What Is A Data Breach?
You probably hear the term “data breach” weekly, but what does it really mean for you and your finances?
In the data economy where we hold a world of information in the palm of our hands, data breaches are as ubiquitous as iPhones. In this guide, we’ll tell you all about data breaches: what they are, how to prevent them, and other useful information. Let’s get started!
What Is A Data Breach?
Taking it back to basics, let’s first define “data breach”.
A data breach is a security incident in which a third party accesses data without the consent of the data’s owner, which could be either a business, its customers, or both.
Causes and Methods
There are a few different ways that people can breach data, whether intentionally or accidentally:
- By exploiting system vulnerabilities from out of date software and injecting systems with malware
- By guessing weak or repeated passwords
- By accidentally downloading viruses or malware, a process also called drive-by downloads
- By sending malware via phishing and spam emails1
- By making a mistake like losing paperwork or sending an email to the wrong recipient
- By losing devices or having them stolen.2
Typically, data breaches happen to businesses small and large, but since businesses hold customer information, they can also affect customers. We’ll tell you more about how to prevent data breaches as both an individual and a business in a little bit, but first, let’s talk about what the breaches actually entail.
Data breaches occur in five major phases, according to cyber security company Cygilant:3
- Target researched: First, hackers research a business: what hardware and software it uses, how much they spend on cyber security by looking at court records and financial filings, and how they can use partners as entry points.
- Vulnerabilities scanned: Next, the hackers scan systems and their open ports, enumerating all devices and accounts on networks to find points of entry.
- Vulnerabilities exploited: After they find these points, they run exploit code.
- Payload delivered: Next, the hackers will either upload malware, take over accounts, hijack servers, or breach data using another method.
- Data extracted: Finally, the hackers download the data they want, be it intellectual property, medical information, or financial information.
What Are The Consequences of Data Breaches?
There are many different negative consequences of a data breach, which include but are not limited to:
- Identity theft: Using customers’ PII, or personally identifiable information, hackers will commit identity theft to file tax returns, secure bank loans or other actions that require PII.
- Financial losses: In 2020, the average cost of a data breach in the U.S was $3.86 million. Now, keep in mind that this includes data breaches from huge companies like Microsoft and Walgreens, which is why the number is so high. Still, it’s clear that data breaches can have pretty extreme financial consequences.
- Loss of productivity: Once a data breach occurs, businesses need to find and fix the vulnerabilities, which can take away from other lucrative pursuits. On average, it takes businesses 280 days to identify and contain data breaches,4 or about three-quarters of a year.
- Ruined credit: For individuals who have had their identities stolen, their credit score may tank, resulting in difficulty getting bank loans, jobs, or even rental agreements.
- Lack of privacy: Depending on the type of information, data breaches may reveal information that people wanted to keep private (like the breach of Ashley Madison, a dating website for people seeking affairs).
- Losing customers: For businesses, data breaches may cause distrust in customers, who may switch to a competitor.
- Damage to reputation: Moreover, data breaches may turn off potential customers from doing business with organizations.
- Loss of intellectual property: The hackers may steal intellectual property, which can result in financial losses and/or expensive lawsuits.
- Online vandalism: Once hackers breach a website, they may vandalize it, which requires more time, money, and energy to restore.
- Ransoms: Ransomware is malware that the hacker refuses to remove unless the breached business pays a monetary ransom.
How Can I Prevent Data Breaches?
Scared? Don’t be. Although there’s no way to 100 percent prevent data breaches from occurring, there are several best practices that decrease the likelihood of a breach.
General Best Practices
Whether you’re an individual or a business, here are a few ways you can help to prevent data breaches:
- Password hygiene: Each of your online accounts should have a strong, complicated, and unique password. To see if your password is up to snuff, use our password strength tool.
- Software updates: If you don’t update your software as soon as updates are available, then you are making your system vulnerable to breaches.
- Monitoring financial accounts: Either monitor your financial and bank accounts manually or automatically with the best identity theft protection services.
- Monitor credit: Again, you can either monitor your credit from all three major credit-reporting bureaus manually or with automatic credit monitoring software.
- Secure file storage: Make sure that you store any sensitive information in encrypted vaults, ideally password protected with advanced authentication to prevent unauthorized access.
- Clean up social media: Sometimes, we don’t realize how much information we reveal on social media. From names and birthdays to addresses, make sure that your PII is kept to a minimum on social media and that your accounts are set to private.
- VPNs: VPNs increase your online safety by encrypting your web activity and IP addresses, which makes it harder for hackers to glean any of your online activity.
