Q&A
What is typically exposed in a data breach incident?
Information that might be stolen or unintentionally exposed to unauthorized viewers includes documents relating to a company's financial dealings, confidential customer data, or a personal medical history.
In a data breach attempt, malicious hackers will often seek to steal personally identifiable information (PII) such as:
- Names
- Social Security numbers
- Home addresses
- Dates and places of birth
- Driver's license numbers
- Passport numbers
- Bank account numbers
Cybercriminals can use PII to commit identity theft, make illegal purchases with stolen credit card numbers, and steal money from financial accounts. Or they can sell this sensitive data to others, usually on the dark web, who want to commit these crimes.
Companies may also be targeted for their intellectual property. During the global health crisis, for example, hackers were working to steal coronavirus vaccine secrets. Other types of intellectual property that malicious actors might try to steal are research, product designs, and source code. The loss of this data could be very costly for a business.
These malicious actors might be state sponsored, hired by a company's competitor, or independent opportunists. Government agencies are top targets for state-sponsored hackers.
How does a data breach happen?
Data breaches can occur in many ways and for many reasons. In general, malicious actors who want to set up and carry out an attack will:
- Conduct research.Malicious actors can spend many hours researching their targets. They want to figure out what employees or systems they can potentially exploit and learn whether the targeted data is stored in the cloud, on a hard drive, or on a server in a data center.
- Choose their attack method.Based on what they learn from their research, malicious actors will decide whether to launch a direct, network-based attack that targets IT infrastructure weaknesses, or execute a campaign that relies on social engineering. Social engineering aims to trick a user into enabling data-stealing malware to enter the company's network or providing direct access to sensitive data.
- Extract the data.This process is also known as data exfiltration. Once an attacker gains access to the data, they will copy, transfer, or retrieve it from a computer or server. This can be accomplished remotely using malware. Data exfiltration often is carried out gradually so that information leaving the network can be concealed in normal traffic.
How does a malicious insider differ from an external attacker?
If the malicious actor is an insider, they might employ similar methods as an external attacker. Or they might abuse their or others' privileged access to data—for example, by stealing a colleague's legitimate login credentials to access sensitive files from a cloud-based system. An insider might send the compromised information to their personal email address, a cloud storage account, or a portable storage device like a thumb drive.
A "negligent insider" can also cause a data breach. This insider could be an employee or contractor who doesn't follow good cyber hygiene in their workspace, for example by using weak and easy-to-guess passwords like 12345. A negligent insider might also download and then fail to secure sensitive company or customer information on a personal mobile device like a laptop.