What is a data breach, and how does it happen?

Data breaches are one of the most common cybersecurity threats that businesses and individuals have to face. What may seem like a small data leak can result in huge financial loss and reputational damage. So, what is a data breach, how does it happen, and how can you safeguard your data?

What is a data breach?

A data breach occurs when unauthorized people gain access to personal, classified, or otherwise protected information. Data breaches can be unintentional (for example, resulting from a company file sent to the wrong person) or malicious (caused by phishing emails, hacker attacks, or malware infections).

More often than not, businesses and individuals suffer malicious data breaches. Since data can hold significant value, it’s natural that cybercriminals try to steal it and make a profit from it either by selling the obtained information on the dark web or ransoming it for huge sums.

How do data breaches happen?

Typical data breaches involve specific steps, such as reconnaissance, gaining access, extracting data, and covering the hackers’ tracks. In certain cases, cybercriminals can also use privilege escalation or lateral movement.

Here’s how malicious actors breach systems to steal data:

• Step 1 – Reconnaissance. Before launching an attack (be it phishing, malware, session hijacking, or brute force attacks), cybercriminals will scout the system for potential attack vectors and system vulnerabilities. Once they gather the information they need, the cyberattack is ready to go.
• Step 2 – Gaining access. This one is also known as the initial compromise. During this process, hackers use their preferred attack method to gain unauthorized access to the system and its data.
• Step 3 – Privilege escalation. Once they breach the system, malicious hackers may need higher clearance, such as admin rights, to bypass restrictions and access more sensitive data. To do so, hackers exploit system vulnerabilities until they get admin-level access, which strengthens their control over the compromised system.
• Step 4 – Lateral movement. When hackers gain enough power over the system’s controls, they can use them to move laterally across the network. That means malicious actors have open access to all or most system files, most significantly those that include sensitive information.
• Step 5 – Data exfiltration. Once the bad guys are completely set in the breached system, they begin exfiltrating the “good stuff.” Using extraction tools, hackers steal personal information, business secrets, and classified documents in seconds, sometimes before system owners can even notice anything.
• Step 6 – Covering tracks. After completing their task, the hackers will try to cover up any trace of their presence. This usually means deleting activity logs or disabling security systems so that the system owners and security do not pick up any leftovers, unusual files, or suspicious activities.

The steps above describe a perfect data breach, during which the system operators are unaware of being attacked. Depending on the type of attack, the system security, or the vigilance of its owners, data breaches can be spotted early or even during the attack, forcing malicious actors to adjust their methods.

What are the main causes of data breaches?

Poor cybersecurity practices, such as weak passwords or unpatched vulnerabilities, are usually the main causes of data breaches. Cybersecurity experts also note that human error is among the most common causes of this issue and add misconfigured systems and physical credential theft (or loss) to the list of contributing factors.

Hackers target both small and large businesses for two different reasons. Small businesses often lack robust cybersecurity practices, making them easy targets. Meanwhile, large companies often present a challenge that can motivate hackers to breach the system and humiliate the company publicly, resulting in financial and reputational damage. Some hackers may also breach systems to commit espionage or even shine a light on a specific political or social cause (a process also known as hacktivism).

Based on these simple principles, malicious actors can exploit different vulnerabilities. For example, small businesses often suffer phishing and other social engineering attacks. Big businesses aren’t immune to phishing either, due to the larger number of employees and extensive communication channels. However, they’re also more likely to experience brute force attacks, which can breach the company’s cybersecurity and result in data theft.

Businesses may also face different types of data breaches caused by insider threats (employees who willingly help hackers get inside), malware, unpatched system vulnerabilities, or even lost or stolen company devices. This is why companies invest in cybersecurity measures, such as password managers, two-factor authorization (2FA), and skilled cybersecurity personnel. However, it’s equally important to train all employees to help them understand their role in maintaining cybersecurity in the workplace.

What methods are used in data breaches?

As mentioned, hackers can use numerous methods to breach the systems and steal data. From malware to third-party software, here are the main ways in which malicious actors may launch a data breach attack:

Malware

Hackers use malware to slip into the system undetected. Files with spyware or ransomware, trojans, and infostealers are among the most common types of malware that can open doors for hackers to access your system, potentially gain admin-level privileges, and steal sensitive data.

Malware can infect your system through various methods, including phishing links, infected USBs, and unsafe websites. Therefore, employee vigilance is essential in preventing this type of cyberthreat.

Social engineering

Social engineering refers to attacks that involve direct contact between the hacker and the system user. Malicious actors create believable scenarios and try to lure users into providing sensitive information, using methods such as phishing.

Whaling is another great example of a social engineering attack. This method is used to target big companies and works similarly to phishing. During whaling attacks, hackers send emails to high-level employees (executives, CEOs, and CFOs), pretending to be representatives of reputable companies, such as law firms. In those emails, the hackers may urge their victims to wire money, share the company’s secrets, click on suspicious links, or download unknown files.