- Antivirus software: Finally, antivirus software detects malware and viruses by scanning your devices for suspicious behaviors that could lead to data breaches.
FYI: The majority of most identity theft protection services will monitor your credit scores and reports on Experian, TransUnion, and Equifax, so you probably won’t need a separate credit monitoring software.
Best Practices for Businesses
Businesses need to take their digital security to the next level in order to minimize the risk of breaches, taking steps such as:
- Adhere to state requirements: As you’ll read more below, digital privacy laws differ by state when it comes to storing customer data, so make sure you brush up on your requirements.
- Only store minimal information needed: As a general rule, you should keep as little customer information as possible and store it securely, be it physical or digital data. Some more tips on storing your data:
- Lock up any physical records and restrict access to employees that have been background checked. Don’t give access to any temporary workers or vendors, but rather long-term employees that you can trust.
- Before you throw out any sensitive paper files, shred them. If the data is stored on portable hardware like CDs or DVDs, destroy them before disposal.
- For any data stored on a hard drive, make sure you completely wipe it or even destroy it before disposal, similar to CDs and DVDs.
- If you or your employees ever use a photocopy machine to copy sensitive documents, make sure that the settings clear the data after every use.
- Train employees: Inexperienced or untrained employees are a very frequent cause of data breaches, so make sure to train your employees to:
- Put away files as soon as they’re done using them.
- Log out of computers as soon as they’re done using them, even if it’s just to walk to the water cooler for a few minutes.
- Lock all filing cabinets and offices when not in use.
- Only use work devices for work purposes and not for things like torrenting or using inappropriate websites or unapproved software.
- Never leave laptops or phones unattended.
- Don’t store any personal information on work devices.
- Use work devices even when working remotely, if possible.
- Password protect: Again, password protect all devices and turn on time out functions so that devices lock after periods of non-use.
- Encrypt: All data, including email, should be encrypted both “at rest”, while not in use, and “in motion”, while in use.
- Avoid using portable media: DVDs, CDs, and USB drives should be avoided if you can.5
What To Do If You’ve Been Involved in a Data Breach
Even the most stringent people and businesses can still find themselves involved in data breaches. Don’t panic; with the right steps, you can contain the breach and minimize its financial impact.
For individuals whose information was involved in a data breach, you can protect yourself and your accounts with a few simple steps:
- Contact financial institutions: First, call your bank, credit card company or credit union and alert them of the breach; they can check your account for suspicious activity and if need be, close your account and open a new one.
- Freeze credit reports: Freezing your credit report means that identity thieves won’t be able to open accounts in your name. And no, it won’t affect your credit score. To freeze your reports, contact the credit bureaus directly either online or over the phone:
Did You Know: Freezing your credit won’t affect your credit score one way or the other.
- Depending on which information was exposed: Your actions will differ based on what data of yours was exposed.
- Social Security number: If your SSN was exposed, first check your credit for unfamiliar accounts or charges. We recommend again, freezing your credit, but if you’d rather not, at least put out a fraud alert. Fraud alerts mean that businesses will need to contact you before issuing credit; they last for a year before you can get a new one. To create a fraud alert, contact the credit bureaus using the above contact information. We also recommend filing your annual tax return as soon as possible so that no one else can file one with your information or use your SSN to secure a job.
- Online username and/or password: Having your username and password breached is a much better situation than having your SSN breached. All you have to do is change your password and your username, if possible. If you can’t log into your account to change these credentials, contact the company to either recover or shut down your account. As well, if you used the same breached password for any other online accounts, change it so that each account has a unique password. Finally, check your bank and credit card accounts for any suspicious charges that you don’t recognize.
- Bank account, credit, or debit card information: While this scenario may sound scary, all you’ll have to do is contact your bank or credit company to close and replace your account or card.
When it comes to data breaches, things are much more difficult on the side of the business than they are on the side of the customer, so much so that it may be worth it to hire cyber security professionals to help you out. Nevertheless, here’s a brief overview of what’s involved.
- Fix vulnerabilities: While this may sound obvious, your first step should be to fix the vulnerabilities to prevent further data loss, which again, could require hiring a forensics team or legal counsel.
- Secure physical areas: Make sure that your office is physically secured and change all access codes.
- Remove improper information: If your website was vandalized, remove all vandalism and any false or malicious information from other websites by contacting them directly.
- Interview people who discovered breach: Whoever discovered the breach probably has better insight into its causes than most, so make sure to talk with them about it extensively.
