It’s pretty common nowadays to hear about a new data breach. There are plenty of different forms a data breach can take, though. There are even breaches that don’t result in data breaches at all. The core of a data breach is that some data intended to remain private is made public.
How Does a Data Breach Happen?
There are plenty of different ways that data breaches can happen. The standard assumption is that an attacker somehow gained access to a private system and downloaded the data. Entry would typically be acquired by the hacker exploiting some vulnerability. Some of these exploits are entirely new “zero-day” exploits, which the victim has very little chance of preventing. Many data breaches, however, are the result of previously known vulnerabilities being exploited in systems that haven’t been updated.
Tip: A “zero-day” is an exploit actively used in the wild that had previously been unknown. Typically, a patch for a zero-day is not immediately available and must be developed before being distributed and installed on affected systems. In some cases, a mitigation may be available, for example disabling the vulnerable component. Still, server operators may need to weigh going offline against being unable to defend against a known attack.
Because the vulnerability is not known before it’s actively exploited, zero-days are hard to defend against. Defense in depth is typically the best plan: having many layers of defense, so that it’s unlikely that any single issue results in an actual data breach.
Phishing is another common cause of data breaches. Attackers try to trick legitimate users into disclosing their credentials to gain access to the system with their victim’s permission. Accounts and users with administrative permissions are often targeted as they tend to have more widespread access to more sensitive data.
Insider Threats and Incompetence
Insider threats are an underappreciated risk. A disgruntled employee can use their legitimate access to cause great damage. This attack leverages the fact that the user knows the system and has legitimate access to it, making them difficult to detect and prevent.
Incompetence can also be a cause of data breaches. There are several examples of data breaches resulting from a company making a backup database public without realizing it. In this case, the term breach is hard to justify, as the company itself leaked the data, not a hacker. It’s worth noting that legally, gaining unauthorized access to a computer system is a crime.
This can even apply if the data was made public accidentally by allowing open access to a system. You likely couldn’t be convicted for simply accessing a public site. You probably would be sentenced, though, if you downloaded that data and tried to sell it on a dark-web forum.
What Type of Data Gets Breached?
The type of data that gets breached depends on the data the breached organization holds and the attackers’ motivation. It also depends on your definition of what counts as breached. Some hackers are after data that they can sell. They try to access user data, especially usernames and password hashes, as well as other PII and payment details. This sort of attack typically has the most significant impact on people, as their data and privacy are affected.
Some hackers have a cause and often target data that details misdeeds, perceived or otherwise. Others are aimed at stealing proprietary or secret data. This tends to be the realm of nation-states and corporate espionage. Most breaches affect as much data as can be accessed on the theory that it will have value to someone or can be released as evidence of legitimacy.
Other breaches may never result in actual data breaches at all. A hacker may gain access to a system and be identified and stopped before they can do any real damage. This would be similar to catching a thief in the real world while they’re in the process of breaking in. Technically there was a security breach, but no data was lost or exfiltrated.
The Legal Situation
In most places, the laws that cover computer crime list “unauthorized access or use” of a computer system as a crime. Accessing a computer without permission is technically a crime. It also means that accessing a system you’re not supposed to, even if you have permission to access other systems, is a crime. This means that any breach involves some criminal activity.
Even in cases where the breach is considered to be in the public interest, the leaker can face criminal liability. This complicates some whistle-blower cases. Often, whistle-blowers are legally protected, as it’s in the public interest for injustices to be brought to light. But in some cases, gathering the evidence necessitates accessing things without permission, and it also involves sharing data without permission. This can lead to whistle-blowers trying to remain anonymous or requesting amnesty before revealing their identity.
Additionally, determining what is in the public interest is notoriously fraught. Many hacktivists would deem their actions in the public interest. Most individuals whose data is released as part of that action would disagree.
Conclusion
A breach typically refers to a data breach in which some data that was intended to be private is made public. However, the term “breach” may also refer to a security breach in which an incident occurred but no data was stolen. The data targeted often has value to the hackers. This could be personal data that can be sold, corporate or national secrets, or evidence of perceived wrongdoing. Attackers in a data breach typically take as much data as possible, assuming that all data has some value.