Why do data breaches happen, and can you do anything to prevent them? Read on.
Data breaches have become common in today’s digital age, affecting businesses, individuals and even governments. In December 2022, Australian private health insurance company Medibank fell victim to a major data breach, with the personal and financial data of approximately 1.5 million of its customers leaked online. The hackers who claimed responsibility dumped the sensitive data on the dark web, including names, addresses, passport and visa information of international students, dates of birth and Medicare numbers. Despite the hackers’ demands for a ransom payment, Medibank refused to comply, and the data was released.
A data breach is a security incident in which unauthorized individuals or entities access, steal or use sensitive, confidential or protected information. It can be caused by a variety of factors, including human error, cyberattacks and system vulnerabilities. Such incidents can have significant consequences, from reputational damage to financial losses and legal liabilities.
Why do data breaches happen?
1. Human error: Despite advances in cybersecurity, human error remains a significant risk factor in data breaches. Many data breaches occur because employees accidentally or unknowingly expose sensitive information. Studies have found that over 80% of all data breaches have a human element, and many are the result of plain human error, in other words an accident.
For example, an employee might send an email containing confidential information to the wrong person or accidentally upload sensitive data to a public-facing website. Human error can entail setting weak passwords, leaving laptops or mobile devices unsecured and failing to apply necessary software patches or updates, all of which can increase the risk of a data breach. Even with cybersecurity training, mistakes can happen, and it only takes one slip-up to compromise an entire system.
2. Cyberattacks: Cyberattacks continue to be a major threat to businesses and individuals alike. Cybercriminals use a variety of tactics, such as phishing, malware and ransomware attacks, to gain unauthorized access to sensitive data. In a phishing attack, an attacker sends a fraudulent email that appears to be from a legitimate source, such as a bank or government agency, in an attempt to trick the recipient into disclosing sensitive information, such as login credentials or credit card numbers.
Malware attacks, on the other hand, involve the installation of malicious software on a victim’s computer or device, which can steal data or grant the attacker remote access to the system. Ransomware attacks encrypt a victim’s data and demand a ransom in exchange for the decryption key.
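The phishing description above turns on a few observable mismatches: a display name that borrows a trusted brand while the sending address does not, replies routed to a third domain, links whose host only resembles the real one, and pressure language. The following Python is an added example, not part of the original article, showing how a mail filter or analyst tooling can score those indicators. The trusted-domain list, brand words, urgency words and both sample messages are constructed for the demonstration.

```python
"""Heuristic phishing indicators over raw e-mail text (constructed samples).

Added illustration for the phishing paragraph; the domain list, brand words,
sample messages and thresholds below are assumptions made for this demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains the organisation knows to be legitimate for this brand.
TRUSTED_DOMAINS = {"examplebank.com"}
# Assumed: brand words whose use in a display name implies a trusted domain.
BRAND_WORDS = {"example bank", "examplebank"}
URGENCY_WORDS = ("urgent", "immediately", "locked", "suspended", "verify now")

# Constructed sample messages; not real mail.
SUSPICIOUS_MSG = """From: "Example Bank Security" <alerts@examp1ebank-login.com>
Reply-To: verify@mail-recovery.example
Subject: Urgent: confirm your account
Content-Type: text/plain

Your account will be locked. Confirm now: http://examp1ebank-login.com/verify
"""

BENIGN_MSG = """From: "Example Bank" <alerts@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/plain

Sign in at https://examplebank.com/statements to view it.
"""

URL_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)
DIGIT_SWAPS = str.maketrans("0135", "oles")  # digits commonly used to mimic letters


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable_label(host: str) -> str:
    """'examp1ebank-login.com' -> 'examp1ebank-login'. Simplification: takes the
    second-to-last dot-separated part, so multi-part TLDs (co.uk) are not handled."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(host: str) -> bool:
    """True when host mimics a trusted domain but is not one of them (or a subdomain)."""
    host = host.lower()
    if host in TRUSTED_DOMAINS or host.endswith(tuple("." + d for d in TRUSTED_DOMAINS)):
        return False
    # Undo digit-for-letter swaps, then split hyphenated decoys such as '-login'.
    tokens = registrable_label(host).translate(DIGIT_SWAPS).split("-")
    return any(registrable_label(d) in tokens for d in TRUSTED_DOMAINS)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the indicators that fired; an empty list means none did."""
    msg = message_from_string(raw_message)
    indicators = []
    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_domain = domain_of(from_header)
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # 1. Display name claims the brand, but the sending domain is not trusted.
    if any(w in display_name.lower() for w in BRAND_WORDS) and from_domain not in TRUSTED_DOMAINS:
        indicators.append(f"brand impersonation: '{display_name}' sent from {from_domain}")

    # 2. Replies are diverted to a domain other than the sender's.
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"reply-to mismatch: {reply_domain} != {from_domain}")

    # 3. Links whose host merely resembles a trusted domain.
    body = msg.get_payload()  # plain-text samples; multipart mail would need msg.walk()
    for host in URL_RE.findall(body):
        if is_lookalike(host):
            indicators.append(f"lookalike link host: {host}")

    # 4. Pressure language in the subject line.
    if any(w in msg.get("Subject", "").lower() for w in URGENCY_WORDS):
        indicators.append(f"urgency cue in subject: '{msg.get('Subject')}'")
    return indicators


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_MSG), ("benign", BENIGN_MSG)):
        print(label, phishing_indicators(sample) or "no indicators")
```

Running the block prints four indicators for the constructed suspicious message and none for the benign one. Each check is deliberately cheap and explainable, which is what makes it usable in a triage queue; a production filter would add authentication results (SPF, DKIM, DMARC) and a proper public-suffix list instead of the second-to-last-label shortcut.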
3. System vulnerabilities: Sometimes, it’s not humans that cause a data breach but the system itself. For instance, in the case of Akasa Air, an Indian airline, a technical glitch in the system released the personal data of thousands of customers.
When systems have unpatched security flaws or are not properly configured, they can become vulnerable to attacks. Attackers can exploit these weaknesses to gain access to sensitive data. In some cases, they can do so remotely without having physical access to the system.
How data breaches impact individuals and organizations
Data breaches can be a costly nightmare for individuals and organizations. For individuals, a data breach can lead to identity theft, financial loss and other harms. Data breaches can also affect governments, as they may lead to the loss of sensitive national security or intelligence information. For businesses, data breaches can have significant and far-reaching impacts in both the short and the long term. Some of the ways that data breaches can affect businesses include:
1. Financial losses: Financial losses resulting from data breaches can be significant for businesses, with the average cost of a data breach exceeding US$5 million as per an IBM report. The costs include expenses associated with investigating the breach, implementing additional security measures, and potential legal fees and settlements. There may also be indirect costs, such as damage to the company’s reputation and loss of customer trust, which can result in decreased sales and revenue.
2. Damage to reputation: One prominent example of a data breach that damaged a company’s reputation is the 2017 Equifax data breach. Equifax is a consumer credit reporting agency that collects and maintains sensitive financial information on millions of consumers. In September 2017, Equifax announced that it had suffered a massive data breach that exposed the personal and financial information of approximately 143 million consumers in the U.S., as well as data for a smaller number of consumers in Canada and the UK.
The fallout from the Equifax data breach was significant. The company faced numerous lawsuits, regulatory investigations and widespread public criticism. Consumers were outraged by the breach and the company’s response. Unsurprisingly, this also cost the company a lot of money. Equifax had to pay up to US$700 million in damages to consumers in addition to the costs it had to bear to rebuild its reputation.
3. Legal and regulatory consequences: Data breaches can have significant legal and regulatory consequences for businesses. Depending on the nature of the breach and the data that was exposed, businesses may be subject to fines, penalties or other legal actions for failing to protect sensitive customer data or for violating data protection laws, as was the case with Equifax.
4. Business disruption: A data breach can also cause significant disruption to business operations, particularly if the breach results in the loss of critical data or systems. The resulting downtime, lost productivity and delays in customer service delivery can ripple through the entire organization, impacting employee morale and even vendor relationships.
5. Loss of competitive advantage: In some cases, data breaches can result in the loss of a company’s competitive advantage and, in turn, a decline in market share and revenue. For example, if sensitive business information or trade secrets are exposed, competitors may gain insights into the company’s strategies and operations, giving them an advantage in the marketplace. This can be particularly damaging for companies that operate in industries where innovation and intellectual property are key drivers of success.
For example, in September 2022, Australian mobile service provider Optus experienced a breach that exposed the personal details of 9.8 million of its customers, including their names, email addresses, dates of birth, home addresses and driver’s license numbers. Its competitor, Telstra, gained an advantage as Optus customers sought alternatives after losing trust in the company.
How to prevent data breaches
Preventing data breaches is crucial for businesses of all sizes. A data breach can not only result in financial losses and legal consequences, but it can also damage a company’s reputation and competitive advantage. Here are some effective ways to prevent data breaches and protect your business:
One approach is a multi-layered defense that combines technical, administrative and physical controls. Technical controls include the use of encryption, firewalls, intrusion detection and prevention systems and antivirus software. Administrative controls include policies and procedures for data handling, access control and incident response. Physical controls include the use of locks, access control systems and surveillance cameras to protect physical assets and data centers.
Training employees on data security is also crucial. A security awareness training program can educate employees on the importance of data security, the risks of data breaches and how to identify and report potential security threats. It should also provide employees with clear guidelines on how to handle sensitive data, such as encrypting data, using strong passwords, and avoiding phishing scams.
Another effective way to prevent data breaches is to conduct regular security audits and vulnerability assessments. These assessments can identify potential security flaws and vulnerabilities that attackers could exploit. They can also help organizations prioritize their security investments and ensure that they are allocating resources effectively.
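Both the paragraph on unpatched flaws and misconfiguration under "System vulnerabilities" and the recommendation above to run regular vulnerability assessments come down to the same routine question: which systems are still running a version below the one that contains the fix? The following Python is an added example, not part of the original article, of that audit over a software inventory. The products, hosts, versions and advisory identifiers ("ADV-DEMO-…") are constructed placeholders, not real products or CVEs; the version-ordering rule (numeric components, pre-release suffix sorts before the release) is an assumption that matches common but not all versioning schemes.

```python
"""Minimal patch-level audit: compare a software inventory against advisories.

Added illustration for the points on unpatched flaws and regular vulnerability
assessments. Inventory, advisories and ids are constructed for this demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str      # first version that contains the fix
    advisory_id: str   # placeholder id for the demo, not a real CVE
    severity: str


# Constructed advisories for hypothetical products.
ADVISORIES = [
    Advisory("webfront", "2.4.10", "ADV-DEMO-001", "critical"),
    Advisory("dbgateway", "1.3.0", "ADV-DEMO-002", "high"),
    Advisory("mailrelay", "5.0.2", "ADV-DEMO-003", "medium"),
]

# Constructed inventory as a scanner might export it: (host, product, version).
INVENTORY = [
    ("app-01", "webfront", "2.4.9"),
    ("app-02", "webfront", "2.4.10"),
    ("db-01", "dbgateway", "1.10.0"),     # newer than 1.3.0; naive string compare says older
    ("db-02", "dbgateway", "1.2.7"),
    ("mx-01", "mailrelay", "5.0.2-rc1"),  # pre-release of the fixed version, still unfixed
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """'2.4.10' -> (2, 4, 10, 0); '5.0.2-rc1' -> (5, 0, 2, -1).

    Components compare numerically, missing components count as 0 so that
    '1.3' == '1.3.0', and any '-suffix' marks a pre-release that sorts before
    the plain release. Assumed scheme; adapt for date-based or epoch versions.
    """
    base, _, suffix = version.partition("-")
    nums = tuple(int(part) for part in base.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((-1,) if suffix else (0,))


def is_vulnerable(version: str, advisory: Advisory) -> bool:
    """True when the installed version predates the version carrying the fix."""
    return parse_version(version) < parse_version(advisory.fixed_in)


def audit(inventory, advisories) -> list[tuple]:
    """Return (host, product, version, advisory_id, severity) for every unpatched
    install, most severe first and then by host name."""
    findings = [
        (host, product, version, adv.advisory_id, adv.severity)
        for host, product, version in inventory
        for adv in advisories
        if adv.product == product and is_vulnerable(version, adv)
    ]
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f[4], 9), f[0]))
    return findings


def summary(findings) -> dict:
    """Count of findings per severity, handy for tracking remediation over time."""
    counts = {}
    for finding in findings:
        counts[finding[4]] = counts.get(finding[4], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY, ADVISORIES)
    for host, product, version, adv_id, severity in results:
        print(f"{severity:8} {host:7} {product}@{version} needs {adv_id}")
    print("summary:", summary(results))
```

The deliberately awkward versions in the inventory show why a proper comparison matters: comparing "1.10.0" and "1.3.0" as strings would mark the newer install as vulnerable, and a release candidate of the fixed version is still an unfixed build. Running the same audit on a schedule, and diffing the summary between runs, is the practical form of the "regular assessment" the paragraph recommends.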
In the event of a data breach, having an incident response plan in place is essential. This plan should outline the steps that should be taken in the event of a security incident, including notifying affected individuals, containing the breach and restoring systems and data. Ultimately, keeping customers in the dark will not bode well for you; it will just end up costing you more in terms of reputation, trust and actual financials.
It’s best to be transparent, honest and proactive with a resolve to do better in the future.