In July 2019, the security hotline for Capital One received an anonymous call. According to the tipster, some of the bank’s most sensitive data had been leaked on the web – and they were right.
Within a few days, the FBI was able to trace the breach back to a malicious insider: a software engineer in Seattle, who worked for a Capital One partner. Thanks to a misconfigured firewall, the hacker was able to penetrate Capital One’s database and compromise the personal data of about 100 million Americans, as well as 6 million Canadians.
Among the sensitive information stolen were 140,000 Social Security numbers and 80,000 bank account numbers, as well as an undisclosed number of customer names, addresses, balances, and even credit scores.
According to the investigation, the breach had occurred four months earlier, and was only discovered after the hacker boasted about her exploits on social networks like Meetup and Twitter.
In the end, Capital One paid out $80 million in fines, as well as suffering further damage from a class-action lawsuit, remediation costs, negative media headlines and a sharp decline in trust from customers, investors and the public.
Data breaches: definition
The Capital One incident is a prime example of a data breach. This is any instance where secure or sensitive information is exposed, whether intentionally or not. It can also be called a data leak, or in typical corporate notices or apologies, an “unintended disclosure of information”.
The exposed data can range from personally identifiable information (PII), to corporate secrets and intellectual property, all the way to matters of national security.
Depending on the nature of the data involved, the organization that has been breached can face compliance violations, regulatory fines, and lawsuits from affected parties.
What causes a data breach?
Breaches can be accidental (data loss) or malicious (data theft). Below are some common causes, with real-life examples.
Examples of data loss
- Loss of physical property that contains sensitive information, such as laptops, smartphones or data storage devices: In 2018, Heathrow Airport was fined £120,000 by the UK’s data protection body, after a USB stick containing private data was found by a member of the public.
- Using shadow IT solutions (cloud applications and devices that are not permitted by the enterprise) to store and share data. Employees often use their own devices and third-party tools, like Slack and Dropbox, to get their jobs done. However, if these are unauthorized, employees are effectively leaking data outside of the enterprise. If it gets into the wrong hands, or is not secured correctly, this could lead to an exposure and hefty fine.
- Unsecured cloud applications are often used by employees and contractors to store sensitive information. However, if these applications aren’t configured correctly, they leave data exposed online, ready for exploitation. For example, Facebook suffered a huge breach when a third-party partner accidentally exposed more than 540 million user records on an improperly secured AWS server.
Examples of data theft
- In rare circumstances, employees may intentionally abuse their access privileges to steal data from their company – possibly out of disgruntlement, or to take with them to a competitor in a new role. In the case of SunTrust, a malicious insider stole over 1.5 million clients’ personal details with the help of a hacker.
- Unpatched software or missed security updates leave apps open to attack. The most prominent example of this is the WannaCry ransomware attack, which took advantage of a vulnerability in the Microsoft Windows OS.
- Employee-targeted attacks such as phishing or social engineering lure users into sharing sensitive information or encourage them to click malicious links that allow hackers to take over their devices. In 2014, JPMorgan announced that the contact details of 76 million households and seven million businesses were stolen by hackers due to a successful targeted phishing scam.
- Advanced persistent threats (APT) are complex attacks initiated by hacking groups – often in a bid to steal national information. Deep Panda, for example, was an APT attack against the US Government’s Office of Personnel Management. Over 4 million sensitive records were compromised.
What are the consequences of a data breach?
While a data breach can happen in a number of different ways, the impact is usually the same:
Regulatory and compliance fines – Organizations face violations, especially in industries governed by strict data-protection regimes such as HIPAA and PCI DSS.
For example, the massive Equifax breach in 2017 was a violation of the Payment Card Industry Data Security Standard (PCI DSS). As a result, Equifax received a huge fine of $575 million.
But it’s not just national regulations that organizations need to think about – it’s state ones too. As of 2018, all 50 states have data breach notification laws in place. These enforcements show just how seriously cybersecurity is being taken at a government level.
Litigation and settlement – Apart from regulatory fines, the organization at fault must also compensate all parties affected by the data theft. In general, large-scale data breaches often lead to class-action lawsuits due to the sheer number of victims involved.
In the Yahoo! data breach incidents spanning 2012-2016, for example, the company had to establish a $117.5 million settlement fund, with individual pay-outs ranging from $358 to $25,000.
These costs are dangerous for smaller companies, which may not have that amount of money to begin with. In the case of the AMCA breach, the company had to file for bankruptcy just months after disclosing the incident.
Business losses – Bad publicity and negative brand equity can damage companies for years to come, undermining new business opportunities and discouraging prospects and customers.
Data breaches: by the numbers
- 3 billion: The number of records affected in the largest ever data breach, which was suffered by Yahoo between 2012-2016. The Internet giant previously announced that 500 million users were affected, before revising the figure to include all 3 billion of its users in October 2017.
- $575 million: The biggest fine and settlement stemming from a data breach to date, paid out by Equifax for the 2017 breach that compromised over 148 million records.
- $3.86 million: The average cost of a data breach worldwide, according to an IBM study. The US has the most expensive average cost at $8.64 million.
- 280 days: The average time it takes to contain a data breach. In some cases, such as Marriott, the breach can go undetected for years.
- $7.13 million: The average cost of a data breach in the healthcare industry.
The 5 biggest data breaches to date
As the above shows, data breaches do not discriminate by industry. But what’s even more terrifying about these intrusions is that they can happen for years without being detected, meaning victims are only notified when it is too late.
For Marriott, the data theft was discovered four years later, after a change in company ownership. The repercussions of late detection include heftier fines and more compensation for impacted parties.
Data breaches in the post-Covid era
Data breaches aren’t anything new, but they are becoming more and more common. For malicious attackers, personal information is extremely lucrative. It can be sold on the dark web or used to carry out more attacks, like highly targeted phishing scams.
In fact, research shows that, last year, the total number of compromised records surpassed 37 billion – a 141% increase compared to 2019. This growth can be attributed to the pandemic.
With more people working from home, the opportunities for data loss and theft have exploded. Users are now outside the watch – and protection – of the corporate perimeter. Many are sharing data through unofficial tools or working from unsecured endpoints. Cybercriminals are constantly searching for that weak link in the enterprise chain, so that they can exploit it.
Preventing a data breach needs to be the top priority for IT teams, particularly as most enterprises today cannot afford the ramifications. Because employees are working outside of the corporate network, traditional perimeter protections are no longer effective. So, IT teams need security tools that focus on protecting data – wherever it resides.
This is why many companies are turning to next-generation CASB and DLP tools.
These solutions support organizations in discovering, classifying and securing sensitive information across cloud applications and unmanaged devices. In essence, they tackle the root causes of breaches – such as shadow IT and malicious insiders – to stop data from getting into the wrong hands.
Polymer protects against data loss (DLP) on modern collaboration tools like Slack, Dropbox, Zoom, GitHub and more with alerting & real-time redaction of sensitive and regulated information such as PII, PHI, HIPAA, financial, security or customer-defined data.
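To make the "discover, classify, redact" loop of a DLP tool concrete, here is an added example (not Polymer's code, and not from the original article) that scans a collaboration-tool message for the two data types the Capital One and Equifax stories centre on: Social Security numbers and payment card numbers. It assumes a constructed sample message, a simple SSN format rule and a Luhn check to suppress false positives on card-like digit runs; real products use far richer classifiers.

```python
import re
from dataclasses import dataclass

# SSN in the form AAA-GG-SSSS, rejecting the areas/groups/serials that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by single spaces or hyphens (candidate card numbers).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum; filters out most digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str   # classification label, e.g. "SSN" or "CARD"
    start: int  # character offsets of the match inside the message
    end: int


def classify(text: str) -> list[Finding]:
    """Discover and classify sensitive values in a message, ordered by position."""
    found = [Finding("SSN", m.start(), m.end()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.append(Finding("CARD", m.start(), m.end()))
    return sorted(found, key=lambda f: f.start)


def redact(text: str) -> tuple[str, list[str]]:
    """Return the message with each finding masked, plus the labels for alerting."""
    out, pos = [], 0
    for f in classify(text):
        out.append(text[pos:f.start])
        out.append(f"[REDACTED {f.kind}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out), [f.kind for f in classify(text)]


# Constructed sample message; the card number is the well-known Visa test value.
SAMPLE = "Customer Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111, ticket 20190729."

if __name__ == "__main__":
    masked, labels = redact(SAMPLE)
    print(masked, labels)
```

A message whose digit run fails the Luhn check (for example the same card with its last digit changed) is left untouched, which is the trade-off between over-redaction and missed leaks that DLP policies tune.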