Did you know that financial services employees were found to have access to about 11 million files or more and that around 60% of companies have hundreds of passwords that never expire?  

At the same time, cybercriminals are constantly sharpening their tools and are considered capable of gaining access to most company networks. These and other worrying statistics tell the story of how dangerous data breaches can be, how much data they can compromise, and what financial losses they can lead to.  

In this two-part blog post, we will explore what exactly a data breach is, how breaches occur, and what can be done about them. Here’s all you need to know about data breaches! 

Defining the threat: What is a data breach? 

A data breach is a form of cyber attack that seeks to access, leak, modify or delete sensitive or confidential information without authorization. Such information can be: 

  • Personally identifiable information (PII), which includes a person’s name, biometric data, social security number, or other personal identification 
  • Protected health information (PHI), which includes information about an individual’s past, present, or expected future physical and mental health 
  • Personal or organizational financial information such as credit card numbers, bank details, tax forms, financial statements, invoices, etc. 
  • Confidential business information such as contracts, trade secrets, business plans and strategies, customer lists, communications, and more 
  • Intellectual property such as software code, prototypes, blueprints, patents, etc. 
  • All kinds of other data which is not intended to be public 

Given the possibly severe consequences of attackers becoming privy to any of the above information, there are strict regulations and laws that govern how sensitive data must be protected, and what measures must be taken when a data breach occurs. 

Such laws include the European General Data Protection Regulation (GDPR) and the U.S. Cyber Incident Reporting for Critical Infrastructure Act, which came into effect in 2022. These laws specify how organizations must respond if a data breach has occurred.  

In addition, there are laws and industry standards that specify how different types of PII and PHI must be handled and secured. These include the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and others.  

These laws and regulations also specify the measures that may be taken against an organization that has been breached and has lost sensitive data. Apart from the damage done by the breach itself, such an organization may also face fines and legal action and is likely to suffer reputational damage as well. 

Over the years, there have been some data breaches that have affected billions of users. The Yahoo data breaches of 2013 and 2014 are considered the biggest to date and exposed a total of 3 billion user accounts. Similarly, in 2019, a total of 1.1 billion user records were found to have been scraped from Alibaba. So how is it possible for such breaches to occur? 

How do data breaches happen? 

There are many methods through which a data breach can be achieved. Some are entirely accidental but most are deliberate and exploit a vulnerability in a system or target individuals through social engineering. Here are the main ways in which data breaches occur: 

  • Accidental insider: Using someone else’s device and reading files that one usually does not have access to or using an unauthorized personal device can be considered a data breach, even if it does not lead to losses or damages. Poor password management and falling prey to phishing attacks are also considered accidental causes of a data breach. 
  • Theft or loss of hardware: Unsecured and unlocked devices such as laptops or mobile phones, as well as hard drives, USB drives, and even paper documents can also be a source of a breach. While not the most common source, these still constitute a threat and can be accidental or intentional. 
  • Breach of a physical location: Breaking into a location where important data is stored is also a method, though not a common one. 
  • Payment card skimming and point-of-sale intrusions: These methods seek to collect payment card information remotely or through the use of physical skimming devices. 
  • Social engineering: Phishing, as well as other forms of social engineering, is a very common tactic to gain unauthorized access to a system, usually to communication or collaboration tools but also to social media and online banking accounts. It relies on fooling victims into clicking on a link that injects malware or into sharing sensitive information. 
  • Malware, ransomware, and code injections: These forms of attacks rely on vulnerabilities in systems to inject some kind of malicious software or malicious code which compromises a system and provides access to data. An SQL injection is an example of this kind of attack. 
  • Man-in-the-middle attacks (MITM): An MITM attack allows attackers to eavesdrop on communications. It is usually paired with other forms of attack that enable attackers to decrypt data in transit and obtain authentication details, hijack sessions, and more.  
  • Distributed denial of service (DDoS): These attacks cannot lead to a data breach in themselves but are sometimes used as a distraction and diversion so that another attack can be launched in order to achieve a data breach. 
  • Brute force attacks: Because many passwords are fairly simple and easy to guess, brute force attacks are used to crack passwords and gain access. If proper password management and multi-factor authentication are absent, password guessing can be very effective.  
  • Malicious insider: Apart from the accidental insider, there is also the malicious insider, someone who deliberately steals or leaks data, or creates the possibility for an outside attack to succeed. Such actors misuse the privileges and authorizations granted to them within a system. 
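
For the brute force item above, this added example (not part of the original post) shows how a defender can spot password guessing in login records and prioritize the cases where a guess succeeded without a second factor. The log format, field names, threshold, and time window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical log format (not from any real product).
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.7 mfa=none
2024-05-01T10:00:03 FAIL user=alice src=203.0.113.7 mfa=none
2024-05-01T10:00:05 FAIL user=alice src=203.0.113.7 mfa=none
2024-05-01T10:00:09 OK user=alice src=203.0.113.7 mfa=none
2024-05-01T10:02:00 FAIL user=bob src=198.51.100.20 mfa=none
2024-05-01T10:02:30 OK user=bob src=198.51.100.20 mfa=totp
2024-05-01T11:00:00 FAIL user=carol src=192.0.2.44 mfa=none
2024-05-01T11:00:02 FAIL user=carol src=192.0.2.44 mfa=none
2024-05-01T11:00:04 FAIL user=carol src=192.0.2.44 mfa=none
2024-05-01T11:00:06 FAIL user=carol src=192.0.2.44 mfa=none
"""

LINE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+) mfa=(\S+)$")

def find_password_guessing(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return one finding per (source, user) that saw a burst of failed logins."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    findings = {}                 # (src, user) -> finding dict
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue              # skip malformed lines instead of crashing
        ts, result, user, src, mfa = m.groups()
        ts, key = datetime.fromisoformat(ts), (src, user)
        if result == "FAIL":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(key, {"src": src, "user": user,
                                              "failures": 0, "status": "attempted"})
                f["failures"] = max(f["failures"], len(q))
        elif key in findings and findings[key]["status"] == "attempted":
            # A success right after a burst of failures is the case to triage
            # first, above all when no second factor was involved.
            findings[key]["status"] = ("succeeded_without_mfa" if mfa == "none"
                                       else "succeeded_with_mfa")
    return sorted(findings.values(), key=lambda f: f["src"])
```

On the sample, the single mistyped password for `bob` produces no finding, `carol` is reported as attempted only, and `alice` is reported as a successful guess with no second factor.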

The stages of a data breach 

Regardless of the method utilized by attackers to breach a system and obtain data, the process itself usually goes through several stages. Typically these stages are Research, Creating an entry point, Infiltrating the system, and Exfiltrating the data. 

During the research stage, attackers research the company and its systems and examine aspects such as employee behavior. When researching employees, they will gather personal data that may be useful in guessing passwords and will also probe employees’ susceptibility to phishing attacks. When researching systems, they will probe ports, check for missing updates and vulnerabilities to be exploited, and even launch a few basic attacks to check the response. 

Once they have conducted enough research, attackers will use the intelligence they have gathered to zoom in on possible vulnerabilities and entry points and slowly attempt to gain initial access to a system. This may include launching various attacks that will ultimately allow them to steal credentials or hijack sessions. At this stage, they try to avoid alerting the security team in order to increase their chances of success. 

After creating an entry point, attackers will usually begin to move laterally through the breached network to locate the database and prepare for the extraction of data. This may include altering a system’s security processes, creating new accounts, escalating privileges to gain greater access, and more.  

Finally, after infiltrating the system deeply enough and gaining access to the desired data, attackers will begin to exfiltrate it. This is achieved by creating hidden copies within the system and transferring these outside of the system without drawing attention. Alternatively, attackers may encrypt the data in order to demand a ransom in return for it.  

Get help for your data protection needs from AMATAS 

Are you looking for a trusted partner to help you with protecting your organization’s and customers’ data? AMATAS has extensive experience in assisting companies in storing, securing, and caring for data as well as in responding efficiently to data breach events.  

Our Virtual Data Protection Officer (DPO) service is there to help you pick the best approach toward securing your data and keeping it safe. Get in touch to learn more about how we can help you with your data protection needs!  

Stay tuned for part two of this blog post in which we will explore which vulnerabilities create opportunities for data breaches, how to respond to breaches, and what you can do to prevent them! 

 

Ralitsa Kosturska in AMATAS