Because the email or message appears to come from someone the recipient trusts, suspicions are not raised, and the link is accessed. Then malware is either installed on the recipient’s device, or the hacker gains access to the network by other means. Spearphishing is a precisely targeted version of phishing. An individual receives an email from a very trusted contact, such as a superior or supplier. A South African university fell prey to an attack involving invoices that appeared to come from known suppliers. Needless to say, the attachments were bogus, but a busy procurement department can hardly be blamed for trusting its business partners.
    • Malware: When there are lapses in security in the network operating system, software or servers, cybercriminals exploit these gaps for the purposes of inserting their malware. These malicious programmes are often so clever (hence often called “spyware”) they can evade detection for months.
    • Brute force attacks: In a brute force attack, the hacker repeatedly inputs passwords until they hit upon the correct one. The process is automated: multiple scripts are run concurrently to “guess” passwords. Hackers can use other devices via malware infections to crack passwords faster. The common practice of re-using passwords makes the hacker’s job easy. (In this case, fallible human behaviour is a part of the cause.)

  3. Lost or stolen devices: A number of years ago, there was a famous incident in the UK in which the financial regulator levied a large fine on the Nationwide Building Society for security breaches following the theft of an employee’s laptop. The employee had put details of nearly 11 million customers on the device without adequate security. This happened in 2007 and is very unlikely to occur today, as organisations are much more security-conscious, training is better, and new privacy legislation ensures tighter control of personal data. But it highlights the risks that arise when devices go missing. Cell phones are stolen all the time, and most of us keep a raft of sensitive data on our phones.
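As a defensive illustration of the brute force item above, the following added example (not part of the original article) scans authentication log lines for bursts of failed logins against one account, including bursts spread across several source addresses, and notes when a successful login follows. The log format, the 60-second window and the threshold of five failures are assumptions made for this example, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2021-05-03T09:00:01 FAIL user=alice src=203.0.113.5
2021-05-03T09:00:02 FAIL user=alice src=198.51.100.7
2021-05-03T09:00:03 FAIL user=bob src=192.0.2.10
2021-05-03T09:00:04 FAIL user=alice src=203.0.113.5
2021-05-03T09:00:06 FAIL user=alice src=192.0.2.44
2021-05-03T09:00:09 FAIL user=alice src=198.51.100.7
2021-05-03T09:00:12 FAIL user=alice src=192.0.2.44
2021-05-03T09:00:20 OK user=alice src=192.0.2.44
2021-05-03T09:03:30 FAIL user=bob src=192.0.2.10
2021-05-03T09:03:41 OK user=bob src=192.0.2.10
"""
WINDOW = timedelta(seconds=60)  # assumed look-back window
THRESHOLD = 5                   # assumed failures per account inside the window

def detect_guessing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: {failures, sources, success_after}} for guessing bursts."""
    recent = defaultdict(deque)  # user -> (time, source) of recent failures
    alerts = {}
    for line in log_text.splitlines():
        stamp, outcome, user_field, src_field = line.split()
        when = datetime.fromisoformat(stamp)
        user = user_field.split("=", 1)[1]
        source = src_field.split("=", 1)[1]
        failures = recent[user]
        while failures and when - failures[0][0] > window:
            failures.popleft()  # forget failures older than the window
        if outcome == "FAIL":
            failures.append((when, source))
            if len(failures) >= threshold:
                alert = alerts.setdefault(
                    user, {"failures": 0, "sources": set(), "success_after": False})
                alert["failures"] = max(alert["failures"], len(failures))
                alert["sources"].update(src for _, src in failures)
        elif outcome == "OK" and user in alerts and failures:
            # A login that succeeds right after a burst may be a guessed password.
            alerts[user]["success_after"] = True
    return alerts

if __name__ == "__main__":
    for user, alert in detect_guessing(SAMPLE_LOG).items():
        print(user, alert["failures"], sorted(alert["sources"]), alert["success_after"])
```

Counting failures per account rather than per source address is what lets the check catch guessing that is spread over many devices.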

Some examples

While major cyberattacks make global headlines, such as the ransomware attack on sports device manufacturer Garmin last year, there are thousands of data breaches every year. They affect companies large and small, hospitals, municipalities, universities, even high-level government departments. Most of them don’t make the news unless you follow industry websites.

Insider action: You may think your staff are trustworthy, but mistakes happen, and rogue employees exist. A large supermarket chain in the UK called Morrisons experienced an internal attack that resulted in a breach of 100,000 employees’ personal details. An employee leaked the workforce payroll data, including bank account details and salaries. The attack cost the company £2 million (nearly R40 million) in compensation. The employee is currently serving a prison sentence. This breach happened because staff enjoyed too much access to sensitive information.

Hackers: In March of this year, it was reported that hackers had obtained sensitive documents relating to British aid projects run by the UK’s Foreign, Commonwealth and Development Office (FCDO). The agency informed companies and individuals involved in tenders for government projects that their personal data had been compromised, including names, work and contact details, locations and nationalities. It is not known (publicly at least) if the breach was caused by an individual or a group.

Weak passwords: In 2012, the professionals’ social media platform, LinkedIn, fell victim to an attack that compromised the personal information of 165 million users. The data was allegedly offered for sale a few years later on the dark web. Although this was not a brute force attack, the data breach was deemed to be the result of weak user passwords, coupled with LinkedIn’s failure to salt the data, a technique that adds a unique, random string of characters known only to the site to each password for better security.
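To show what salting changes in a leaked password table, here is an added example (not from the original article, and not LinkedIn's code) that stores the same passwords unsalted and salted and compares what the stored values reveal. SHA-1 as the fast unsalted hash, PBKDF2-HMAC-SHA256 as the slow salted one, the iteration count and the sample accounts are all assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users chose the same weak password.
USERS = {"alice": "Summer2012", "bob": "Summer2012", "carol": "x9!Lq#v2"}
ITERATIONS = 200_000  # assumed work factor for this example; tune per hardware

def unsalted_sha1(password):
    """Weak storage for comparison: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Salted storage: a fresh random salt per password plus a slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest  # both are stored in the user record

def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

def shared_password_groups(stored):
    """Users whose stored values are identical, i.e. visibly the same password."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def compare_storage(users=USERS):
    unsalted = {u: unsalted_sha1(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return shared_password_groups(unsalted), shared_password_groups(salted), salted

if __name__ == "__main__":
    leaked_plain, leaked_salted, _ = compare_storage()
    print("unsalted dump reveals shared passwords:", leaked_plain)
    print("salted dump reveals shared passwords:", leaked_salted)
```

Without a salt, identical passwords produce identical stored values, so cracking one weak password exposes every account that shares it; with a per-password salt, each record has to be attacked separately.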

Protect your data with NEWORDER

Data breaches may not be 100% avoidable – there are simply too many access points, and cybercriminals are always one step ahead of the cybersecurity industry. But there is a lot you can do to significantly reduce your risk of falling victim to a data breach. Hopefully, you are already implementing best practices to avoid such an occurrence. NEWORDER can assess the state of your IT security and advise you on any gaps you may have in your armour and how to rectify them.

Use patches and update software: It is essential that patches are kept up to date, and software updates are applied as they become available. Our partnership with Alert Logic can help with this.

Endpoint protection: Secure your Internet of Things (IoT) devices. These are often vulnerable points in your network that hackers love to exploit. We work with market-leading IoT security provider Securolytics to keep your IoT devices safe.

Ensure sensitive data is encrypted: If you hold customer or user data, it should be encrypted to a high standard, so if a hacker does access your network, the data is of no use to them.

Device security: All devices in your organisation must be upgraded when the software falls outside of the manufacturer’s support period. Furthermore, in this era of remote working, if employees are using their own devices, install a business-grade VPN service and antivirus protection on all non-company equipment.

Passwords and personal behaviour: Insist on strong credentials and multi-factor authentication before employees can access company data. Set your systems to reject passwords that don’t meet security standards. Train your employees on cybersecurity and ensure they know how to recognise and avoid phishing attacks – a common entry point. NEWORDER can provide assistance with employee training.

Your one-stop-shop for data protection and cybersecurity

NEWORDER is one of Africa’s leading information security and corporate threat protection services. We can assess your security and help you put best practices in place to minimise your risk of a data breach.