- Do not destroy the evidence: Hard as it may be, try not to tamper with evidence, as it could be used to catch the perpetrator.
- Notify affected customers and relevant agencies: You may have to either notify your customers or government agencies about the breach, depending on your state’s laws.
The Laws Surrounding Data Breaches
Whether you’re preventing a data breach from happening or dealing with the after-effects, make sure you’re adhering to state and federal data breach notification laws.
Most federal data privacy legislation only applies to the healthcare and financial industries; there’s no federal legislation specific to data breach notifications, which are handled at a state level.
Each state has its own unique data breach notification laws, and while all states have some form of this law, the requirements differ state-by-state. For the most part, however, businesses are legally required to inform their state’s residents of data breaches as soon as possible.
|State||Required to Alert Customers of Data Breaches?||Maximum Amount of Time To Notify Customers of Data Breach|
|Alabama||✓||As soon as possible|
|Alaska||✓||As soon as possible|
|Arkansas||✓* if it affected over 1,000 people and had a “reasonable likelihood of harm”||As soon as possible|
|California||✓* if it affected over 500 residents||As soon as possible|
|Connecticut||✓* if breach will likely result in harm||90 days|
|Florida||✓* if it affected 500 people or more||30 days|
|Georgia||✓||As soon as possible|
|Hawaii||✓||As soon as possible|
|Illinois||✓||As soon as possible|
|Indiana||✓||As soon as possible|
|Iowa||✓* if it affected over 500 residents||5 business days|
|Kansas||✓||As soon as possible|
|Kentucky||✓||As soon as possible|
|Maine||✓||As soon as possible|
|Massachusetts||✓||10 business days|
|Michigan||✓||3 business days|
|Minnesota||✓* only applies to government agencies||As soon as possible|
|Mississippi||✓||As soon as possible|
|Missouri||✓||As soon as possible|
|Montana||✓||As soon as possible|
|Nebraska||✓||As soon as possible|
|Nevada||✓||As soon as possible|
|New Hampshire||✓||As soon as possible|
|New Jersey||✓||As soon as possible|
|New Mexico||✓||45 days|
|New York||✓||As soon as possible|
|North Carolina||✓||As soon as possible|
|North Dakota||✓* if it affects 250 or more residents||As soon as possible|
|Oklahoma||✓||As soon as possible|
|Oregon||✓* if it affects 250 or more residents||10 days|
|Pennsylvania||✓||As soon as possible|
|Rhode Island||✓||As soon as possible|
|South Carolina||✓* if it affects 250 or more residents||3 days|
|South Dakota||✓||60 days|
|Texas||✓* if it affects 250 or more residents||60 days|
|Virginia||✓||As soon as possible|
|Washington||✓* if it affects 500 or more residents||30 days|
|West Virginia||✓||As soon as possible|
|Wyoming||✓||As soon as possible|
The Biggest Data Breaches
Even large companies like Facebook aren’t immune to data breaches. Here are the biggest data breaches of the past few years, according to CNBC.6
|Company||Year(s) of Data Breach||Number of Records Breached||Reason for Breach|
|Yahoo||2013, 2014||3 billion, 500 million||Hacking|
|First American Financial Corp||2019||885 million||Poor security|
|2019||540 million||Poor security|
|Marriott International||2018||500 million||Hacking|
|Friend Finder Networks||2016||412.2 million||Poor security, hacking|
And that’s it for our guide to data breaches. To learn more about how to protect yourself online, read our guide to digital security or, for more information on data breaches, keep reading below.
We’ve received a lot of questions about data breaches, so we’re hoping to knock them all out here.
What happens in a data breach?
During a data breach, hackers steal a business’ data, which may include customer information, by breaking into vulnerable systems.
What does “data breach” mean?
“Data breach” means that a company’s database has been compromised, or breached.
What is the most common cause of a data breach?
While we can’t say for sure what is the single most common cause of a data breach, the most common causes are weak credentials, system vulnerabilities and human error.
Why is a data breach bad?
Data breach is bad because it exposes the personal information of customers and businesses, which can be used for identity theft and theft of intellectual property, among other negative consequences.
Norton. (2021). What is a data breach?
Incognito Forensic Foundation. (2021). 7 Major Causes of a Data Breach.
Cygilant. (2016). The 5 Stages of a Data Breach (and How You Can Protect Your Company).
IBM. (2021). How much would a data breach cost your business?
National Council on Identity Theft Protection. (2021). A Complete Guide to Personal and Corporate Data Breaches.
CNBC. (2019). 5 of the biggest data breaches ever.