What Is A Data Breach?

You probably hear the term “data breach” weekly, but what does it really mean for you and your finances?

By
&
Aliza Vigderman Gabe Turner Chief Editor
Last Updated on Jan 25, 2021
By Aliza Vigderman & Gabe Turner on Jan 25, 2021

In the data economy where we hold a world of information in the palm of our hands, data breaches are as ubiquitous as iPhones. In this guide, we’ll tell you all about data breaches: what they are, how to prevent them, and other useful information. Let’s get started!

Windscribe Data Logging Policy
Windscribe Data Logging Policy

What Is A Data Breach?

Taking it back to basics, let’s first define “data breach”.

Definition

A data breach is a security incident in which a third party accesses data without the consent of the data’s owner, which could be either a business, its customers, or both.

Causes and Methods

There are a few different ways that people can breach data, whether intentionally or accidentally:

  • By exploiting system vulnerabilities from out of date software and injecting systems with malware
  • By guessing weak or repeated passwords
  • By accidentally downloading viruses or malware, a process also called drive-by downloads
  • By sending malware via phishing and spam emails1
  • By making a mistake like losing paperwork or sending an email to the wrong recipient
  • By losing devices or having them stolen.2

Targets

Typically, data breaches happen to businesses small and large, but since businesses hold customer information, they can also affect customers. We’ll tell you more about how to prevent data breaches as both an individual and a business in a little bit, but first let’s talk about what the breaches actually entail.

Phases

Data breaches occur in five major phases, according to cyber security company Cygilant:3

  • Target researched: First, hackers research a business: what hardware and software it uses, how much they spend on cyber security by looking at court records and financial filings, and how they can use partners as entry points.
  • Vulnerabilities scanned: Next, the hackers scan systems and their open ports, enumerating all devices and accounts on networks to find points of entry.
  • Vulnerabilities exploited: After they find these points, they run exploit code.
  • Payload delivered: Next, the hackers will either upload malware, take over accounts, hijack servers, or breach data using another method.
  • Data extracted: Finally, the hackers download the data they want, be it intellectual property, medical information, or financial information.

What Are The Consequences of Data Breaches?

There are many different negative consequences of a data breach, which include but are not limited to:

McAfee Identity Protection Menu
McAfee Identity Protection Menu
  • Identity theft: Using customers’ PII, or personally identifiable information, hackers will commit identity theft to file tax returns, secure bank loans or other actions that require PII.
  • Financial losses: In 2020, the average cost of a data breach in the U.S was $3.86 million. Now, keep in mind that this includes data breaches from huge companies like Microsoft and Walgreens, which is why the number is so high. Still, it’s clear that data breaches can have pretty extreme financial consequences.
  • Loss of productivity: Once a data breach occurs, businesses need to find and fix the vulnerabilities, which can take away from other lucrative pursuits. On average, it takes businesses 280 days to identify and contain data breaches,4 or about three-quarters of a year.
  • Ruined credit: For individuals who have had their identities stolen, their credit score may tank, resulting in difficulty getting bank loans, jobs or even rental agreements.
Experian Credit Reports
Experian Credit Reports
  • Lack of privacy: Depending on the type of information, data breaches may reveal information that people wanted to keep private (like the breach of Ashley Madison, a dating website for people seeking affairs).
  • Losing customers: For businesses, data breaches may cause distrust in customers, who may switch to a competitor.
  • Damage to reputation: Moreover, data breaches may turn off potential customers from doing business with organizations.
  • Loss of intellectual property: The hackers may steal intellectual property, which can result in financial losses and/or expensive lawsuits.
  • Online vandalism: Once hackers breach a website, they may vandalize it, which requires more time, money and energy to restore.
  • Ransoms: Ransomware is malware that the hacker refuses to remove unless the breached business pays a monetary ransom.

How Can I Prevent Data Breaches?

Scared? Don’t be. Although there’s no way to 100 percent prevent data breaches from occurring, there are several best practices that decrease the likelihood of a breach.

General Best Practices

Whether you’re an individual or a business, here are a few ways you can help to prevent data breaches:

  • Password hygiene: Each of your online accounts should have a strong, complicated and unique password. To see if your password is up to snuff, use our password strength tool.
  • Software updates: If you don’t update your software as soon as updates are available, then you are making your system vulnerable to breaches.
  • Monitoring financial accounts: Either monitor your financial and bank accounts manually, or automatically with the best identity theft protection services.
  • Monitor credit: Again, you can either monitor your credit from all three major credit-reporting bureaus manually or with automatic credit monitoring software.
Credit Sesame Identity Protection Alerts
Credit Sesame Identity Protection Alerts

FYI: The majority of most identity theft protection services will monitor your credit scores and reports on Experian, TransUnion, and Equifax, so you probably won’t need a separate credit monitoring software.

