Data Breach

Introduction to Data Breach

A data breach is a security incident in which data are accessed, altered, erased, stolen or leaked from a system without the consent of the system’s owner. The victims of a data breach range from individuals to organisations and governments, and the data breached could be personal information, personally identifiable information (PII), medical records, trade secrets, financial information, etc. A data breach can be caused by cyber attacks, malicious acts of insiders, negligent acts of employees, loss or theft of devices and documents, etc. Such data breaches can lead to serious impacts on the affected individuals or organisations, including identity theft, financial loss, reputation damage, legal liability, etc. Most of the time, cyber criminals try to monetise the attack and use the stolen data for identity theft or other fraudulent purposes.

Recent trend of data breach

The rise in data breaches is evident and alarming. According to a global data breach security report published by a non-profit security organisation in 2021, the overall number of data breaches increased by more than 68% compared to 2020. The report reveals that the three primary causes of a data breach are cyber attacks (86%) (including phishing and malware attacks), human and system errors (9%) (including misconfiguration and loss of devices) and physical attacks (2%) (including document or device theft). The healthcare, financial services, manufacturing & utilities, professional services and technology sectors are at the forefront of data compromise, and together they account for more than half of the breaches in 2021.

Data protection laws

In recent years, law enforcement and related departments / agencies in some jurisdictions have tightened the regulations governing personal data protection and cross-border data transfer. The General Data Protection Regulation (GDPR) came into force in 2018 in the European Union, the California Consumer Privacy Act (CCPA) came into force in 2018 in some areas of the United States of America, and the Personal Information Protection Law (PIPL) came into force in 2021 in the People’s Republic of China. To combat the rising trend of data breaches, the GDPR and the laws of some other countries also include stringent data breach notification rules that set out mandatory requirements for organisations to notify both the competent authorities and the relevant individuals.

Signs of a Data Breach

Although security tools may protect against most types of attacks, it is crucial to know the warning signs of a compromised system. Some of the major indicators are described below:

Figure 1: Signs of data breach

- Appearance of suspicious or unknown files, which are often exploit tools or scripts that attackers inserted and used to scan for vulnerable applications, run malware or automatically read a database, etc.;
- Unusually high volumes of outbound traffic, which may indicate transfer of data to an outside party by attackers;
- Unusual volumes of file changes and database manipulation;
- Suspicious login activities at an unusual time or from an unusual location;
- Inaccessible user accounts whose passwords have been changed without the users’ knowledge;
- Results from an online self-checking tool (e.g. Have I Been Pwned - https://haveibeenpwned.com) or a leaked password report showing that your data is involved in a breach; and
- Receiving data breach notifications from a data user who holds, processes and uses your personal data.

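
Three of the signs listed above (logins at unusual times or from unusual locations, unusually high outbound traffic, and bursts of file changes) can be turned into simple log checks. The following Python script is an added illustration, not part of this article or any HKCERT tool; the baselines, login events, traffic volumes and file-change events are constructed sample data, and the thresholds are assumptions to be tuned per environment.

```python
"""Toy detector for three signs of a data breach: logins outside a user's usual
hours or countries, outbound traffic far above a host's prior daily mean, and
bursts of file changes. All inputs below are constructed sample data."""
from collections import Counter
from statistics import mean

# Constructed baseline: per-user usual login hours and source countries.
BASELINE = {
    "alice": {"hours": range(8, 19), "countries": {"HK"}},
    "bob": {"hours": range(9, 18), "countries": {"HK", "SG"}},
}
# Constructed login events: (user, hour_of_day, source_country).
LOGINS = [("alice", 10, "HK"), ("alice", 3, "HK"), ("bob", 11, "RU"), ("bob", 14, "SG")]
# Constructed daily outbound bytes per host; the last entry is today.
OUTBOUND = {"web01": [1.1e9, 0.9e9, 1.0e9, 1.2e9, 9.8e9],
            "db01": [2.0e8, 2.1e8, 1.9e8, 2.2e8, 2.0e8]}
# Constructed file-change events: (host, hour_of_day), one tuple per change.
FILE_CHANGES = [("fs01", 2)] * 400 + [("fs01", 10)] * 20


def suspicious_logins(logins, baseline):
    """Return (user, reason) for logins outside the user's baseline."""
    alerts = []
    for user, hour, country in logins:
        b = baseline.get(user)
        if b is None:
            alerts.append((user, "unknown user"))
        elif hour not in b["hours"]:
            alerts.append((user, f"login at {hour:02d}:00 outside usual hours"))
        elif country not in b["countries"]:
            alerts.append((user, f"login from unusual location {country}"))
    return alerts


def high_outbound(history, factor=3.0):
    """Flag hosts whose latest daily outbound volume exceeds factor x prior mean."""
    flagged = {}
    for host, days in history.items():
        prior_mean, today = mean(days[:-1]), days[-1]
        if today > factor * prior_mean:
            flagged[host] = round(today / prior_mean, 1)  # ratio to baseline
    return flagged


def file_change_bursts(events, threshold=100):
    """Flag (host, hour) buckets with more file changes than threshold."""
    return {k: n for k, n in Counter(events).items() if n > threshold}


if __name__ == "__main__":
    for alert in suspicious_logins(LOGINS, BASELINE):
        print("login:", *alert)
    print("outbound:", high_outbound(OUTBOUND))
    print("file changes:", file_change_bursts(FILE_CHANGES))
```

In practice the baselines would be learned from historical logs and the alerts fed into the monitoring process described under “Detect” below.
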
Common Causes of Data Breach

To minimise the risks of data breach, it is important to understand the major causes of data breach. The causes can be categorised into three common groups:

Figure 2: Common causes of data breach

1. Insider threats

An insider threat typically refers to potential attacks from users with legitimate access to an organisation’s data, network or computer systems. Threat actors include employees, contractors, third-party vendors, etc. Insiders vary in their motivation and intent.

- Malicious insider: A staff member intentionally accesses data with the purpose of damaging the organisation, such as selling a company’s commercial data to competitors for financial gain.

Example: In 2019, two employees of an energy company pleaded guilty to stealing trade secrets from the company with the intention of gaining a business advantage to start a rival company. More than 8 000 files containing sensitive information were leaked from 2011 to 2012.

- Negligent insider: A staff member, without malicious intent, leaks data through accident or human error, such as losing a removable device storing sensitive data, misconfiguring a system or bypassing IT measures and security tools when working from home or remotely.

Example: In 2021, a motor vehicle manufacturer reported a data breach by an unauthorised third party. Owing to an electronic file left unsecured by its marketing vendor, over 3.3 million customers’ data was leaked.

2. Cyber attack

A cyber attack allows attackers to gain unauthorised access to an organisation’s network or computer systems and steal sensitive or confidential data. Attackers often infiltrate and gain access to protected information through the following stages and attack vectors.

Stages of data breach

A data breach caused by a cyber attack usually consists of three main stages: reconnaissance, attack and data exfiltration.

Figure 3: Data breach stages

a. Reconnaissance - Attackers first perform research to select the target and scan for vulnerabilities.
b. Attack - Based on the vulnerabilities found, attackers develop tools and launch an attack against the system.
c. Data exfiltration - Following a successful attack, attackers may access, extract, alter or disclose victims’ data without authorisation.

Attack vectors

- Social engineering: Attackers disguise themselves as trusted or legitimate parties to manipulate and trick users into giving up sensitive information. Phishing is the most common type of social engineering; it uses phishing emails or fraudulent websites to solicit personal information.

Example: In 2020, a social media platform’s employees leaked user credentials due to spear phishing attacks. With the compromised accounts, attackers gained access to 130 high-profile private and corporate accounts and used 45 of these accounts to promote a Bitcoin scam.

- Brute force attack: Attackers use trial and error to guess login credentials. By breaking into a user’s personal account, they can access confidential data and spoof the identity for illicit actions.

Example: In 2021, a telecommunication company fell victim to a massive data breach. The attacker used a brute force attack to breach IT servers and stole the personal information of more than 54 million customers.

- Supply chain attack: Attackers access an organisation’s network via trusted third-party vendors or suppliers. By exploiting vulnerabilities in the supply chain and compromising a vendor, attackers can steal the data.

Example: In 2020, threat actors infiltrated the supply chain of an information technology firm by injecting malicious code into a software update that the company automatically pushed out. Over 18 000 of its customers installed the update, leaving them vulnerable to attack.

- Malware: Attackers deploy malicious software against computer systems to compromise normal computer functions, steal data and obtain unauthorised access. Ransomware is a type of malware commonly used to exfiltrate and encrypt data for extortion.

Example: In 2021, an oil pipeline company suffered a ransomware attack that shut down operations and cut off fuel supplies to millions of individuals. Nearly 100 gigabytes of data were stolen from the company’s servers and a ransom payment was demanded.

- Exploitation of security vulnerabilities: Attackers use exploit kits to scan for and compromise software through its vulnerabilities to obtain users’ login credentials or collect commercial data.

Example: In 2021, a cashless parking app was breached due to a security vulnerability introduced by a third-party vendor. Critical data of 21 million customers was leaked and sold on the dark web.

3. Physical data breach

Sensitive documents or devices holding sensitive data (e.g. USB storage devices, hard disks, laptops) that are not physically secured, such as those left unattended in public places, or sensitive data stored on portable devices without encryption, can cause a massive data breach.

Impacts of Data Breach

A data breach can cause far-reaching and damaging consequences for organisations and individuals. Depending on the extent of the data breach, society and citizens can also be threatened. The leakage of confidential information on assets, health and identity records can result in social panic and threats to personal safety.

Impacts of data breach

1. Organisation

- Financial loss: A data breach can affect or disrupt the operation of an organisation and result in loss of business. Other financial consequences include revenue decrease, loss of intellectual property (e.g. patents and trade secrets), payments to affected customers for reimbursement and settlement, as well as the costs of legal services, breach response and investigation, etc.
- Legal liability: Laws and regulations on data breach have been put in place in different regions. Organisations that fail to adhere to the applicable laws and regulations, such as the Personal Data (Privacy) Ordinance (PDPO) of Hong Kong, may be subject to legal actions (e.g. fines and litigation) taken by the regulatory authorities.
- Reputation damage: A data breach is devastating to an organisation’s reputation. The damage to business reputation leads to brand depreciation, loss of customer loyalty and damage to business partner/supplier relationships.

2. Individual

- Identity theft: A data breach hurts individuals by compromising sensitive data such as PII. Using stolen credentials, attackers can impersonate users for illicit purposes, such as transferring victims’ money illegally and committing fraud with victims’ identities.

Best Practices for Preventing Data Breach

General recommendations

Figure 5: General recommendation for preventing data breach

- Install software and mobile apps from trusted sources, and do not install apps that request doubtful permission rights;
- Do not over-share personal details online, to avoid becoming a victim of identity theft;
- Adopt strong password and authentication measures (e.g. multi-factor authentication, biometric authentication, etc.);
- Avoid using public Wi-Fi networks or untrusted devices to process personal and sensitive information;
- Harden online privacy settings to reduce the exposure of personal data on social media; and
- Use secured portable media with data encryption enabled to protect sensitive data.

Best practices for organisations

Figure 6: Best practices for organisations to prevent data breach

1. Identify:

- Define and classify sensitive data (e.g. PII, intellectual property and confidential information) and develop policies to demonstrate compliance where necessary;
- Inventory the critical system/data assets and apply appropriate industry-practice controls (e.g. data encryption, risk assessment and audit); and
- Conduct a privacy impact assessment against the applicable data privacy regulations, such as the PDPO or GDPR, for any implementation or operation involving personal data.

2. Detect:

- Monitor network access and review system logs regularly to identify any abnormal system or network activities; and
- Conduct data loss prevention (DLP) and malware scanning regularly.

3. Protect:

- Enforce system hardening, such as disabling unnecessary ports and services;
- Implement appropriate measures to secure the network for data transmission (e.g. application firewall, network segregation according to security and functional requirements);
- Avoid connecting unidentifiable portable media to a computer or mobile device;
- Consider implementing a zero trust architecture:
  Figure 7: Zero-trust architecture workflow
  • Define the critical and valuable data or assets and enforce policy that ensures secure access to them (refer to the “Identify” section);
  • Segment the network into granular, secure subnetworks to allow easier dissection and more specific security controls based on user and device identification; and
  • Strengthen identity and access management so that each endpoint is authenticated and authorised for only the resources and services it needs.
- Enforce encryption of sensitive data in transit and at rest using strong security protocols (e.g. Transport Layer Security for data in transit);
- Implement key management services, such as a hardware security module (HSM) or an enterprise key management system, to properly create, store and exchange the cryptographic keys used for data encryption;
- Erase sensitive data properly from storage devices before disposal (e.g. degaussing and physical destruction of the storage media);
- Arrange regular training for different levels of users (from senior management to front-line staff) to raise their awareness of information security;
- Conduct regular security risk assessments and audits to review and identify any risks in data protection, and take timely mitigation measures; and
- Perform regular backups and keep at least one copy of the backups off-site.

4. Respond:

- Develop an incident response plan (covering data breaches), conduct drills, review the plan regularly and revise it if needed;
- Increase the frequency and extent of security monitoring after a data breach to ensure the threat is completely removed; and
- Refer to the “Respond to Data Breach” section for more details.

Respond to Data Breach

Figure 8: Respond to data breach

1. Containment

Depending on the causes identified at an early stage, containment measures may include:

- Take the affected system or services offline to prevent further damage from the data breach;
- Suspend the user accounts suspected to be involved in the incident;
- Preserve the evidence of the data breach to facilitate investigation;
- Remove the leaked data (e.g. if the data is published on platforms administered by external parties) by contacting the related parties, such as Internet service providers and the administrators of websites, forums or search engines; and
- Seek advice from the Hong Kong Computer Emergency Response Team Coordination Centre on incident response and recovery, if necessary.

2. Assessment of the risk of harm

- Assess the extent of the harm and impact caused by the data breach (e.g. amount, types and sensitivity of the data leaked, causes of the data breach, likelihood of recurrence, encryption status of the leaked data, etc.).

3. Notification and report

- Notify affected individuals about the data breach with the relevant details, including the categories of personal information involved, the causes of the incident and potential harm, the remedial measures taken and the mitigation measures that individuals may take, etc.
- Report the case to the Hong Kong Police Force if a criminal offence is suspected.
- Submit a data breach notification to the Office of the Privacy Commissioner for Personal Data if the data breach involves personal data.

4. Post-incident evaluation

- Investigate the root cause of the breach and consider taking remedial actions to avoid recurrence of the incident.
- Make practical recommendations for improvement, taking into account the findings of the investigation, for example:
  • Improve the handling process for sensitive data;
  • Review and revise access rights to sensitive data;
  • Assess the adequacy of protection against unauthorised access to sensitive data and implement further security measures if necessary; and
  • Strengthen the monitoring of data processing and the effectiveness of detecting early signs of a data breach.
- Conduct an audit to ensure the recommendations are put into effect.

Extended Readings

1. Office of the Privacy Commissioner for Personal Data (PCPD) - Guidance on Data Breach Handling and the Giving of Breach Notifications
2. Office of the Privacy Commissioner for Personal Data (PCPD) - Protecting Privacy - Using Computers and the Internet Wisely
5. Office of the Australian Information Commissioner (OAIC) - Data breach response plan
6. Identity Theft Resource Center - 2021 Annual Data Breach Report
7. Department for Digital, Culture, Media and Sport (DCMS) - Cyber Security Breaches Survey 2021
