What is a Data Breach?
A data breach is an unauthorized intrusion into the confidential or personal information of an individual, business, or government entity. The data can be stored on a server, in a database, or in a physical location such as a flash drive or even a paper file.
- Data breaches involve unauthorized access to sensitive personal and financial information, often leading to financial exploitation or identity theft.
- Common methods of data breaches include phishing, malware attacks, network vulnerabilities, insider leaks, and the use of skimming devices.
- Data breach victims may receive notification years after the event, necessitating ongoing vigilance and monitoring of personal information.
- Victims of data breaches can take legal action, including filing personal injury lawsuits or joining class-action suits, to seek redress for the unauthorized exposure of their information.
In most cases, information thieves are cybercriminals hoping to gain financially by selling the information or using it to access financial accounts. Some perpetrators are disgruntled employees or political activists hoping to destroy organizations or draw attention to their causes. Data breaches typically expose such private information as the following:
- Full names
- Street addresses
- Email addresses
- Telephone numbers
- Social Security numbers
- Driver’s license numbers
- Bank account numbers
- Credit card numbers
- Medical information
- Trade secrets
- Intellectual property
A single data breach might expose the sensitive information of millions of people.
How Do Data Breaches Happen?
Although state and federal laws strictly regulate how private information must be stored and accessed, bad actors continually find new ways to penetrate physical, digital, and legal barriers. This results in various types of data breaches.
Social Engineering
Social engineering occurs when scammers manipulate people into disclosing sensitive information through deception. It can happen online or in person.
Phishing Scams
Phishing is one of the most common online methods of social engineering. In a phishing scam, someone posing as a legitimate business or person you know sends you an email. The scammer tries to persuade you to enter sensitive information or open an attachment that will install spyware on your computer. In corporate settings, it may appear to come from a company executive, IT professional, or other known person. A personal phishing email may appear to come from your bank or a retailer. Such scams can also happen through phone calls.
Baiting and Pretexting Scams
Baiting involves promising a product or service in exchange for your personal information. These scams can happen through emails, phone calls, or in person. Pretexting is similar to baiting, except the scammer poses as an authority figure, claiming you must provide personal information to verify your identity. Scammers often pose as law enforcement officers, government officials, or even IRS representatives.
Malware Attacks
Some scammers use social engineering to install malware on your computer. The malware can then scan your system, monitor your keystrokes, and send your personal information to the hacker. Malware might be installed on your computer when you open an email attachment that contains it. Another common tactic scammers use is to claim your device is infected so you will download software purported to fix it. However, instead of fixing your device, the download installs malware.
Network Vulnerabilities
Hackers look for vulnerabilities in computer networks and software to provide entry points. They use these points to install malware, which gives them access to your computer or allows them to monitor your keystrokes without your knowledge. They can sell your information, destroy it, or install ransomware—software that locks you out of your system. In ransomware attacks, perpetrators demand money in exchange for restoring your access to your system.
These attacks can occur on personal devices and large commercial and government networks. While large businesses and governments are frequent targets, small and medium businesses have higher risks because they may have less secure networks and be less aware of how cybercriminals work.
SQL injections are one of the most common intrusions against commercial entities. They can expose the sensitive information of millions of consumers in a single attack. SQL injections are possible because retailers store customer names, addresses, and credit card information online to automate the customer checkout process.
An SQL injection occurs when a hacker inserts code that manipulates a company’s normal search features so that a product search performed by the hacker returns consumers’ private and financial information.
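The product-search scenario described above, shown as an added example (not code from any company named on this page) with the weak query beside its parameterized form. The table names, sample rows, and crafted search term are all constructed for illustration and run against an in-memory SQLite database.

```python
import sqlite3

def make_shop_db():
    """Constructed in-memory store: a public catalogue and a private customer table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, price TEXT);
        CREATE TABLE customers (full_name TEXT, card_number TEXT);
        INSERT INTO products VALUES ('garden hose', '19.99'), ('hose reel', '34.50');
        INSERT INTO customers VALUES ('Test Customer', '4111-1111-1111-1111');
    """)
    return db

def search_vulnerable(db, term):
    # Weak form: the search term is pasted into the SQL text, so the
    # database cannot tell the shopper's input apart from the query itself.
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # Hardened form: the query text is fixed and the term is bound as data.
    sql = "SELECT name, price FROM products WHERE name LIKE '%' || ? || '%'"
    return db.execute(sql, (term,)).fetchall()

def leaks_customer_data(rows, db):
    """Defender's check: does any search result contain a stored card number?"""
    cards = {c for (c,) in db.execute("SELECT card_number FROM customers")}
    return any(col in cards for row in rows for col in row)

# Constructed test input: closes the quote and appends a second query.
CRAFTED_TERM = "zzz' UNION SELECT full_name, card_number FROM customers --"

if __name__ == "__main__":
    db = make_shop_db()
    for search in (search_vulnerable, search_parameterized):
        rows = search(db, CRAFTED_TERM)
        status = "LEAK" if leaks_customer_data(rows, db) else "ok"
        print(search.__name__, rows, status)
```

A check like `leaks_customer_data` can be kept as a regression test so that a later change to the search code cannot quietly reintroduce string-built queries.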
Insider Leaks
Insider leaks occur when trusted individuals with access to confidential information intentionally or unintentionally expose the information to unauthorized sources. Insiders can be employees, donors, business partners, vendors, or organizations. Insider leaks can occur through a variety of mechanisms, such as the following:
- Exiting employees take their work product outside the organization for career purposes.
- Angry employees use their access to expose private or proprietary information.
- Trusted individuals use their access to collect and sell private information.
- Negligent employees bypass security protocols to save time or fail to lock secure areas.
- Employees lose their laptops or other mobile devices.
Skimming Devices
Skimmers are devices hackers illegally install on machines where consumers make financial transactions, such as ATMs, fuel pumps, and point-of-sale terminals. The devices record data such as consumer PINs and credit card information, then send it to electronic databases controlled by the hackers. According to the FBI, skimming devices can take the following forms:
- Hidden cameras
- Keyboard overlays on ATMs that record keystrokes to capture PINs
- Card skimmers placed over card readers to capture card information
- Devices placed on the internal wiring of machines, such as gasoline pumps
Stolen or Lost Devices
Most people do not hesitate to store private information on their mobile phones, laptops, and tablets. Such devices are also essential tools in health care, government, and commerce. They can be a goldmine of financial, medical, personal, and even classified information. When these devices are lost or stolen, hackers can easily bypass passwords to access the data.
Notable Data Breaches
Unless you go off the grid, you cannot live in today’s world without your personal information being stored on digital databases. Every time you use social media, make a purchase, or open a new account, your private data gets entered into a database. Cybercriminals continuously look for weaknesses they can exploit. Thus, every enterprise is responsible for protecting your data. Businesses and organizations that fail to take security seriously get breached. It even happens to the world’s largest companies, and these data breaches transcend different industries.
The 2013 Yahoo Data Breach
In 2013, digital thieves stole sensitive data from all three billion Yahoo users. The stolen information included names, phone numbers, email addresses, hashed passwords, security questions, and answers to security questions. Yahoo was slow to respond and did not notify users until December 2016.
The second-largest data breach in history also involved Yahoo users. It occurred a year later when Russian operatives used a phishing email to access Yahoo’s user database and account management tool. Approximately 500,000 user accounts were exposed.
The 2017 Equifax Data Breach
In September 2017, hackers backed by the Chinese military exploited a vulnerability in Equifax’s dispute resolution website and installed malware to access its network and back-end databases. The breach compromised the names, addresses, birth dates, Social Security numbers, and other sensitive data of 145 million Americans.
SolarWinds 2020 Breach
SolarWinds, a software company based in Austin, Texas, provides system updates, support, and security software to Fortune 500 companies and government agencies. In 2020, Russian hackers exploited a vulnerability in the company’s update software known as Orion and installed malicious code.
The code was passed through the Orion system to high-profile clients, giving hackers access to the networks of the White House, the United States Treasury, the Pentagon, and other federal agencies. The attack may have affected as many as 18,000 SolarWinds customers, including many large companies. This type of attack is known as a supply chain attack because it used a third-party vendor—SolarWinds—to reach its real targets.
Colonial Pipeline 2021
The Colonial Pipeline carries gasoline and fuel products 5,500 miles from Texas to New York. It is responsible for 45 percent of the East Coast’s fuel supplies. A leaked password sold on the dark web allowed a cybercriminal to access the pipeline’s network and launch a ransomware attack that prompted the company to shut down the pipeline. Colonial Pipeline paid the $4.4 million ransom, contributing to a sharp increase in gas prices—they reached $3 per gallon for the first time in years.
How to Know If You Were Involved in a Data Breach
Every state has notification requirements for data breaches, but these laws vary. In some cases, you might not be notified. In other cases, you might receive a notification years later, such as with the 2013 Yahoo data breach. If you do receive a notification, it will generally be in writing via email or the U.S. mail system.
Several identity theft protection services also monitor the dark web and other locations where personal data is illegally bought and sold. They send notifications when breaches are detected, often sooner than you would receive a notification from the hacked company. Examples of such services include the following:
You can also search your email address online to see if your information was breached. The website Have I Been Pwned is a popular and reputable resource for such searches.
Red Flags that Someone May Have Stolen Your Data
The following warning signs indicate that your data may have been stolen:
- You lose access to your accounts.
- You have unauthorized transactions in your checking or credit card accounts.
- You receive alerts from your bank or a credit card company about unusual activities.
- Your debit or credit card is unexpectedly declined due to suspected fraud.
- Your credit report shows a new account or inquiry you don’t recognize.
- Your computer, phone, or other device has been infected with malware.
- Friends and family are receiving messages you did not send.
- You receive phone calls or letters from bill collectors for accounts you don’t recognize.
What Should I Do in the Event of a Data Breach?
If your personal or customer information was compromised in a data breach, you must act immediately to prevent unauthorized individuals from transacting business in your name or causing other harm.
What To Do If You Are a Business
If you have learned that information thieves have gained unauthorized access to your customers’ private information, you must act quickly for their protection and yours. The Federal Trade Commission provides the following guidance for businesses:
- Work with data breach experts and your internal teams to investigate how it happened.
- Secure physical areas and address network or software vulnerabilities to prevent additional breaches.
- Report the breach to law enforcement.
- Consult with an attorney to determine the notification requirements in your state.
- Notify other businesses who may also have been victims of the data breach.
- Contact the credit bureaus if Social Security numbers were stolen.
- Notify individuals in writing according to the laws of your state.
Phishing is a common cause of data breaches in business settings. Implement employee training to prevent additional breaches if phishing is determined to be the cause of your company’s data breach.
What To Do If You Are an Individual
Experian recommends that you take the following steps after receiving a notification that your personal information has been compromised:
- Update all your passwords with a unique password for each account.
- Establish two-factor authentication on all your accounts. This adds an extra step that requires you to verify that it is you, such as entering a text code.
- Add a fraud alert to your credit files at any of the three major credit bureaus—Experian, TransUnion, or Equifax. The alert will automatically be added to the other two.
- Sign up for credit monitoring through the credit bureaus or a paid service.
- Consider freezing your credit, which blocks all credit inquiries unless you unfreeze the accounts. You can do this separately through each of the three major credit bureaus.
How Can Data Breaches Be Prevented?
Data thieves constantly look for new ways to penetrate security software and access private data. Every business must take information security very seriously and take proactive steps to keep confidential information out of the hands of unauthorized users. Data breaches can almost always be prevented through the following steps:
- Keep your security software and all computers on your network up-to-date.
- Encrypt sensitive data.
- Train employees to report phishing and baiting emails.
- Require employees to use strong passwords with multi-factor authentication.
- Train employees to lock or close their computers when they walk away.
- Enforce a clean desk policy.
- Perform background checks on all employees.
Data Breach Laws
The Cyber Incident Reporting for Critical Infrastructure Act requires the Cybersecurity and Infrastructure Security Agency, or CISA, to regulate reporting requirements for data breaches. These regulations require businesses to report data breaches to specific government agencies to protect national security, critical manufacturing, and other industries. All 50 states require businesses to notify individuals whose information is exposed in data breaches.
Data Breach Lawsuit
When a business fails to protect your information and cybercriminals get access to your data, you may have grounds to file a personal injury lawsuit. Unlike other personal injury claims, the imminent risk of harm may qualify as an injury, giving you standing to file a claim even if your stolen identity has not yet been used.
If you were part of a large data breach, you may be eligible to join a class action lawsuit. You can even be a class member without filing the claim yourself. In this case, you will receive a written notification via mail or email. The notification will inform you what action you should take, if any. Often, no action is necessary.
If you were the victim of a data breach or you suspect you were, our data breach attorneys can determine whether your personal information has been exposed and advise you of your rights. Contact us today to get started.