  • Secure file storage: Make sure that you store any sensitive information in encrypted vaults, ideally password protected with advanced authentication to prevent unauthorized access.
  • Clean up social media: Sometimes, we don’t realize how much information we reveal on social media. From names and birthdays to addresses, make sure that your PII is kept to a minimum on social media and that your accounts are set to private.
Surfshark Browser
Surfshark Browser
  • VPNs: VPNs increase your online safety by encrypting your web activity and IP addresses, which makes it harder for hackers to glean any of your online activity.
  • Antivirus software: Finally, antivirus software detects malware and viruses by scanning your devices for suspicious behaviors that could lead to data breaches.
Kaspersky Antivirus App Home Screen
Kaspersky Antivirus App Home Screen

Best Practices for Businesses

Businesses need to take their digital security to the next level in order to minimize the risk of breaches, taking steps such as:

  • Adhere to state requirements: As you’ll read more below, digital privacy laws differ by state when it comes to storing customer data, so make sure you brush up on your requirements.
  • Only store minimal information needed: As a general rule, you should keep as little customer information as possible and store it securely, be it physical or digital data. Some more tips on storing your data:
    • Lock up any physical records and restrict access to employees that have been background checked. Don’t give access to any temporary workers or vendors, but rather long-term employees that you can trust.
    • Before you throw out any sensitive paper files, shred them. If the data is stored on portable hardware like CDs or DVDs, destroy them before disposal.
    • For any data stored on a hard drive, make sure you completely wipe it or even destroy it before disposal, similar to CDs and DVDs.
    • If you or your employees ever use a photocopy machine to copy sensitive documents, make sure that the settings clear the data after every use.
  • Train employees: Inexperienced or untrained employees are a very frequent cause of data breaches, so make sure to train your employees to:
    • Put away files as soon as they’re done using them.
    • Log out of computers as soon as they’re done using them, even if it’s just to walk to the water cooler for a few minutes.
    • Lock all filing cabinets and offices when not in use.
    • Only use work devices for work purposes and not for things like torrenting or using inappropriate websites or unapproved software.
    • Never leave laptops or phones unattended.
    • Don’t store any personal information on work devices.
    • Use work devices even when working remotely, if possible.
  • Password protect: Again, password protect all devices and turn on time out functions so that devices lock after periods of non-use.
  • Encrypt: All data, including email, should be encrypted both “at rest”, while not in use, and “in motion”, while in use.
  • Avoid using portable media: DVDs, CDs and USB drives should be avoided if you [citaiton id=”5″]can.[/citation]

What To Do If You’ve Been Involved in a Data Breach

Even the most stringent people and businesses can still find themselves involved in data breaches. Don’t panic; with the right steps, you can contain the breach and minimize its financial impact.

For Individuals

For individuals whose information was involved in a data breach, you can protect yourself and your accounts with a few simple steps:

  • Contact financial institutions: First, call your bank, credit card company or credit union and alert them of the breach; they can check your account for suspicious activity and if need be, close your account and open a new one.
  • Freeze credit reports: Freezing your credit report means that identity thieves won’t be able to open accounts in your name. And no, it won’t affect your credit score. To freeze your reports, contact the credit bureaus directly either online or over the phone:

Did You Know: Freezing your credit won’t affect your credit score one way or the other.

Identity Guard - Freeze your Information
Identity Guard – Freeze your Information
  • Depending on which information was exposed: Your actions will differ based on what data of yours was exposed.
    • Social Security number: If your SSN was exposed, first check your credit for unfamiliar accounts or charges. We recommend again, freezing your credit, but if you’d rather not, at least put out a fraud alert. Fraud alerts mean that businesses will need to contact you before issuing credit; they last for a year before you can get a new one. To create a fraud alert, contact the credit bureaus using the above contact information. We also recommend filing your annual tax return as soon as possible so that no one else can file one with your information or use your SSN to secure a job.
    • Online username and/or password: Having your username and password breached is a much better situation than having your SSN breached. All you have to do is change your password and your username, if possible. If you can’t log into your account to change these credentials, contact the company to either recover or shut down your account. As well, if you used the same breached password for any other online accounts, change it so that each account has a unique password. Finally, check your bank and credit card accounts for any suspicious charges that you don’t recognize.
    • Bank account, credit or debit card information: While this scenario may sound scary, all you’ll have to do is contact your bank or credit company to close and replace your account or card.

For Businesses

When it comes to data breaches, things are much more difficult on the side of the business than they are on the side of the customer, so much so that it may be worth it to hire cyber security professionals to help you out. Nevertheless, here’s a brief overview of what’s involved.

  • Fix vulnerabilities: While this may sound obvious, your first step should be to fix the vulnerabilities to prevent further data loss, which again, could require hiring a forensics team or legal counsel.
  • Secure physical areas: Make sure that your office is physically secured and change all access codes.
  • Remove improper information: If your website was vandalized, remove all vandalism and any false or malicious information from other websites by contacting them directly.
  • Interview people who discovered breach: Whoever discovered the breach probably has better insight into its causes than most, so make sure to talk with them about it extensively.
  • Do not destroy the evidence: Hard as it may be, try not to tamper with evidence, as it could be used to catch the perpetrator.
  • Notify affected customers and relevant agencies: You may have to either notify your customers or government agencies about the breach, depending on your state’s laws.

