Data breaches are cyber attacks or security incidents that expose information without authorization. Let’s take a closer look at how data breaches can occur, and how a breach could impact you. Got a breach notification? Read on for resources to guide you.
Data breaches are a growing problem. According to the Identity Theft Resource Center, the number of data compromises rose more than 68 percent from 2020 to 2021.
But what exactly is a data breach?
There are a few ways a database of information could be wrongfully exposed, and it can happen intentionally or accidentally.
Let’s take a closer look at how data breaches may occur, and what it could mean if your information gets exposed.
What is a data breach?
When a database of information is accessed without authorization, that’s a data breach.
If a company or organization that stores customer data experiences a breach, personal information can wind up exposed — a scenario that’s become all too familiar.
How can a data breach impact you?
Wondering how a data breach might impact you? Here are three real-world examples of large-scale data breaches from the last decade, including the customer information that was exposed:
Yahoo in 2016: An unauthorized third party stole data associated with more than 1 billion accounts — including email addresses, phone numbers, dates of birth, and in some cases, encrypted or unencrypted security questions and answers.
Equifax in 2017: Hackers attacked the credit bureau’s systems, exposing the personal information of 147 million people. Exposed details included full names, dates of birth, Social Security numbers, physical addresses, and other personal information.
Marriott in 2018: Cybercriminals got unauthorized access to up to 500 million guest records that included arrival and departure information, reservation dates, mailing addresses, phone numbers, email addresses, passport numbers, and more.
What type of information could be exposed in a data breach?
Here are some examples of personally identifiable information (PII) that may be attractive to cybercriminals:
Date of birth
Social Security number
Physical mailing address
All of the above could be exposed in a data breach.
Medical information — such as healthcare records, Medicare numbers, and insurance member IDs — is also highly valuable. Fraudsters can use health data to commit medical identity theft, a scheme that involves obtaining medical services, prescription drugs, or other health care in someone else’s name.
Here’s another thing fraudsters want: financial information. Stolen checking, savings, retirement, or credit card account information can be used by criminals for their own monetary gain.
How do data breaches happen?
Let’s take a look at some common ways a data breach may occur.
Here are just a few of the tactics cybercriminals may use to steal data:
Malware: When malware (which is short for “malicious software”) is installed on a device or server, it can collect data and send it back to the cybercriminals who initiated the attack.
Ransomware: One common type of malware is ransomware, which encrypts files and makes them unusable. In a ransomware attack, bad actors typically demand a fee in exchange for decryption.
Denial-of-service attack: In this scenario, cybercriminals attempt to crash a network by flooding it with traffic. The goal may be to disrupt operations: once a network is overwhelmed, legitimate users may be unable to access information systems or process requests. This can act as a diversion, or even crash a firewall or security system, making it easier for hackers to pull off a data breach.
SQL injection attack (or SQLi): This type of attack “injects,” or inserts, malicious SQL code into the queries a website or web application sends to its database. SQL, or Structured Query Language, is a programming language commonly used to work with databases, so attackers sometimes use SQL injection attacks to bypass the site or app’s security measures and gain unauthorized access to data.
Without proper training, an employee may not follow best practices for online safety — which can lead to the unauthorized exposure of information.
Phishing: Keep in mind that phishing messages may include links or attachments that contain malware. Sometimes, hackers target individual employees in order to gain access to a company or organization’s data.
Weak passwords: Similarly, if a hacker’s able to guess or decipher an employee’s credentials, they may be able to access the employer’s systems. Sometimes, cybercriminals use trial and error to guess login information — a tactic known as a brute force attack. That’s one reason why strong passwords are key, for both work and personal accounts.
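On the defensive side, brute force guessing tends to show up as a burst of failed logins against one account. The following added example (not part of the original article) flags such bursts; the log format, account names, addresses, and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: timestamp, result, account, source address.
SAMPLE_LOG = """\
2024-01-01T09:00:00 FAIL alice 203.0.113.7
2024-01-01T09:00:04 FAIL alice 203.0.113.7
2024-01-01T09:00:09 FAIL alice 203.0.113.7
2024-01-01T09:00:13 FAIL bob 198.51.100.4
2024-01-01T09:00:15 FAIL alice 203.0.113.7
2024-01-01T09:00:21 FAIL alice 203.0.113.7
2024-01-01T09:00:40 OK bob 198.51.100.4
2024-01-01T09:30:00 FAIL carol 192.0.2.9
2024-01-01T09:45:00 FAIL carol 192.0.2.9
2024-01-01T10:00:00 FAIL carol 192.0.2.9
2024-01-01T10:15:00 FAIL carol 192.0.2.9
2024-01-01T10:30:00 FAIL carol 192.0.2.9
"""


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return accounts with at least `threshold` failed logins inside `window`."""
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    flagged = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        stamp, result, account, _source = parts
        if result != "FAIL":
            continue
        when = datetime.fromisoformat(stamp)
        times = recent[account]
        times.append(when)
        # Drop failures that have aged out of the sliding window.
        while when - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            flagged.add(account)
    return sorted(flagged)


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

A single mistyped password (bob) and failures spread over an hour (carol) stay below the default threshold, while the rapid burst against alice is flagged.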
When files or devices fall into the wrong hands, the information they contain may be at risk.
Stolen or lost computers, phones, or any other files — digital or otherwise — that contain information: If a company device is lost or stolen, hackers may be able to gain access to confidential data or systems.
One more thing to consider: imagine you own a company that relies on a third-party vendor — such as a payment processor — and that vendor experiences a data breach involving your company’s information. This is a common occurrence, and it’s known as a third-party data breach.
How to know if you’ve been affected by a data breach
According to the National Council of State Legislatures (NCSL), all 50 states have laws that require private businesses — and in most states, governmental entities as well — to notify individuals of security breaches involving personally identifiable information.
These notifications, also known as data breach responses, may include more information about what specific data was compromised.
Some data breaches come to light long after the actual incident occurred — so take note of any notice of a breach that you receive, even if it happened many months ago.
If you receive such a communication, it’s important to understand that you’re not necessarily experiencing identity theft. But data breaches can leave your personally identifiable information exposed, which can make you more vulnerable to fraud in the future.
Got a data breach notification? We’re here to guide you on what to do next.