Phishing

Phishing is a social engineering cyberattack that exploits users by baiting them to click on links or files that contain viruses, spyware, and other malware. Hackers usually attempt phishing through email and contact employees with messages that create a sense of fear or urgency and encourage quick response. For example, phishers may target employees by pretending to be representatives of legitimate organizations, and prompting the users to take immediate action based on the content of the email.

If an employee takes the bait, they may click on the link which typically hosts some kind of malware, potentially opening the doors for cybercriminals to breach the system. The landing pages of some phishing links may also replicate known user interfaces, such as system login windows, and scan everything the user types (including username and password), further exposing the system to the threat.

Human error

No matter how hard people try, sometimes accidents happen. A lost keycard, a typo in the email address field, or a lost work laptop can cause a data breach if they fall into the hands of malicious actors. If something like that happens, it’s important to report the issue without ignoring it and be vigilant of potential breaches or attacks. Offering support to the person who made a mistake is also a good practice for maintaining loyalty among employees.

Insider threats

In some cases, hackers can initiate a data breach with assistance from someone inside the organization. According to the experts, this issue has become so prevalent that it now ranks among the top cybersecurity risks for large businesses. To prevent insider threats, you can limit access to sensitive information or invest in a better workplace environment (people are less likely to turn against the company when they actually like working there, right?).

Supply chain attacks

Supply chain attacks occur when hackers target part of a company's supply chain software. In simple terms, it’s a type of cyberattack that targets service providers, vendors, and third-party apps on which the company relies. Some businesses may need to share access rights or sensitive information when using third-party services. Therefore, a successful supply chain attack can expose your company’s system even if it wasn’t attacked directly.

Unpatched vulnerabilities

As soon as companies develop new strategies to safeguard their data, malicious actors come up with new ways to overcome them. System security gets obsolete fast, exposing businesses to cyberattacks. Overdue updates and unpatched vulnerabilities invite hackers to breach your networks and steal sensitive data. To avoid such problems, companies should install system updates as soon as they launch while constantly monitoring and patching additional system vulnerabilities.

Weak or stolen credentials

Weak passwords are one of the most common causes of data breaches. Far too often, people believe their passwords are strong enough, while a hacker with a capable toolset can crack them in mere seconds. Safeguarding against this vulnerability requires businesses to introduce 2FA and educate employees on password security. Using additional tools such as password managers can also be a huge benefit.

Cloud misconfigurations

While cloud storage is a convenient choice for data storage, poorly configured cloud servers can turn that comfort into a headache in just a few seconds. Insufficient user restrictions, lack of encryption, or disabled logging and monitoring can allow malicious actors to jump into your cloud server and peek at all the sensitive data you might be hiding there.

Third-party access

Third-party access vulnerabilities can allow cybercriminals to steal your business data even without directly attacking your company. Hackers may target a third-party service provider to hijack communications, gain access to specific files shared between your company and the third-party service provider, or learn about potential vulnerabilities.

Safeguarding against this risk is difficult but not impossible. Before entrusting your company’s data to a third-party service provider, make sure that the provider has an impeccable cybersecurity record. Even then, set up separate accounts for communication and use proper information segmentation. In addition, look for ways to safeguard your system in case of a third-party attack.

What are the targets of data breaches?

Data breaches, as the name suggests, mainly target data. Depending on the service the business provides, we can divide that data into more specific types.

• Personal data. Includes names, surnames, addresses, phone numbers, Social Security numbers, and birth dates. Malicious actors may use stolen personal data to commit identity theft or sell it on the dark web.
• Financial data. This data type includes credit card numbers, bank account details, and payment information. With this data, hackers can try to carry out fraudulent transactions or drain bank accounts.
• Login credentials. If the system collects usernames, passwords, or answers to security questions, the data breach will expose them to malicious actors. Needless to say, login credential leaks can pose a huge risk of identity theft and loss of account access (for example, when hackers use the victim’s login details to change the account’s password).
• Intellectual property. Patents, trade secrets, and research data can harm businesses and cause significant financial damage when in the hands of hackers. Malicious actors may demand ransom for stolen data or try to sell it on the dark web, making a company’s hard work go to waste.
• Customer and client data. Businesses often collect various types of customer data including, but not limited to, personal and financial information. Suffering a data breach that leaks client data is a huge financial, reputational, and potentially legal blow. Customer data is often the most sought-after target for malicious actors because it causes the most damage, hurting the business and creating thousands of potential new victims.
• Government data. Some companies may work closely with the government as service contractors. That could mean exchanging sensitive information such as strategic documents, personal data of government employees, or even classified information. Exposing such data to hackers could, at the very least, cause a scandal, let alone destroy careers, or even worse — put someone’s life in danger.

What are the consequences of data breaches?

The consequences of data breaches vary depending on the type and amount of stolen data, the size and reputation of the company, and sometimes even the hacker's “goodwill.” Based on these (and many more) factors, the consequences of a data breach can range from small financial losses to massive reputational damage, compliance regulation breaches, lawsuits, loss of certificates, and even official government hearings.