Speaking of…

The Laws Surrounding Data Breaches

Whether you’re preventing a data breach from happening or dealing with the after-effects, make sure you’re adhering to state and federal data breach notification laws.

Federal

Most federal data privacy legislation only applies to the healthcare and financial industries; there’s no federal legislation specific to data breach notifications, which are handled at a state level.

State

Each state has its own unique data breach notification laws, and while all states have some form of this law, the requirements differ state-by-state. For the most part, however, businesses are legally required to inform their state’s residents of data breaches as soon as possible.

State Required to Alert Customers of Data Breaches? Maximum Amount of Time To Notify Customers of Data Breach
Alabama As soon as possible
Alaska As soon as possible
Arizona 45 days
Arkansas ✓* if it affected over 1,000 people and had a “reasonable likelihood of harm” As soon as possible
California ✓* if it affected over 500 residents As soon as possible
Colorado 30 days
Connecticut ✓* if breach will likely result in harm 90 days
Delaware 60 days
Florida ✓* if it affected 500 people or more 30 days
Georgia As soon as possible
Hawaii As soon as possible
Idaho 1 day
Illinois As soon as possible
Indiana As soon as possible
Iowa ✓* if it affected over 500 residents 5 business days
Kansas As soon as possible
Kentucky As soon as possible
Louisiana 60 days
Maine As soon as possible
Maryland 45 days
Massachusetts 10 business days
Michigan 3 business days
Minnesota ✓* only applies to government agencies As soon as possible
Mississippi As soon as possible
Missouri As soon as possible
Montana As soon as possible
Nebraska As soon as possible
Nevada As soon as possible
New Hampshire As soon as possible
New Jersey As soon as possible
New Mexico 45 days
New York As soon as possible
North Carolina As soon as possible
North Dakota ✓* if it affects 250 or more residents As soon as possible
Ohio 45 days
Oklahoma As soon as possible
Oregon ✓* if it affects 250 or more residents 10 days
Pennsylvania As soon as possible
Rhode Island As soon as possible
South Carolina ✓* if it affects 250 or more residents 3 days
South Dakota 60 days
Tennessee 45 days
Texas ✓* if it affects 250 or more residents 60 days
Utah 20 days
Vermont 45 days
Virginia As soon as possible
Washington ✓* if it affects 500 or more residents 30 days
West Virginia As soon as possible
Wisconsin 45 days
Wyoming As soon as possible

The Biggest Data Breaches

Even large companies like Facebook aren’t immune to data breaches. Here are the biggest data breaches of the past few years, according to CNBC.6

Company Year(s) of Data Breach Number of Records Breached Reason for Breach
Yahoo 2013, 2014 3 billion, 500 million Hacking
First American Financial Corp 2019 885 million Poor security
Facebook 2019 540 million Poor security
Marriott International 2018 500 million Hacking
Friend Finder Networks 2016 412.2 million Poor security, hacking

Recap

And that’s it for our guide to data breaches. To learn more about how to protect yourself online, read our guide to digital security or, for more information on data breaches, keep reading below.

FAQs

We’ve received a lot of questions about data breaches, so we’re hoping to knock them all out here.

  • What happens in a data breach?

    During a data breach, hackers steal a business’ data, which may include customer information, by breaking into vulnerable systems.

  • What does “data breach” mean?

    “Data breach” means that a company’s database has been compromised, or breached.

  • What is the most common cause of a data breach?

    While we can’t say for sure what is the single most common cause of a data breach, the most common causes are weak credentials, system vulnerabilities and human error.

  • Why is a data breach bad?

    Data breach is bad because it exposes the personal information of customers and businesses, which can be used for identity theft and theft of intellectual property, among other negative consequences.

Citations
  1. Norton. (2021). What is a data breach?
    us.norton.com/internetsecurity-privacy-data-breaches-what-you-need-to-know.html

  2. Incognito Forensic Foundation. (2021). 7 Major Causes of a Data Breach.
    ifflab.org/7-major-causes-of-a-data-breach/

  3. Cygilant. (2016). The 5 Stages of a Data Breach (and How You Can Protect Your Company).
    blog.cygilant.com/blog/the-5-stages-of-a-data-breach-and-how-you-can-protect-your-company

  4. IBM. (2021). How much would a data breach cost your business?
    ibm.com/security/data-breach

  5. Central Insurance Companies. (2019). Preventing a Data Breach.
    central-insurance.com/docs/tips-DataBreach.htm

  6. CNBC. (2019). 5 of the biggest data breaches ever.
    cnbc.com/2019/07/30/five-of-the-biggest-data-breaches-ever.html