You hear about data breaches on the news and on our site all the time. It turns out that a company whose service you use (or who works with a company you use) has lost your information to hackers.
There was a data breach, and perhaps your identity and other sensitive information is now in the hands of, well, who knows? But what does this actually mean? What is a "data breach"?
Where Is My Data?
This is actually the most important question! When you give your information to your bank or upload your photos to Google, where is that data physically? The answer to this question can vary a lot. In almost all cases, you, as the customer, have no idea. Some companies store your information in state-of-the-art data centers with multiple backups and extreme security measures - these are the Googles, Microsofts, and Amazons of the world.
Alternatively, your data could be stored on a grimy old laptop that's been repurposed as a web server and lives in someone's closet, as may be the case with small niche websites or forums run by amateur web admins.
There is, of course, an infinite range of options between these two extreme points. Regardless of where the data is stored, a data breach happens when someone gets access to these servers that host our data, and then they download, copy, or otherwise take that information for themselves.
Most of the time, our data custodians don't even know that their system has been breached until months or even years later. It may be yet more months or years before they admit it - if ever!
How Do Breaches Happen?
There's no one way that data breaches happen. As with all hacking, breaches happen because of technological weaknesses, human weaknesses, or a combination of the two.
There are also different kinds of breaches, and it's not possible to cover every possibility, but we can talk about the most common ones.
Insiders are people within the organization who get access to data that's meant to be private. Some people get this info accidentally, just by their proximity to people who are authorized to see and handle the data. Then there are malicious insiders who have infiltrated the company or were turned after joining legitimately. They might even be people who are paid to protect that information.
Physical theft or loss can happen when hard drives, laptops, physical servers, and other data-containing devices are lost or stolen.
Hackers are probably the most famous source of data breaches. Black hat hackers are the malicious actors who look for weaknesses in the security of whoever keeps the data. They'll break into networks, steal server passwords, trick employees into giving up information, and pull every other trick in the hacker playbook.
Why Do They Happen?
Accidental, non-malicious breaches happen most often due to bad luck or human error. Of course, it's also because of incompetence! The good news is that those sorts of breaches don't necessarily lead to data loss - though, of course, they can. The point is that there's no particular motivation behind them and, hopefully, they teach a few lessons to prevent them from happening in the future.
With malicious breaches, things are very different. The most obvious motivation is money! Data is worth a lot by itself. When hackers steal data in a breach, they probably are not going to use it directly. Instead, the data is sold on the dark web to others who will try their luck making a buck from it. Credit card numbers, for example, are sold by the thousands with the understanding that most either will not work or will be canceled.
Which brings up another issue. Data breaches, even those that are detected, can happen a long time before the data itself surfaces. In fact, sometimes, we only know that a breach has happened when the data surfaces for sale on the dark web.
That means many breaches might happen that we will never know of because the thieves are using the data for something other than direct sale or financial gain. State cyberwarfare or industrial espionage are two examples of this.
What Can We Do?
Since data breaches happen "out there" and are not under your direct control, you might think that there's not much you can do to either prevent or mitigate them. However, there's actually quite a bit you can do if you prepare properly:
- Never use the same password across multiple services: a breach of one means a breach of all.
- Compartmentalize your services and use different emails for different risk levels.
- Don't create accounts and store your information on sites that are run by amateurs.
- Change your passwords the minute you become aware of a breach.
- Use a password manager and use strong generated passwords that are very hard to crack using brute force.
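The points above about password reuse, changing passwords after a breach, and generated passwords, as an added example that is not part of the original article: a Python sketch that finds reused passwords in a small vault, estimates how large the brute-force search space is, and replaces every copy of a leaked password with a random one. The vault contents, service names and function names are constructed for illustration.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault (service -> password); none of these are real credentials.
SAMPLE_VAULT = {
    "bank.example": "Tr0ub4dor&3",
    "forum.example": "sunshine1",
    "mail.example": "sunshine1",
    "shop.example": "q7#Lm2!vXz9@Kp4$Rt8w",
}
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def find_reuse(vault):
    """Return groups of services that share one password."""
    groups = defaultdict(list)
    for service, password in vault.items():
        groups[password].append(service)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def brute_force_bits(password):
    """Rough upper bound on brute-force search space, in bits, from the
    character classes present. Human-chosen passwords fall well below it."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0

def generate_password(length=20):
    """Uniformly random password from the OS CSPRNG: length * log2(94) bits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_after_breach(vault, breached_service):
    """Replace the leaked password everywhere it was used, one new password each."""
    leaked = vault[breached_service]
    return {service: generate_password() if password == leaked else password
            for service, password in vault.items()}

if __name__ == "__main__":
    print("reused:", find_reuse(SAMPLE_VAULT))
    for service, password in SAMPLE_VAULT.items():
        print(f"{service}: ~{brute_force_bits(password):.0f} bits")
    print("reused after rotation:",
          find_reuse(rotate_after_breach(SAMPLE_VAULT, "forum.example")))
```

In the sample, a breach of the forum account also exposes the mail account because both share one password, which is why the rotation step changes both.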
Other than these basic steps, all we can really do is hold negligent companies responsible legally. We have to accept that data breaches are a fact of life and deal with them as they happen. There is no such thing as perfect security, and for high-value information, someone will always be motivated to steal it.