Data breach
A data breach, also known as data leakage, is "the unauthorized exposure, disclosure, or loss of personal information".[1]
Attackers have a variety of motives, from financial gain to political activism, political repression, and espionage. There are several technical root causes of data breaches, including accidental or intentional disclosure of information by insiders, loss or theft of unencrypted devices, hacking into a system by exploiting software vulnerabilities, and social engineering attacks such as phishing where insiders are tricked into disclosing information. Although prevention efforts by the company holding the data can reduce the risk of data breach, it cannot bring it to zero.
The first reported breach was in 2002 and the number occurring each year has grown since then. A large number of data breaches are never detected. If a breach is made known to the company holding the data, post-breach efforts commonly include containing the breach, investigating its scope and cause, and notifications to people whose records were compromised, as required by law in many jurisdictions. Law enforcement agencies may investigate breaches, although the hackers responsible are rarely caught.
Many criminals sell data obtained in breaches on the dark web. Thus, people whose personal data was compromised are at elevated risk of identity theft for years afterwards and a significant number will become victims of this crime. Data breach notification laws in many jurisdictions, including all states of the United States and European Union member states, require the notification of people whose data has been breached. Lawsuits against the company that was breached are common, although few victims receive money from them. There is little empirical evidence of economic harm to firms from breaches except the direct cost, although there is some evidence suggesting a temporary, short-term decline in stock price.
Definition
A data breach is a violation of "organizational, regulatory, legislative or contractual" law or policy[2] that causes "the unauthorized exposure, disclosure, or loss of personal information".[1] Legal and contractual definitions vary.[3][2] Some researchers include other types of information, for example intellectual property or classified information.[4] However, companies mostly disclose breaches because it is required by law,[5] and only personal information is covered by data breach notification laws.[6][7]
Perpetrators
According to a 2020 estimate, 55 percent of data breaches were caused by organized crime, 10 percent by system administrators, 10 percent by end users such as customers or employees, and 10 percent by states or state-affiliated actors.[24] Opportunistic criminals may cause data breaches, often using malware or social engineering attacks, but they will typically move on if the target's security is above average. More organized criminals have more resources and are more focused in their targeting of particular data.[25] Both groups sell the information they obtain for financial gain.[26] Another source of data breaches is politically motivated hackers, for example Anonymous, who target particular objectives.[27] State-sponsored hackers target either citizens of their own country or foreign entities, for such purposes as political repression and espionage. They often use undisclosed zero-day vulnerabilities, for which the hackers are paid large sums of money.[28]
Consequences
For consumers
After a data breach, criminals make money by selling data, such as usernames, passwords, social media or customer loyalty account information, debit and credit card numbers,[26] and personal health information (see medical data breach).[93] Criminals often sell this data on the dark web, using platforms like .onion or I2P.[94] This information may be used for a variety of purposes, such as spamming, obtaining products with a victim's loyalty or payment information, identity theft, prescription drug fraud, or insurance fraud.[95] The threat of data breach or revealing information obtained in a data breach can be used for extortion.[26]
Consumers may suffer various forms of tangible or intangible harm from the theft of their personal data, or not notice any harm.[96] A significant portion of those affected by a data breach become victims of identity theft.[91] A person's identifying information often circulates on the dark web for years, causing an increased risk of identity theft regardless of remediation efforts.[89][97] Even if a customer does not end up footing the bill for credit card fraud or identity theft, they have to spend time resolving the situation.[98][99] Intangible harms include doxxing (publicly revealing someone's personal information), for example medication usage or personal photos.[100]