A data breach can have a severe impact on a company, ranging from financial loss to reputational damage, so it is important to put measures in place to avoid falling victim to one.
What is a Data Breach?
A data breach is any unauthorised access to personal information. Confidential and protected information such as bank account details, names, addresses, passwords and email addresses can all be exposed through a breach. At its root, it is about the loss or theft of personal data. A data breach can be intentional (e.g. a hacker holds your company to ransom with ransomware) or unintentional (e.g. an employee sends confidential information to the wrong email address).
In the first half of 2019 alone, data breaches exposed 4.1 billion records.
In this article, we’ll outline the major causes of a data breach to help you stay safe and secure.
The 5 Major Causes of a Data Breach
Human Error
Human error remains one of the biggest causes of data breaches. CybSafe's analysis of ICO data showed that human error caused 90% of cyber data breaches in 2019. In addition, research from Gallagher indicates that up to 60% of businesses in the UK have suffered a data breach because of human error.
What does a data breach caused by human error look like?
Sending an email to the wrong recipient, losing paperwork, disclosing confidential information by mistake or not using BCC when emailing a large group are all examples of a data breach caused by human error.
Large and small companies alike are susceptible to this type of data breach. For example, Virgin Media was recently subjected to an investigation after it admitted exposing the personal details of 900,000 customers. The breach was caused by human error: an employee did not follow the correct procedures, and the database that stored the personal information was “incorrectly configured.” Consequently, the database was left unsecured for ten months.
Another example worth noting is the first UK organisation to be fined under GDPR. In 2019, Doorstep Dispensaree Ltd was fined £275,000 by the ICO for failing to protect its patients' data. The pharmacy, which supplies medicines to care homes and other customers, had left about 500,000 documents in unlocked containers at the back of its office in Edgware.
Weak Passwords
Another common cause of data breaches is the use of weak passwords. Passwords such as “1234” or “welcome”, or easily discoverable details such as your name or date of birth, are not advisable. In addition, using the same password across different sites places you at greater risk if that password is weak: if one account is successfully hacked, the same password can be used to gain access to the others.
A recent study by Google found that 66% of those polled said they use the same password for more than one online account.
We recommend using a password manager such as LastPass or 1Password if you are struggling to keep track of different passwords. When creating passwords, use symbols and both uppercase and lowercase letters to make them strong. Read our article on Bad Password Habits to stay protected.
Application Vulnerabilities
Application vulnerabilities are flaws or weaknesses in software, such as the software running on a mobile phone or laptop. When a vulnerability is not patched, hackers can exploit it to compromise the security of the software. Delayed updates are a common way an application vulnerability leads to a data breach. For example, Equifax suffered a data breach in 2017 affecting close to 145 million people. According to the House Oversight report, the breach could have been avoided if the company had patched a disclosed vulnerability in Apache Struts, an open-source web server. The hackers took advantage of this vulnerability on Equifax's website to access an unencrypted file of passwords on a server, which in turn gave them entry to unencrypted consumer data. As mentioned earlier, data breaches are extremely costly: the Equifax breach cost the company over $4 billion in total.
You can prevent this type of data breach through measures such as firewalls and installing security patches and updates promptly. It is also important to have an audit strategy that helps identify security risks.
Phishing Scams
Phishing scams are also extremely common. Hackers use this method to gain access to sensitive information. It involves sending fraudulent emails with the aim of getting recipients to click malicious links or download malicious attachments, which are then used to steal information. For example, the Protected Health Information of nearly 650,000 clients of the Oregon Department of Human Services was exposed through a phishing scam. Nine employees reportedly opened a phishing email and clicked on a link that gave the sender access to their email accounts.
To protect against these attacks, be wary of clicking links or downloading attachments unless you are sure of the source. Watch out for shortened links, and take the time to double-check simple signs such as a wrong logo or spelling mistakes. Never share sensitive data by email, and be wary of urgent requests that demand actions such as changing your password.
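One way to turn the warning signs above (unknown sender, shortened links, urgent wording, password-change requests) into a simple triage routine for a mail-filtering or awareness tool. This is an added example, not code from the original article or from Kazient; the shortener list, phrase lists, trusted-domain set and sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed lists for this example (assumptions, not from the article).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "goo.gl"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended")
CREDENTIAL_PHRASES = ("change your password", "reset your password", "verify your account")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def phishing_indicators(sender: str, subject: str, body: str, trusted_domains: set) -> list:
    """Return the warning signs from the advice above that appear in one email.

    trusted_domains: the sender and link domains the organisation expects (assumed).
    """
    found = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain not in trusted_domains:
        found.append(f"unknown sender domain: {sender_domain}")
    # Each link is checked for a URL shortener first, then for an untrusted host.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_DOMAINS:
            found.append(f"shortened link: {url}")
        elif host not in trusted_domains:
            found.append(f"link to untrusted host: {host}")
    text = f"{subject} {body}".lower()
    found.extend(f"urgent wording: '{p}'" for p in URGENCY_PHRASES if p in text)
    found.extend(f"credential request: '{p}'" for p in CREDENTIAL_PHRASES if p in text)
    return found


# Constructed sample messages: one suspicious, one ordinary internal email.
SUSPICIOUS = dict(
    sender="it-support@example-mail.net",
    subject="URGENT: verify your account within 24 hours",
    body="Your mailbox will be suspended. Reset your password here: https://bit.ly/3xyzabc",
)
ORDINARY = dict(
    sender="alice@example.org",
    subject="Minutes from Tuesday",
    body="Notes are on the intranet: https://intranet.example.org/minutes/2024-05",
)

if __name__ == "__main__":
    trusted = {"example.org", "intranet.example.org"}
    for label, msg in (("suspicious", SUSPICIOUS), ("ordinary", ORDINARY)):
        print(label, phishing_indicators(trusted_domains=trusted, **msg))
```

The suspicious sample trips seven indicators while the ordinary one trips none; a real filter would score and route such messages rather than block on a single match.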
Malware and Ransomware
Malware, short for malicious software, is also a common cause of data breaches. Its aim is to infect your device, often by tricking you into downloading infected files. A common example is a fake warning about harmful software that prompts you to download a supposed fix. Downloading software or files of this nature exposes you to viruses that can hijack your computer.
Ransomware is a form of malware in which hackers gain access to your network and block access until a ransom is paid, usually in cryptocurrency.
Protect yourself against malware by installing antivirus software on all devices and keeping it up to date. Regular security checks will alert you when there is a serious security issue to be addressed. In addition, avoid downloading files or clicking links from unknown sources, use tools that detect infected websites and, lastly, back up data regularly to minimise loss of information if you are attacked.
To conclude, it is important to make sure you have “robust breach detection, investigation and internal reporting procedures” in place.
As part of our award-winning advice and consultancy service at Kazient Privacy Experts, we help our clients to safeguard their organisation’s data from unauthorised access. Our risk management process will help you to avoid unacceptable data protection and privacy risks.
What is the impact of a data breach?
Under GDPR, a data breach must be reported to the Information Commissioner’s Office (ICO), which subjects you to an investigation. If the investigation finds a company liable for the breach through inadequate security measures, the ICO has the power to fine the organisation up to 4% of annual global turnover. Aside from the monetary cost, reputational damage affects the standing of many organisations. A data breach also exposes a company’s clients to various ill effects, including identity theft, mortgage fraud and fraudulent credit card transactions.
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions, in language you understand, to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to act as your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.