Data Breach

A data breach is a cyber security incident in which data such as personal information or corporate data is accessed, altered, erased or disclosed without authorisation. Data breaches can result from various causes, such as cyber attacks on computer systems, malicious acts by insiders and negligent acts by employees. Cyber criminals may exploit the breached data for identity theft or other fraudulent purposes.

The threat of data breach has been escalating in recent years. According to a survey conducted by a security software company in 2019, the number of reported breaches in the first six months of 2019 increased by 54% compared with the same period in 2018. In the first half of 2019, 3,800 publicly disclosed data breaches exposed over 4.1 billion records. A data breach not only tarnishes the victim's reputation but also results in massive tangible and intangible loss.


What May Cause Data Breach?

To minimise the risk of data breach, it is important to understand its major causes, which are described below:

Phishing

Phishing is the most common cause of data breach. Cyber criminals disguise themselves as a trusted or legitimate party, setting up fraudulent websites or sending spoofed emails to lure users into clicking malicious links.

When users click on such a link, they are redirected to a malicious webpage that steals their login credentials or executes malicious code on their system by exploiting vulnerabilities in the browser or operating system. This gives the cyber criminals access to sensitive data on the victim's system, and from there they can move laterally through the network in search of other valuable data to exfiltrate.
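The following is an added example, not part of the original page, showing the kind of link checks a mail gateway or awareness tool can apply to a link in an email before a user clicks it: whether the visible link text and the real target point to different registered domains, whether the target is a bare IP address or hides the real host behind user-info before '@', and whether the host imitates a brand name on a registered domain the organisation does not own. The domain example-bank.com, the brand words and all sample links are constructed for the illustration; the "last two labels" rule for the registered domain is a simplification, and a production checker would consult the Public Suffix List instead.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample (hypothetical names): the registered domains the
# organisation really uses, and the brand words an attacker would imitate.
TRUSTED_DOMAINS = {"example-bank.com"}
BRAND_WORDS = ("example-bank", "examplebank")

# Common digit-for-letter substitutions seen in lookalike domains.
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "4": "a"})

# Link text that itself looks like a URL or host name (lower-cased input).
_DOMAIN_LIKE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host):
    """Naive 'last two labels' rule; real code should use the Public Suffix List."""
    host = host.lower().rstrip(".")
    if _is_ip(host):
        return host
    return ".".join(host.split(".")[-2:])


def analyse_link(display_text, href):
    """Return the reasons a link looks like phishing; an empty list means none found."""
    reasons = []
    url = urlparse(href)
    host = (url.hostname or "").lower()

    # 1. http://trusted.example@attacker.example/ - the part before '@' is
    #    user-info, and the real host is what follows it.
    if url.username is not None:
        reasons.append("user-info before '@' hides the real host %s" % host)

    # 2. Legitimate services are rarely linked by raw IP address.
    if _is_ip(host):
        reasons.append("target is a bare IP address %s" % host)

    # 3. The text the user sees names one domain, the target is another.
    shown = display_text.strip().lower()
    if _DOMAIN_LIKE.match(shown):
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        if registered_domain(shown_host) != registered_domain(host):
            reasons.append("link text shows %s but target is %s" % (shown_host, host))

    # 4. Brand name present in the host (after undoing digit substitutions)
    #    but the registered domain is not one of ours: a lookalike.
    if any(word in host.translate(_HOMOGLYPHS) for word in BRAND_WORDS):
        if registered_domain(host) not in TRUSTED_DOMAINS:
            reasons.append("brand name in host %s but registered domain %s is not ours"
                           % (host, registered_domain(host)))
    return reasons


if __name__ == "__main__":
    samples = [
        ("https://mail.example-bank.com/login", "https://mail.example-bank.com/login"),
        ("https://example-bank.com/secure", "https://example-bank.com.account-verify.net/secure"),
        ("Verify now", "http://examp1e-bank.com/verify"),
        ("example-bank.com", "http://example-bank.com@198.51.100.7/login"),
    ]
    for text, target in samples:
        print(target, "->", analyse_link(text, target) or "looks legitimate")
```

The checker returns reasons rather than a verdict so that a gateway can quarantine on any hit while an awareness tool shows the user why the link is suspicious.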

Example

In 2019, two staff accounts of an airline company were compromised in a phishing attack. Over a hundred thousand records of personally identifiable information (PII) from the airline company's internal documents were believed to have been leaked to cyber criminals.

Vulnerabilities

Cyber criminals can exploit vulnerabilities in various systems and applications such as:

Operating systems
Web servers
Software applications
Software libraries or modules

Cyber criminals may use exploit kits to scan for vulnerable software and compromise it through these vulnerabilities, obtaining user login credentials or collecting commercial data without being detected.

For example, injection is one of the most prevalent types of cyber attack. Where a system or web application builds queries or commands from user input, for example Structured Query Language (SQL) queries, Lightweight Directory Access Protocol (LDAP) queries or operating system commands, a cyber criminal can supply specially crafted input that changes the meaning of the query or command. This can allow them to execute commands remotely, take control of the affected systems and access the data therein.
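As an added example (not code from the original page), the following shows SQL injection against a login and a search feature of a constructed SQLite database, beside the parameterised versions that defeat it. The first payload ends the string literal and comments out the password check; the second appends a UNION to read the password column. The users table and its contents are sample data made up for the illustration.

```python
import sqlite3


def build_db():
    """Constructed sample database for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # User input is pasted into the SQL text, so a quote in the input ends
    # the string literal and the rest of the input becomes SQL syntax.
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def search_vulnerable(conn, term):
    # Same flaw in a search feature: a UNION appended to the term reads any
    # column of any table, here the password column.
    query = "SELECT name FROM users WHERE name LIKE '%%%s%%'" % term
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    # Parameterised query: the values travel separately from the SQL text,
    # so the driver treats them as data whatever characters they contain.
    rows = conn.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                        (username, password))
    return [row[0] for row in rows]


def search_safe(conn, term):
    # Bind the pattern as a parameter, and escape LIKE wildcards so the user
    # cannot widen the match with '%' or '_' either.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
                        ("%" + escaped + "%",))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    bypass = "' OR '1'='1' --"
    dump = "x%' UNION SELECT password FROM users --"
    print("vulnerable login bypass :", login_vulnerable(db, bypass, "anything"))
    print("vulnerable search dump  :", search_vulnerable(db, dump))
    print("safe login with payload :", login_safe(db, bypass, "anything"))
    print("safe search with payload:", search_safe(db, dump))
```

The safe versions make no attempt to detect "bad" characters; they simply never let input become part of the SQL statement, which is the fix that holds regardless of payload. Storing passwords in plaintext, as the sample table does to keep the dump visible, is itself a defect a real application must not have.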

Example

In 2017, a credit reporting agency leaked the data of hundreds of millions of consumers due to an unpatched software vulnerability. Although the related patches were available well before the incident, the company failed to apply them in time, which led to the breach.

Misconfiguration

Misconfiguration of systems or networks introduces weaknesses that can lead to serious security incidents such as data breach. It can occur at different levels of a computer system, for example:

System level - missing security hardening or overlooked security settings in any part of the system.
Application level - out-dated or vulnerable software, or default configurations and passwords left unchanged.
Network level - overly permissive security group policies or firewall rules.
Cloud services - improper permission and security configurations of cloud services.
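As an added example (not from the original page), the following audits a constructed inventory for the network, application and cloud-service misconfigurations listed above: ingress rules open to any source on database or management ports, services still using vendor default credentials or running without authentication or TLS, and storage that is publicly readable or unencrypted. The resource names, credentials and the inventory format are all made up for the illustration; a real audit would read the equivalent data from the cloud provider's or firewall's export.

```python
import ipaddress

# Ports that should not be reachable from the Internet in a typical deployment.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB"}

# Vendor default credentials that must be changed before go-live.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", ""), ("postgres", "postgres")}

# Constructed sample inventory (hypothetical resource names, not a real
# environment) in the shape a cloud or firewall export might take.
INVENTORY = {
    "firewall_rules": [
        {"id": "sg-web-80", "direction": "ingress", "source": "0.0.0.0/0", "ports": (80, 80)},
        {"id": "sg-db-any", "direction": "ingress", "source": "0.0.0.0/0", "ports": (0, 65535)},
        {"id": "sg-db-internal", "direction": "ingress", "source": "10.0.0.0/8", "ports": (5432, 5432)},
        {"id": "sg-search", "direction": "ingress", "source": "::/0", "ports": (9200, 9300)},
    ],
    "services": [
        {"name": "customer-db", "username": "postgres", "password": "postgres",
         "auth_required": True, "tls": True},
        {"name": "search", "username": None, "password": None,
         "auth_required": False, "tls": False},
        {"name": "web", "username": "svc_web", "password": "Xq7!vL9#pR2m",
         "auth_required": True, "tls": True},
    ],
    "storage_buckets": [
        {"name": "customer-exports", "public_read": True, "encrypted": False},
        {"name": "backups", "public_read": False, "encrypted": True},
    ],
}


def allows_any_source(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix of length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(inventory):
    """Return (level, resource, problem) findings for the network,
    application and cloud-service misconfiguration classes."""
    findings = []
    for rule in inventory["firewall_rules"]:
        if rule["direction"] != "ingress" or not allows_any_source(rule["source"]):
            continue
        low, high = rule["ports"]
        exposed = [name for port, name in SENSITIVE_PORTS.items() if low <= port <= high]
        if (low, high) == (0, 65535):
            findings.append(("network", rule["id"], "all ports open to any source"))
        elif exposed:
            findings.append(("network", rule["id"],
                             "%s reachable from any source" % ", ".join(exposed)))
    for svc in inventory["services"]:
        if (svc["username"], svc["password"]) in DEFAULT_CREDENTIALS:
            findings.append(("application", svc["name"], "default credentials in use"))
        if not svc["auth_required"]:
            findings.append(("application", svc["name"], "no authentication required"))
        if not svc["tls"]:
            findings.append(("application", svc["name"], "TLS disabled"))
    for bucket in inventory["storage_buckets"]:
        if bucket["public_read"]:
            findings.append(("cloud", bucket["name"], "publicly readable"))
        if not bucket["encrypted"]:
            findings.append(("cloud", bucket["name"], "stored unencrypted"))
    return findings


if __name__ == "__main__":
    for level, resource, problem in audit(INVENTORY):
        print("%-12s %-18s %s" % (level, resource, problem))
```

Note that the web rule on port 80 and the database rule limited to 10.0.0.0/8 produce no findings: the check is for sensitive ports exposed to any source, not for every open port.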

Example

In 2019, an information technology company exposed hundreds of millions of customer records due to misconfigured network security settings on a database. The unencrypted data was accessible to anyone with a web browser, without authentication.

Insider Threats and User Negligence

Some users, such as present or former employees, third-party contractors and service providers, have access to sensitive data or privileged systems because of operational needs. They can pose a threat if they misuse that access, for example by selling a company's commercial data to competitors. Users without malicious intent can also leak sensitive data through negligence, such as losing a removable device that stores sensitive data.

Example

In 2019, millions of customer records containing PII were found to have been breached at a bank. The data was stolen by a bank employee who gathered customer information and shared it with a third party outside the bank.


Impact of Data Breach

Legal Ramifications

Laws and regulations in different jurisdictions impose legal obligations on data controllers and processors to properly handle and protect personal data. Notable examples include the Personal Data (Privacy) Ordinance of Hong Kong and the General Data Protection Regulation (GDPR) of the European Union. Companies that fail to comply with the applicable laws and regulations may face legal action by the regulatory authorities, including fines and imprisonment.

Financial Loss

Companies can suffer huge financial loss from a data breach. The breach can disrupt the operation of a company and result in loss of business. Other financial consequences include reimbursement and settlement payments to affected customers, as well as the costs of legal services, breach response and investigation.

Reputational Damage

A data breach can cause serious damage to a company's brand and reputation, projecting a negative image to existing and potential customers. Clients and business partners may lose trust and terminate their relationship with the company.


Preventive Measures

System / Application / Network Security Measures
Apply secure system configurations for all applications and disable unnecessary functionality of the systems.
Apply patches in a timely manner to fix any known vulnerabilities and use patch management software to automate the testing and deployment of patches, if applicable.
Remove or upgrade obsolete or end-of-support systems and applications.
Implement appropriate measures to secure the network used for data transmission (e.g. deploy an application firewall, segregate networks with different security requirements).
Detect suspicious data flows or unauthorised activities for investigation on any potential data leakage.
Ensure users do not have excessive access rights to systems and data that are not necessary to their current role.
Adopt strong password and authentication measures (e.g. multi-factor authentication, biometric authentication, etc.) to avoid unauthorised access to services, systems or the data therein.
Conduct regular security risk assessment and audit to review and identify any risks in data protection and take timely mitigation measures.
Data Encryption and Disposal
Enforce encryption of sensitive data in transit and at rest using strong, current protocols and algorithms (e.g. Transport Layer Security for data in transit).
Implement key management services, such as a hardware security module (HSM) or an enterprise key management system, to properly create, store and exchange the cryptographic keys used for data encryption.
Properly erase sensitive data from storage devices before disposal (e.g. by degaussing or physically destroying the storage media).
User Awareness Training
Arrange regular training sessions / drills for users at all levels (from senior management to front-line staff) to raise their awareness of information security, including the importance of data protection.
Remind users to report any suspicious emails or websites to the responsible party in their organisation for necessary action.
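As an added example (not from the original page) of the "detect suspicious data flows" measure above, the following runs three simple detections over a constructed outbound proxy log: uploads to file-sharing or paste sites the organisation has not sanctioned, large transfers outside business hours, and a per-user daily egress volume above a limit. The user names, hosts, the internal domain example.com, the unsanctioned host list and the thresholds are all assumptions made for the illustration; in practice the thresholds would be tuned from a baseline of normal traffic.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample outbound proxy log (hypothetical users and hosts, not
# real traffic): UTC timestamp, user, destination host, bytes sent.
SAMPLE_LOG = """\
2019-06-03T09:12:04Z alice files.example.com 18234
2019-06-03T09:40:51Z bob crm.example.com 9120
2019-06-03T13:05:17Z alice mail.example.com 41208
2019-06-03T23:47:02Z bob transfer.anon-share.net 734003200
2019-06-03T23:52:38Z bob transfer.anon-share.net 612368384
2019-06-04T02:10:00Z carol crm.example.com 3210
2019-06-04T10:22:19Z carol pastebin.com 15872
"""

INTERNAL_SUFFIXES = (".example.com",)        # the organisation's own hosts (assumed)
UNSANCTIONED_HOSTS = {"transfer.anon-share.net", "pastebin.com"}
DAILY_EGRESS_LIMIT = 200 * 1024 * 1024       # bytes per user per day (assumed baseline)
OFF_HOURS_MIN_BYTES = 1024 * 1024            # ignore small off-hours requests
BUSINESS_HOURS = range(8, 19)                # 08:00 to 18:59


def parse_log(text):
    """Yield (timestamp, user, host, bytes_sent) for each log line."""
    for line in text.splitlines():
        stamp, user, host, sent = line.split()
        yield datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), user, host, int(sent)


def detect_exfiltration(text):
    """Return a sorted list of (rule, user, detail) alerts for the log text."""
    alerts = set()                            # a set so repeated events give one alert
    egress_per_day = defaultdict(int)
    for when, user, host, sent in parse_log(text):
        if host.endswith(INTERNAL_SUFFIXES):
            continue                          # internal traffic is out of scope here
        egress_per_day[(user, when.date())] += sent
        if host in UNSANCTIONED_HOSTS:
            alerts.add(("unsanctioned-destination", user, host))
        if when.hour not in BUSINESS_HOURS and sent >= OFF_HOURS_MIN_BYTES:
            alerts.add(("off-hours-transfer", user, host))
    for (user, day), total in egress_per_day.items():
        if total > DAILY_EGRESS_LIMIT:
            alerts.add(("egress-volume", user, "%s: %d bytes" % (day, total)))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, user, detail in detect_exfiltration(SAMPLE_LOG):
        print("%-24s %-6s %s" % (rule, user, detail))
```

Volume alone is a weak signal (a legitimate backup job also moves a lot of data), which is why the example combines it with destination reputation and time of day; an investigation would start from the user and day that trip more than one rule.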

Respond to Incident

When a data breach has occurred, the company should consider the following actions to respond to the incident effectively:

1. Gather Information and Contain the Breach
Identify the source of data breach and gather relevant information (e.g. when, where and how the breach happened) for assessing the impact of the breach.
Block access to the affected data immediately to prevent further loss.
Take the affected systems or services offline and suspend the user accounts suspected to be involved in the incident.
Remove the leaked data (e.g. copies on external hosts) or access to it (e.g. links to the leaked data) by contacting the relevant parties, such as Internet service providers, administrators of the websites, forums or search engines concerned, and authorities such as national computer emergency response teams.
Report the case to the police if any criminal activity is involved. Submit a data breach notification to the Office of the Privacy Commissioner for Personal Data if breach of personal data is involved.
Seek advice from the Hong Kong Computer Emergency Response Team Coordination Centre on incident response and recovery, if necessary.
2. Perform Assessment Associated with the Breach
Assess the risks and impact resulting from the breach.
Conduct an investigation to collect evidence such as logs, audit trails and system reports to determine the extent of the breach.
Check whether personal data or commercial data is involved and evaluate the damage caused to the business and its clients.
Determine whether external technical assistance is needed to remediate the vulnerabilities that were exploited.
3. Notify Affected Individuals
Notify the affected individuals as soon as possible. Provide relevant information about the breach and advice on actions (e.g. change account password) that the parties can take so that the potential impacts (e.g. information being misused) of the breach can be mitigated.
Make proper responses to any public or press enquiries.
4. Post Incident Evaluation
Investigate the root cause of the breach and consider taking remedial actions to avoid recurrence of data breach incident.
Make practical recommendations on improvements, taking into account the findings of the investigation, for example:
Improve the handling process of sensitive data.
Review users’ access rights setting of sensitive data.
Assess the IT security and implement protective measures against unauthorised access to sensitive data.
Conduct an audit to ensure the recommendations have been implemented.

Extended Readings

2. National Institute of Standards and Technology (NIST) - Data Confidentiality: Detect, Respond to, and Recover from Data Breaches
3. Information Systems Audit and Control Association (ISACA) - Data Breach Preparation and Response in Accordance With GDPR
4. Department for Digital, Culture, Media and Sport (DCMS) - Cyber Security Breaches Survey 2020
5. Office of the Australian Information Commissioner (OAIC) - Data breach response plan
6. Privacy Commissioner for Personal Data (PCPD) of Hong Kong - Guidance on Data Breach Handling and the Giving of Breach Notifications