Typically, after stealing sensitive data, malicious hackers can either use it to further their scams (for example, using stolen client data to launch phishing attacks and steal identities), sell the data on the dark web, or contact the owners of the breached system to demand ransom for the stolen data. If the company has a strong presence in the market or is one of its leaders, the hackers may leak the data for free to cause reputational (and, therefore, financial) damage.

Real-life examples of data breaches

Examples of real-life data breaches prove that even well-known companies, such as Equifax and Yahoo, cannot feel safe from potential cyberattacks. Here are a few high-profile data breach cases:

• MGM resorts data breach (2023). In early 2023, MGM Resorts suffered a major data breach after a cyberattack that appeared to target its internal systems, causing severe disruptions. A result of a ransomware attack, the breach granted hackers access to sensitive information, including guest data and internal systems. The breach resulted in complete system shutdown along with reputational damage and significant financial loss.
• Snowflake data breach (2023). Snowflake, a business cloud data platform, suffered a data breach when hackers found a possible entry point through a third-party provider. The supply-chain attack exposed sensitive data stored on Snowflake's platform, including financial information and business intelligence. This caused a series of security incidents including breaches at other Snowflake-associated companies (such as AT&T and Santander Bank). While the company took swift action and worked with security experts to address vulnerabilities, the snowball of breaches that rolled over Snowflake’s customers resulted in a significant reputational damage.
• MOVEit Transfer data breach (2023). Progress Software's MOVEit Transfer, a secure file transfer software, was exploited by a zero-day vulnerability, just last year. The breach affected thousands of organizations worldwide, with hackers gaining access to personal, financial, and healthcare information. The company sustained increased scrutiny and hefty financial consequences.

How can businesses prevent data breaches?

For businesses, data breach prevention requires substantial financial and human resources. Here are some tips on how to safeguard your business against data breaches:

• Implement two-factor authentication. Safeguarding systems with 2FA provides an additional layer of security and helps detect suspicious or unauthorized access requests more quickly.
• Encrypt sensitive data. Investing resources in strong encryption can improve your business cybersecurity and increase the safety of sensitive information. While you can use file encryption tools, a VPN such as NordVPN can offer additional benefits (for example, Threat Protection Pro™ features).
• Build a strong cybersecurity team. Large companies should invest in seasoned cybersecurity specialists. They will help you better prepare for potential cyber threats and strengthen the overall safety of the company’s sensitive data (for example, through educating your employees).
• Update and patch software regularly. System updates often include new security patches, so it’s crucial to install them as soon as possible to keep your systems up to date.
• Carry out security audits and employee training. As the old saying goes, “practice makes perfect.” Run regular security audits and employee training sessions to strengthen the company’s cybersecurity and ability to respond to a potential data breach.
• Create backups and data recovery plans. Data diversification can be a smart strategy. Make sure to create backups for sensitive information and draw up strategies to recover lost data. While this may not protect against a potential data breach, it’ll help mitigate the damage (for example, by avoiding paying a ransom) after a potential cyberattack.
• Use NordStellar. From the minds behind NordVPN, the latest addition to the Nord family, NordStellar helps businesses identify potential exposures and compromised customer or employee credentials before hackers can take action. It’s a useful tool that aids businesses in data breach monitoring, identifying potential risks, and tracking mentions of your company in cybercrime communities.

What to do if your business suffers a data breach

If the business has suffered a data breach, it’s critical to act fast. First, contain the breach by isolating all affected systems and assessing the damage and the compromised data. Then, start patching vulnerabilities, fixing security gaps, and notifying affected customers and stakeholders. Some laws may also require reporting the data breach to law enforcement (for example, under the GDPR, organizations have 72 hours to report a breach to the relevant data protection authority).

Finally, continue to monitor your systems and review the security policies. The backlash and repercussions may continue for some time. However, while going through the process, it’s important to start upgrading and patching your cybersecurity weaknesses to avoid future cyberattacks.

FAQ

What is the average cost of a data breach?

While it’s hard to define a specific figure, the average cost of a data breach usually involves millions of dollars. Some experts indicate that the average cost per lost or stolen record containing sensitive information could be approximately $165, while healthcare records may reach $429 per record. According to IBM's 2023 Cost of a Data Breach report, the average data breach exposes about 25,000 records. Based on these numbers an average data breach can cost from $4 million to $10 million and more.

How to detect a data breach?

To detect a data breach, check your system activity logs and file directories for suspicious activity. Data breaches usually include connections from unknown devices, changes in file locations or sizes, and unusual data transfers. So if you notice any unauthorized or dubious changes in your system, start investigating. Additionally, use automated security tools, such as NordStellar, and regularly conduct security audits to enhance threat detection capabilities.

How should business report a data breach?

Reporting a data breach may look different depending on where the business operates. For example, in the EU, you must report a breach to your local data protection authority (DPA) within 72 hours of its discovery. In the US, however, most states obligate businesses to notify their Attorney General's office or consumer protection agencies of any breaches. The requirements vary by state, and the timelines may be shorter than those mandated by federal law.

It's also critical to inform the company's customers by sending emails or text messages describing the situation and the steps that will be followed to mitigate the damage.