What is a Data Breach?

A data breach is any incident in which someone gains unauthorized access to sensitive or protected information. This includes both information leaking outside of an organization and internal breaches where employees, contractors, or partners copy, view, transmit, or steal data that they should not have access to.

Data breaches can affect both individuals and organizations. Breaches of corporate data can be intentional or the result of inadvertent actions by an authorized user of the data.

How Data Breaches Happen

Data breaches can occur in a variety of ways. One of the major differentiators is whether the threat originated inside or outside the organization.

Internal Threats

The popular conception of data breaches and other security incidents is that they are performed intentionally by cybercriminals operating from outside the organization. However, insiders can be just as dangerous to an organization and its data.

Trusted insiders have legitimate access to an organization’s network, systems, and potentially the sensitive data in question. This makes it easier for them to gain access to the protected data and take actions that – intentionally or otherwise – cause it to be exposed to unauthorized users.

For example, a common source of data breaches is misconfigured cloud infrastructure. If an insider copies corporate data to a personal cloud account or relaxes cloud security settings for convenience, unauthorized parties may be able to access and use the data in question.

External Threats

Data breaches can also originate from outside the organization, and these are the breaches that typically make the news. Data breaches involving large amounts of sensitive information are of wider interest than an email forwarded to the wrong person.

External data breaches follow similar attack progressions to other cyberattacks. These attack chains – as outlined in Lockheed Martin’s Cyber Kill Chain or the MITRE ATT&CK framework – involve a series of steps that move the attacker from initial reconnaissance to accessing and exfiltrating the target data.

Once an attacker has access to sensitive or protected data, they can use it in various ways. Often, data is offered for sale on the dark web, and some types of data can be used to gain access to user accounts or for fraudulent activities.

Types of Data Breaches

Data breaches come in many different forms. Some of the more common types of data breaches include the following:

Employee Error: Employee error is a common cause of data breaches. Employees can cause a data breach directly (by exposing data via email, cloud infrastructure, etc.) or can make a breach easier to perform (by using weak credentials, misconfiguring security settings, etc.).

Lost/Stolen Devices: Lost or stolen devices can cause data breaches if the data is not encrypted at rest. Examples include computers, mobile devices, removable media, etc.

Malware: Some types of malware are designed specifically to steal sensitive information. This includes banking trojans, credential stealers, and other malware such as remote access trojans (RATs) that give the attacker the access needed to steal data.

Phishing: Phishing emails are commonly designed for data theft. Phishing attacks could be intended to steal user credentials, request sensitive information from employees, etc.

Ransomware: Ransomware groups have expanded beyond simply denying access to sensitive or valuable content, adding further forms of extortion to force targets to pay a ransom. This includes stealing data from a target and threatening to leak it if the ransom is not paid.

Skimming: Skimmers are designed to collect payment card data at a point of sale (POS) device or website. Skimmers can be physical devices or malicious code built into a site.

Web Application Attacks: Exploitation of web application vulnerabilities is another common cause of data breaches. SQL injection and cross-site scripting (XSS) are two examples of web application attacks that can leak sensitive data.
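To make the SQL injection point concrete, here is an added example (not code from the original article) showing a lookup that concatenates untrusted input into the query beside the parameterized form that a defender should use; the customer table and its rows are constructed sample data, and the lookup functions are hypothetical names.

```python
import sqlite3


def build_db():
    # Constructed sample table standing in for an application's customer records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "4242"),
            (2, "bob@example.com", "1111"),
            (3, "carol@example.com", "9999"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Defect: untrusted input becomes part of the SQL text, so the database
    # interprets quotes and keywords inside it as syntax. A single malformed
    # email value can turn a one-row lookup into a dump of the whole table.
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Mitigation: the value is bound as a parameter. Whatever it contains is
    # compared as data against the email column and never parsed as SQL.
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # The textbook test input: a quote that closes the literal plus an always-true clause.
    probe = "x' OR '1'='1"
    print("vulnerable    :", lookup_vulnerable(conn, probe))      # all three rows leak
    print("parameterized :", lookup_parameterized(conn, probe))  # no rows
```

Running the vulnerable lookup with that input returns every customer record, which is exactly the kind of bulk exposure the text describes; the parameterized version returns nothing because no email literally equals the probe string.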