What Is a Data Breach and How Do You Avoid It?
A data breach occurs when cybercriminals steal information from an organization’s database without permission from the owner or administrator. Data breaches are extremely common.
Cybercriminals can steal a lot of sensitive information during a data breach, including personally identifiable information (PII), personal health information (PHI), company trade secrets, and credit card numbers. When that information gets into the wrong hands, cybercriminals can use it for personal gain.
Just because we live in an increasingly connected world doesn’t mean we have to make theft easy for hackers. There are several ways to protect yourself from data breaches, and it all starts with understanding how they happen.
Why do data breaches happen?
Our personal data is extremely valuable, which is why cybercriminals want it so bad and are willing to take it through nefarious means. Here are a few things criminals might try to do when they have your data:
- They can use your credit card or financial information to make purchases.
- They can use your health insurance information to pay for health care procedures and medication.
- They can create a fake identity with your Social Security number (SSN) and other personal data and use it to apply for loans.
- They can sell company trade secrets to other businesses.
- They can sell personal information to bidders on the dark web.
What information is typically targeted in a data breach?
Before hackers try to breach an organization, they look for weaknesses in the organization’s network. They may decide to attack holes in a company’s data security systems or even try to coerce employees into revealing authorization credentials.
Here are a few of the main things hackers target when they breach an organization:
- Weak passwords: If a company’s network passwords aren’t strong, it won’t take long for hackers to figure them out.
- Internet of things (IoT): Some employees may use mobile devices to log into networks or store authorization credentials.
- Third parties: If a criminal can’t access a business’s database directly, they might be able to hack one of the company’s business partners. By hacking a third-party network, criminals can gain indirect access to their target company’s information.
- Employees: Hackers can launch social engineering schemes to deceive employees into giving them unauthorized access to information.
Data breach examples
Both attacks from outside an organization or from people working inside a company can cause data breaches. We’ll explain the differences between internal and external data breach threats in the next few sections. We’ll also give you some examples to help you understand each type of breach.
Insider data breach threats
An insider data breach threat comes from someone who works for or is involved with a company. There are both malicious and accidental insider data breach threats. Malicious breaches occur when an insider purposely leaks information. Accidental breaches occur when an insider accidentally leaks information.
A malicious insider abuses their access to people’s personal information. They willfully leak personal data with criminal intent. A malicious insider might be a current employee looking for a financial windfall or a disgruntled ex-employee looking to hurt a company.
A malicious insider breach happened to the IT networking company Cisco Systems in 2018. A disgruntled former Cisco employee, Sudhish Kasaba Ramesh, was caught hacking into the company’s system and destroying several applications. The former worker’s actions caused the company to have millions of dollars in damages.
An insider that leaks information by mistake can also affect a company. An example of an accidental insider breach happened at Scotland’s national telehealth organization, 24 NHS. A member of the organization’s HR team unwittingly sent emails containing employee PHI to the wrong email address.
The emails contained delicate health information concerning 24 NHS employees on medical leave. The emails were supposed to go to executives within the company but instead were sent to everyone in the company — giving employees access to their colleagues’ sensitive medical history.
External data breach threats
An external data breach comes from a person or an organization not involved with the party being hacked. External threats can come from hackers acting alone, online organizations, and even other governments.
Here are a few of the main methods that cybercriminals might use to get personal information:
- Phishing happens when a criminal pretends to be someone they’re not to gain a target’s trust or scare them. If a criminal targets your company, they might pretend to be a law enforcement agency, a potential employer, or even a charity. At some point, they’ll ask for money, personal information, or authorization credentials.
- Malware is harmful software that attacks gaps in a network’s security programs. A hacker might infect a company’s network with a virus to damage files, ransomware that can hold data hostage, or spyware that can track employee keystrokes. It can take a long time for a company to realize that malware attacked its network.
- Brute force attacks occur when a hacker uses special software to guess network passwords. Hackers can be extremely adept at guessing passwords. Often, they can crack weak passwords in under a minute.
An example of an external data breach happened in 2017. A few members of the Chinese organization the People’s Liberation Army worked alongside China’s intelligence agencies to breach the American credit bureau Equifax. The breach exposed the PII of around 145 million people.
How to avoid a data breach
As more businesses store employee and consumer information on the cloud, it’s increasingly important to protect that information.
The good news is that you can do things to reduce the likelihood of being involved in a data breach and limit what happens if your information is ever exposed.
How to avoid personal data breaches
Below are a few tips that can help you limit your exposure to online data breaches.
- Get expert help. McAfee’s Total Protection Ultimate plan offers premium antivirus software, identity monitoring, a password manager, a secure VPN, and up to $1 million in identity theft insurance.
- Check your bank account, financial statements, and credit report as often as possible. Look for purchases you didn’t make or unexplained changes in your credit score. These could be signs that someone stole your information.
- Always be on the lookout for scams and threats to your data privacy. Watch out for messages that promise something for nothing. Don’t open emails from questionable sources. And verify messages from government organizations.
- Don’t overshare on social media. Hackers are on social media searching for potential passwords and other personal information.
- Use strong passwords online. Great passwords are long (at least 12 characters). They have uppercase letters, lowercase letters, numbers, and symbols, and they don’t have anything to do with your personal information. Make a different password for every account and change your passwords often. Finally, don’t share passwords!
- Make sure your devices are secure. Smartphones, laptops, smartwatches, and other online devices should be password-protected and have security software like McAfee Secure VPN. You should also consistently download the latest software updates for your devices.
How companies can avoid data breaches
In a business, cybersecurity is part of everyone’s job. Here are some tips for strengthening your company’s network against cyberattacks:
- Make sure your IT team regularly tests and audits the operating system for bugs and security issues. If they discover any problems or weaknesses, they need to be patched and updated immediately.
- Teach your employees how to prevent, recognize, and respond to security threats. Create educational material or have conferences to show your staff how to create strong passwords and discern scam emails from legitimate ones.
- Develop a detailed incident response plan for how your company will handle a security breach. Include things like who needs to know, what to do, and when to release a data breach notification to the public. Have a meeting to go over your contingency plan. Create a document of your plan and store it somewhere your employees can access.
Stay protected online with McAfee
The internet makes things like shopping, banking, and scheduling appointments extremely convenient, but there are always hungry cybercriminals looking to steal credit card numbers and gain access to sensitive data.
A security breach can be embarrassing for companies and upsetting for consumers. If you learn to protect your private information, identify the signs of a data breach, and take the right security measures when there’s a data leak, you’ll greatly reduce your vulnerability to cybercriminals.
McAfee’s Total Protection services can create a safer online experience for families and small businesses alike. Our security products are simple to install and include safe browsing and credit monitoring features. And if you ever have a security incident, we’ll help you with identity restoration and provide up to $1 million in identity coverage.
We take information security seriously so you can relax. See how McAfee can make data protection simpler.