How Data Breaches Happen?

08
OCTOBER, 2019by Michiel Mulders

Preamble

You’ve probably seen some recent articles asserting that the world’s most valuable resource is no longer oil—it’s data. New internet titans like Google, Amazon, Apple, Facebook, and Microsoft look unstoppable. In fact, these internet titans are listed as the five most valuable firms in the world.These companies are evaluated so highly because of the services they offer. We use Google’s search engine numerous times a day for free. We use Facebook to stay connected with our friends for free.But are these “free” services actually free? No!Users pay for these so-called free services with their data—whether it’s buying behavior or location data. All of the info these giants collect can be used to make better predictions about users’ personality and the things they like (and therefore might buy).Despite the risks a data breach poses to both companies and consumers, many websites and companies do not value the security of the data we give them. In this post, we’re going to take a deeper look at data breaches and how they happen. 

What Is a Data Breach?

As technology rapidly evolves, more and more information is stored digitally. As a result, cyberattacks and data breaches have increased over the past ten years.A data breach is a security incident in which information is accessed without authorization. They can hurt businesses and consumers in a variety of ways. Data breaches are a costly expense that can damage lives and reputations. And they take time to repair.Globally, the average total cost to a company of a data breach is $3.86 million, according to a study by the Ponemon Institute. Another study by Ponemon Institute, sponsored by IBM Security shows that each stolen record is worth $148 on average. Online crime is a real threat to anyone on the internet.According to Symantec‘s yearly threat report, data breaches mostly involve personally identifiable information like name, address, date of birth, or credit card numbers. Personally-identifiable information is the most valuable information, as a malicious person can misuse it to steal someone’s identity or even money from a credit card. Often, they sell this type of data on malicious marketplaces on the dark web.

Case Study: Ashley Madison

In July 2015, a group calling itself “The Impact Team” stole the user data of Ashley Madison, a commercial website billed as enabling extramarital affairs. The group was able to get access to personal information of thousands of users of the website.Next, they threatened to release all information if the Ashley Madison website didn’t shut down immediately. One month later, the group leaked more than 25 gigabytes of company data, including user details.Although the hacker group had more or less good intentions, they upset many lives by releasing personal information about the users. Some users even lost their job or experienced public shaming for being affiliated with a website like Ashley Madison.However, Ashley Madison’s site policy stated that they don’t delete users’ personal information like names, addresses, credit card transaction records, and even search history. This is absolutely wrong. Unused data should be deleted as soon as possible when it’s no longer in use. Every company should have a policy for information management and when to delete data.As you can see, many things went wrong with the Ashley Madison data breach. The combination of an incorrect data management policy and inappropriate software security has lead to one of the most impactful data breaches in the history of the internet.

How Do Data Breaches Occur?

So now that we understand what a data breach is and have seen an example of one, you’re probably wondering how data breaches occur.First of all, as I said at the beginning of this post—your data is expensive. If our data is worth a lot of money for companies, it’s also very profitable for hackers to steal personally identifiable information.But how do hackers get access to your data?There are five primary causes for a data breach:
  • Exploiting system vulnerabilities.
  • Weak passwords.
  • Drive-by downloads.
  • Human error.
Next, let’s take a deeper look at each of them.

Exploiting System Vulnerabilities

The far most common issue related to system vulnerabilities is out-of-data software.So why is out-of-date software is so interesting to hackers?Out-of-date software often has had many updates to patch security holes. When a user doesn’t update their software regularly, the attacker can abuse this hole and potentially install malware on the user’s machine.

Weak Passwords

We’ve all heard warnings against passwords like ‘123456’ or ‘myname123’. Whenever attackers breach a database which holds all your information, a hacker can easily find your name. Then they just try out some easy combinations like your name appended by ‘123’. (I’m assuming here that the database hashed all passwords and the hackers have to try to decrypt the passwords.)That’s why many websites force you to create more complex passwords that contain a mixture of letters and numbers or symbols like $, %, and &.Experts advise you to never use simple passwords. On top of that, they recommend using password management tools that generate unique passwords for you so you don’t have to remember them.

Drive-By Downloads

Some compromised web pages can force your browser to download a file unwillingly. With a drive-by download, an attacker can install malicious software on your machine that gives them access to your computer.Similarly, never download file attachments in an email from an unfamiliar source. Doing so can infect your computer with some sort of malware.

