What Is a Data Breach?
A data breach is an incident that exposes confidential or protected information. A data breach might involve the loss or theft of your Social Security number, bank account or credit card numbers, personal health information, passwords or email.
A data breach can be intentional or accidental. A cybercriminal may hack the database of a company where you’ve shared your personal information. Or an employee at that company may accidentally expose your information on the Internet. Either way, criminals may access your key personal details and profit from them at your expense.
Retailers, hospitals, corporations, government offices and colleges have all been targets of data breaches. But how does it happen?
In this article, you’ll learn about:
- Recent data breaches.
- How data breaches happen.
- What you can do to help stay safe.
Examples from a record year of data breaches
In 2016, Yahoo disclosed two data breaches that show how a mountain of personal information can land in the hands of thieves. Combined, the breaches at the online portal affected 1.5 billion user accounts. That number is more than 4-1/2 times the U.S. population. Here’s how the two breaches broke down:
- Disclosed in December: 1 billion-plus user accounts, stolen in August 2013.
- Disclosed in September: 500 million user accounts, stolen in late 2014.
The Identity Theft Resource Center ranked 2016 as a record year for data breaches. The San Diego-based nonprofit recorded 1,093 U.S. incidents, a 40 percent increase over the previous year. Here’s a quick look at those breaches by industry sector:
- Business: 494 incidents (45.2%)
- Healthcare/medical: 377 (34.5%)
- Education: 98 (9%)
- Government/military: 72 (6.6%)
- Banking/credit/financial: 52 (4.8%)
The pace of data breaches remains brisk, with high-profile incidents reported in 2017. For instance, data firm Deep Root Analytics exposed personal information on nearly 200 million U.S. voters in June. The files included voting history and political leanings.
How does a data breach happen?
It might feel like cybercriminals keep coming up with new ways to steal data. But do they? The 2017 Verizon Data Breach Investigations Report identifies nine “patterns” that criminals use. They mostly remain consistent year after year and accounted for 88 percent of breaches. How does it happen? Based on the report, here’s how.
- Insider and privilege misuse: Company insiders know the value of information and sometimes they steal it. Maybe they sell it or use it to start a new company. The theft of organizational resources accounts for 60% of data breaches.
- Physical theft and loss: A laptop left in a hotel lobby can lead to a breach. More often, breaches involve paper documents. The loss of physical assets can be deliberate or accidental.
- Denial of service: These attacks target networks and systems. Distributed denial of service attacks often target large organizations. The cyberattacks flood and overload systems, disrupting service.
- Crimeware: This includes various types of malware—short for malicious software. For instance, ransomware attacks hold computer files hostage. Attackers seek payment to unlock them.
- Web application attacks: When you sign up for a web application, you often share personal details. Attackers steal data such as names, addresses and other information and use them elsewhere.
- Payment card skimmers: Criminals can place a skimming device on a credit card reader to steal personal and financial information. Two popular targets: ATMs and gas pump terminals.
- Cyber-espionage: This is a malicious email linked to state-affiliated actors. The goal is to pierce a system and steal information over time.
- Point-of-sale intrusions: Remote attacks target point-of-sale terminals and controllers. Restaurants and small businesses have seen increased assaults.
- Miscellaneous errors: Accidents compromise data. This includes the inadvertent release or loss of anything containing sensitive data.
- Everything else: This “pattern” has variety. Lately, it includes compromised email accounts, where a company “CEO” might order a wire transfer for a believable reason. When someone in company finance, say, follows the bogus directive and wires money to a criminal’s account, it can have unbelievable results.
Data breaches: What can you do?
It’s always smart to try to keep your data safe. Even so, you probably have provided personal information to a lot of places. That might include your bank, employer, doctor’s office, and favorite restaurant. They all have a responsibility to keep your personal information secure, but that doesn’t always happen. Things go wrong.
You can take steps to strengthen your personal defenses against data breaches. Here’s a partial checklist:
- Shred documents.
- Use secure websites.
- Give your Social Security number only when absolutely required.
- Create strong, secure passwords using uppercase and lowercase letters, non-sequential numbers, and special characters symbols. You can even find unusual approaches for boosting password strength.
- Use different passwords on different accounts. It will help minimize the damage if one of your accounts is compromised.
- Make sure your computers and mobile devices are running the latest versions of operating systems and applications.
Also, remember to take steps to minimize the impact of a potential breach.
- Frequently monitor online and monthly financial account statements to make sure transactions are accurate.
- Regularly check your credit reports to confirm that thieves haven't opened credit card accounts or loans in your name.
The takeaway: It’s important to make moves to help protect your personal information. It’s also important to realize what happens when you share personal information: You have little control in the event of a data breach.
Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.