If you think news stories about data breaches are a daily occurrence, you could be right. Either data breaches are becoming more frequent, or something else is happening in the world of cyber security. Could it be that corporate and personal data breaches appear more common simply because stronger data privacy laws are enforcing the way we report such incidents?
Since the early 2000s, lawmakers across the globe have introduced legislation that requires businesses and organizations to report data breaches to an appointed data privacy regulator. Before that, a company could avoid any embarrassment simply by ‘keeping schtum’ about a breach.
However, 2018 brought a marked shift in privacy law in North America, Europe and the Asia Pacific region. Under the new regimes, an organization suffering a personal data breach must report it to the appropriate regulatory authority unless the breach is unlikely to put individuals at risk, and must also notify the affected individuals without undue delay when the breach is likely to put them at high risk.
In Europe, the General Data Protection Regulation (GDPR) was adopted by the European Parliament and Council on 14 April 2016 and became enforceable on 25 May 2018, with the United Kingdom, then still a member state, among the countries bound by it. Because the GDPR is a regulation rather than a directive, it is directly binding and applicable in every member state, although it leaves certain aspects open for individual member states to adjust.
Before the GDPR, the UK already had the Data Protection Act 1998, a United Kingdom Act of Parliament designed to protect personal data stored on computers or in an organized paper filing system. The Data Protection Act 2018 replaced it and supplemented the GDPR in UK law. Since the UK left the EU, the EU GDPR no longer applies there directly; instead a retained domestic version, known as the UK GDPR, applies alongside the Data Protection Act 2018.
The Information Commissioner’s Office (ICO) states that organizations must report a notifiable breach to the ICO within 72 hours of becoming aware of it, where feasible. A breach that is unlikely to result in a risk to individuals need not be reported, but it must still be documented internally.
Meanwhile, in the United States, California was the first state to regulate the disclosure of data breaches, with a notification law that took effect in 2003. In 2018 it passed the California Consumer Privacy Act (CCPA), which drew on the GDPR as a model and took effect on 1 January 2020.
Most of the world’s national and state-level privacy laws can impose punitive fines on organizations that fail to comply, and some also give individuals the right to seek damages through private lawsuits.
Before we consider some of the preventative measures that can be taken to minimize the risk of a data breach, it’s important to understand how a data breach can occur in the first place.
How Does a Data Breach Occur?
A data breach often occurs when a hacker successfully gains access to a data source and extracts sensitive information. Originally, the term “hacker” meant any skilled computer expert that uses their technical knowledge to overcome a problem. But, while “hacker” can refer to any skilled computer programmer, the term has become more commonly associated with someone who, with their technical knowledge, uses bugs or exploits to break into computer systems.
In some instances a hacker steals data simply to prove that they can. The theft can be carried out by physically accessing a computer to copy locally stored files, or by remotely circumventing network security. The following steps are commonly taken by hackers when attempting to access a computer or network remotely:
- RESEARCH. The hacker searches for security weaknesses in the target’s computer systems or networks.
- STAGE ATTACK. The hacker exploits weaknesses in the network, system or software applications to infiltrate the company’s network. A social attack instead tricks an employee into granting access, typically by fooling them into disclosing their login details or into opening a malicious e-mail attachment.
- EXFILTRATION. Once the hacker controls one computer, they move on to attack other devices on the company’s network, pivoting through them to reach multiple sources of confidential information, and then download the data.
There are a number of ways in which a hacker, or more specifically, a “cyber-criminal” can break in and steal confidential data. The five most common methods are as follows:
Broken Access Controls
Misconfigured or broken access controls can render private files and folders ‘public’. For example, a network administrator, or anyone with admin rights on the network, could restrict a folder containing sensitive data, such as customers’ credit card details, so that only the right people can read it. But if the sub-folders beneath it keep their old, more permissive permissions, it’s like locking your front door but leaving a window open: a burglar simply enters through the window and steals your property.
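The ‘locked front door, open window’ case can be checked mechanically rather than by eye. The following is an added example, not code from the original article or from any of its sources. It models a file share as a tree in which each folder or file either carries its own permission list or inherits its parent’s (a simplified, hypothetical ACL model, not any particular product’s), and reports every entry that ends up readable by Everyone beneath a folder that was explicitly made private. The paths and group names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

EVERYONE = "Everyone"  # the 'public' principal in this simplified model


@dataclass
class Node:
    """A folder or file on the share. acl=None means 'inherit from the parent'."""
    path: str
    acl: Optional[Dict[str, Set[str]]] = None
    children: List["Node"] = field(default_factory=list)


def grants_public_read(acl: Dict[str, Set[str]]) -> bool:
    return "read" in acl.get(EVERYONE, set())


def find_exposed(root: Node) -> List[str]:
    """Return the paths whose effective ACL lets Everyone read them even
    though the node itself or one of its ancestors was explicitly restricted.

    A folder that is public by design at the top of the tree (a website
    root, say) is not reported, because nothing above it was locked down."""
    exposed: List[str] = []

    def walk(node: Node, inherited: Dict[str, Set[str]], restricted_above: bool) -> None:
        effective = node.acl if node.acl is not None else inherited
        public = grants_public_read(effective)
        # An explicit ACL that does not grant Everyone read restricts this
        # node and everything below it that inherits from it.
        restricted = restricted_above or (node.acl is not None and not public)
        if public and restricted:
            exposed.append(node.path)
        for child in node.children:
            walk(child, effective, restricted)

    walk(root, {}, False)
    return exposed


# Constructed sample tree (hypothetical paths and groups): the admin locked the
# top-level folder down to Finance, but the 2023 sub-folder kept an old ACL
# that still grants Everyone read, so it and everything under it are reachable.
SAMPLE_TREE = Node(
    "Customers",
    acl={"Finance": {"read", "write"}},
    children=[
        Node(
            "Customers/2023",
            acl={"Finance": {"read", "write"}, EVERYONE: {"read"}},
            children=[Node("Customers/2023/cards.csv")],
        ),
        Node("Customers/2024", children=[Node("Customers/2024/cards.csv")]),
    ],
)

if __name__ == "__main__":
    for path in find_exposed(SAMPLE_TREE):
        print("EXPOSED:", path)
```

Run against the sample tree it reports `Customers/2023` and `Customers/2023/cards.csv`; the 2024 folder inherits the restricted ACL and is silent. The same walk can be fed from a real share by building the tree from whatever permission listing the platform exposes.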
Spyware
Spyware is a type of malware that collects information about a person or organization, usually without their knowledge, and sends it to another party without the user’s consent. Spyware can also arrive as a secondary infection delivered by a Trojan such as Emotet. Once a system is infected, the spyware can send the user’s personal data back to the Command and Control (C&C) servers operated by the cyber-criminals.
SQL Injection
SQL injection is a code injection technique used to attack data-driven applications: malicious SQL is placed in a data entry field and, because the application splices that input into the text of a query, it is executed by the database (e.g. to dump the database contents to the attacker). SQL injection is best known as an attack vector against websites, but it applies to any application that builds SQL from untrusted input, whatever the database behind it.
SQL injection attacks allow attackers to spoof identity, tamper with existing data, void transactions, change balances, disclose all of the data on the system, destroy the data or make it unavailable, and become administrators of the database server.
SQL injection is one of the least sophisticated attacks to carry out, requiring minimal technical knowledge. Cyber-criminals can even use automated tools to find and exploit injection points for them.
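To make the mechanism concrete, here is an added example, not code from the original article or its sources, that puts a deliberately vulnerable login and search beside their parameterized equivalents, using Python’s built-in sqlite3 module against an in-memory database. The table names, rows and payloads are constructed for the demonstration; the plaintext passwords are there only to keep the dump readable, a real system stores hashes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('admin', 'S3cret!'), ('bob', 'hunter2');
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products (name) VALUES ('Widget'), ('Gadget');
        """
    )
    return conn


# --- Deliberately vulnerable: user input is spliced into the SQL text -------

def login_vulnerable(conn, username: str, password: str):
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone()


def search_vulnerable(conn, term: str):
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


# --- Hardened: the same queries with the input bound as parameters ----------
# The driver sends the query text and the values separately, so the values
# can never change the structure of the statement.

def login_safe(conn, username: str, password: str):
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def search_safe(conn, term: str):
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Constructed payloads. BYPASS closes the username string and comments out the
# password check; DUMP appends a UNION that pulls credentials out of another
# table through the product search (the 'complete disclosure' case above).
BYPASS = "admin'--"
DUMP = "' UNION SELECT username || ':' || password FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, BYPASS, "wrong"))   # (1,) -> in as admin
    print("safe login:     ", login_safe(db, BYPASS, "wrong"))         # None
    print("vulnerable search:", search_vulnerable(db, DUMP))            # products + credentials
    print("safe search:     ", search_safe(db, DUMP))                   # []
```

The hardened functions are not cleverer about filtering quotes; they simply never let input become SQL. Where a query’s structure itself must vary (column names, sort order), use an allow-list of known values rather than interpolating the caller’s string.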
Exploits
An exploit attack uses pre-existing bugs or other vulnerabilities, usually in unpatched software, to gain unauthorized access to a computer or server and its data. Commonly exploited software includes the computer’s operating system, web browsers, and Microsoft Office applications.
Phishing
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by posing as a trustworthy entity in an electronic communication. Typically carried out by e-mail spoofing or instant messaging, it often directs users to enter personal information at a fake website that matches the look and feel of the legitimate one.
Phishing is an example of social engineering: users are lured by communications purporting to come from trusted parties such as social web sites, auction sites, banks, online payment processors or IT administrators.
Typically, a phishing attack begins with a fake e-mail that appears to come from someone the user knows, or a company the user does business with. The e-mail usually contains urgent language demanding some kind of action, such as verifying a payment or purchase the user never made. By clicking the supplied link, the user is taken to a malicious login page that captures their username and password. Without multi-factor authentication (MFA) enabled on the account, the cyber-criminals now have everything they need to log in as that user.
Protect your business and reduce the risk of Data Breach
It makes perfect sense to be diligent and proactive when it comes to data security, as the consequences of a data breach can be enormous. So how can a data breach be avoided in the first place?
Professional hackers are becoming ever more skilled at gaining access to computers and networks. However, there are certain safeguards that can be applied in order to minimize potential risks.
Following a risk assessment, internet security company Malwarebytes recommends the following measures:
- Practice network and data segmentation. On a flat network, cybercriminals who gain a foothold are free to move laterally and steal every byte of valuable data. Segmenting the network and the data held on it slows them down, buys extra time to detect and respond during an attack, and limits how much data a single compromise exposes. Segmentation also supports the next tip.
- Enforce the principle of least privilege (PoLP). PoLP means each user account has only enough access to do its job and nothing more. If one user account is compromised, cybercriminals do not get access to your entire network.
- Invest in good endpoint security software. If you have the misfortune of clicking a malicious link or opening a bad attachment, a good endpoint security product can detect the threat, block the download, and stop the malware from gaining a foothold on your network.
The primary target for data breaches is the commercial sector and large organizations. But it’s perfectly natural for the general public to be concerned, not only for their personal data held by the organizations they deal with, but also for the data stored on their own computers and connected devices.
What Should Private Individuals Do To Protect Their Personal Information To Reduce Risk?
Whether your personal data held by an organization has been compromised or you are concerned about the data you have stored on your own devices, the following guidelines from Malwarebytes are well worth noting:
- Reset your password for the compromised account and for any other accounts sharing the same password. Really though, you shouldn’t reuse passwords across sites. Granted, remembering a unique alphanumeric password for all of your online accounts and services is impossible, unless you’re good with mnemonics or, better yet, you have a hard drive implanted in your head like Johnny Mnemonic. For everyone else, consider using a password manager like 1Password. Password managers also give you a built-in defence against spoofed websites: while that login page for Google or Facebook might look real, your password manager matches on the site’s actual URL, won’t recognize the fake one, and so won’t fill in your username and password for you.
- Monitor your credit accounts. Look for any suspicious activity. Remember you get a free credit report, one from each of the three major credit bureaus, every year at annualcreditreport.com. This is the only US Federal Trade Commission authorized site for obtaining free credit reports.
- Consider a credit freeze. A credit freeze makes it harder to open up a line of credit under your name by restricting access to your credit report. You can lift or stop the freeze at any time. The only hassle is that you must contact each credit bureau individually to enact or remove a freeze.
- Watch your inbox carefully. Opportunistic cyber-criminals know that millions of victims of any given data breach are expecting some kind of communication about their hacked accounts. These scammers take the opportunity to send out phishing e-mails spoofed to look like they come from the breached service, in an attempt to get you to give up more personal information.
- Consider credit monitoring services. Should you sign up? Often, after a data breach, affected companies and organizations will offer victims free identity theft monitoring services. It’s worth noting that services like LifeLock et al. will notify you if someone opens a line of credit in your name, but they can’t protect your data from being stolen in the first place. Bottom line: if the service is free, go ahead and sign up. Otherwise, think twice.
- Use multi-factor authentication (MFA). Two-factor authentication is the simplest form of MFA: you need your password and one other form of authentication to prove that you are who you say you are and not a cyber-criminal attempting to hack your account. For example, a website might ask you to enter your login credentials and then a separate one-time code. Codes sent by text message are better than nothing, but an authenticator app or a hardware security key is stronger, because a text can be intercepted or redirected to a phone the attacker controls.
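The ‘separate authentication code’ that an authenticator app produces is a time-based one-time password (TOTP, RFC 6238), which is HOTP (RFC 4226) with the counter derived from the clock. The following is an added example, not code from the original article or its sources, implementing both with the Python standard library and a verifier that tolerates one step of clock drift. The shared secret is the ASCII test key from the RFCs, used here only so the output can be checked against the published test vectors; a real enrolment generates a random secret per user.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then
    'dynamic truncation' picks 4 bytes at an offset given by the low nibble
    of the last digest byte, masks the sign bit, and keeps `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second
    intervals elapsed since the Unix epoch at `for_time`."""
    return hotp(secret, for_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept `code` if it matches the current step or any step within
    +/- `window` (phones and servers drift). compare_digest keeps the
    comparison constant-time so a wrong digit is not measurably faster."""
    if len(code) != digits or not code.isdigit():
        return False
    for drift in range(-window, window + 1):
        candidate = totp(secret, now + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# ASCII secret from the RFC 4226 / RFC 6238 test vectors (not a real key).
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))          # 755224 (RFC 4226 vector)
    print("TOTP at T=59:  ", totp(TEST_SECRET, 59, digits=8))  # 94287082 (RFC 6238 vector)
    print("TOTP now:      ", totp(TEST_SECRET, int(time.time())))
```

Two things the snippet does not do, and a production verifier must: it does not remember which counter values have already been accepted, so a code captured by a phishing page could be replayed within the same step; and it does not rate-limit guesses, without which a six-digit space is small enough to brute-force over a wide window. Even with both, a real-time phishing proxy can relay a TOTP code as the user types it, which is why phishing-resistant methods such as hardware security keys bind the authentication to the genuine site’s origin.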
Did You Know?
Some industry reports attribute roughly 90 percent of data breaches to phishing, and phishing is consistently cited as the most common way attackers get their initial foothold. Next week we will feature an article on how to identify a potential phishing scam and what you can do to protect your company.
NOTE: This article is provided for information purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experienced data privacy practitioner and/or data privacy attorney when preparing for compliance with any data protection and privacy legislation.
Sources: Malwarebytes, TrendMicro, Wikipedia