Phishing

Next, phishing is one of the more commonly known attacks as it regularly pops up in the media. Attackers use fake emails or websites to make you believe it’s real. With phishing, malicious attackers try to trick you to reveal your credit card details or password for a particular website.

Human Error

Human error is often unavoidable. Users make mistakes, also with the way we handle data. For example, we might save a user’s medical record in the wrong storage which is publicly accessible (for example in your Test Environments). This can even be a design flaw by a developer which gives a malicious person access to a database full of personally identifiable information (PII). Human error can happen in many forms.

7 Tips to Prevent Data Breaches

We have just learned that there are five primary causes of data breaches. Let’s take a deeper look at the prevention of data breaches. Here are seven simple tips to protect yourself from data breaches:
  1. Keep only data that you really need and delete unused data.
  2. Educate employees on how to handle data safely.
  3. Keep security software up to date.
  4. Pay attention to security: computer security, network security, etc.
  5. Encrypt (or mask) all data!
In case of a data breach, the data will be mostly unusable due to the obfuscation.
  1. Deploy intrusion detection and prevention mechanisms.
  2. Stop drive-by downloads via content filtering.
These are simple tips to improve your overall data security. For GDPR reasons in Europe, it’s even mandatory to delete data you won’t use anymore. To protect yourself, you should consider partnering with a company like Enov8 to analyze your vulnerabilities and keep you in compliance with the latest regulations. Besides that, a golden tip is to have a backup plan in place that regularly makes a copy of all your companies’ data to a separate secure server. In case attackers comprise your companies’ data, you still have this data backup which you can restore.

Data Security in a Nutshell

Data security is very important nowadays. As our lives become more digitized, we store more and more personal data in the cloud. This also means we have to improve our data security and prevent data breaches from happening.A data breach can have a big impact on a user’s life—as we saw in the Ashley Madison hack, which caused people to lose their jobs.Luckily, data breaches can be prevented by encrypting data in the first place. Additionally, it’s very important to update software regularly. Finally, always make sure you make secure backups of your companies’ data.
Michiel MuldersMichiel is a passionate blockchain developer who loves writing technical content. Besides that, he loves learning about marketing, UX psychology, and entrepreneurship. When he’s not writing, he’s probably enjoying a Belgian beer!

Relevant Articles

The Crucial Role of Runsheets in Disaster Recovery

The Crucial Role of Runsheets in Disaster Recovery

March,  2024 by Jane Temov.   Author Jane Temov Jane Temov is an IT Environments Evangelist at Enov8, specializing in IT and Test Environment Management, Test Data Management, Data Security, Disaster Recovery, Release Management, Service Resilience, Configuration...

Establishing a Paved Road for IT Ops & Development

Establishing a Paved Road for IT Ops & Development

March,  2024 by Jane Temov.   Author Jane Temov Jane Temov is an IT Environments Evangelist at Enov8, specializing in IT and Test Environment Management, Test Data Management, Data Security, Disaster Recovery, Release Management, Service Resilience, Configuration...

Why Release Management Matters?

Why Release Management Matters?

February,  2024 by Jane Temov.   Author Jane Temov Jane Temov is an IT Environments Evangelist at Enov8, specializing in IT and Test Environment Management, Test Data Management, Data Security, Disaster Recovery, Release Management, Service Resilience,...

Unveiling the ROI of Test Data Management

Unveiling the ROI of Test Data Management

February,  2024 by Andrew Walker.   Author Andrew Walker Andrew Walker is a software architect with 10+ years of experience. Andrew is passionate about his craft, and he loves using his skills to design enterprise solutions for Enov8, in the areas of IT...

Streamlining Test Environment Management with GitOps and Enov8

Streamlining Test Environment Management with GitOps and Enov8

February,  2024 by Jane Temov.   Author Jane Temov Jane Temov is an IT Environments Evangelist at Enov8, specializing in IT and Test Environment Management, Test Data Management, Data Security, Disaster Recovery, Release Management, Service Resilience,...

Generative AI for Data Synthetics – Will it Change Testing

Generative AI for Data Synthetics – Will it Change Testing

January,  2024 by Jane Temov.   Author Jane Temov Jane Temov is an IT Environments Evangelist at Enov8, specializing in IT and Test Environment Management, Test Data Management, Data Security, Disaster Recovery, Release Management, Service Resilience,...