What is a data breach?
Discover how to identify a data breach, along with prevention and response strategies to keep your organization protected.
Data breach defined
A data breach is a data security incident in which private information or confidential data is stolen or taken from a system without the owner's knowledge or permission. It can happen to an organization of any size—from small businesses and large enterprises to government entities and non-profits—and involves gaining access to personal data such as social security numbers, bank accounts, financial data, healthcare information, intellectual property, and customer records. Data breaches can occur intentionally or unintentionally, and through internal or external acts.
Data breaches can result in serious, lasting problems including damaged reputation, financial loss, disruptions in operations, legal ramifications, and loss of intellectual property. Today, many organizations implement cybersecurity best practices to help prevent data breaches.
Types of data breaches
Although data breaches are often conflated with cyberattacks, the two terms are not interchangeable. A cyberattack can target any connected device, and sensitive data may or may not be exposed; a data breach exclusively involves the disclosure, alteration, or destruction of sensitive information.
Here is a list of some of the most common types of data breaches:
External data breaches
This type of breach is a security incident in which an attacker outside the organization steals its data.
- Hacker cyberattacks: Gaining unauthorized access to a device, network, or system in order to damage or exfiltrate data.
- Phishing and social engineering: Sending fraudulent communications that appear to come from a reputable source to trick victims into revealing personal information.
- Ransomware: Threatening a victim by destroying, illegally disclosing, or blocking access to critical data or systems until a ransom is paid.
- Malware: Damaging or disrupting the normal use of endpoint devices through malicious applications or code, in turn rendering data unavailable.
- DDoS: Targeting websites and servers by disrupting network services to exhaust an application’s resources and sabotage data.
- Business email compromise (BEC): Emailing someone to trick them into sending money or divulging confidential company info.
Internal data breaches
These breaches originate within the organization by people with authorized access to data.
- Insider cyberthreats: Current employees, contractors, partners, and authorized users who maliciously or accidentally misuse their access, resulting in potential data security incidents.
- Accidental data exposure: Inadequate security measures, human error, or both that result in a security incident.
Common data breach targets
When cyberattackers steal information, the motive is typically financial gain. Although any individual or organization is at risk of a data breach, some industries are targeted more than others because of the nature of their business, including government, healthcare, business, education, and energy. Weak security measures also make for prime data breach targets; these include unpatched software, weak password protection, easy-to-phish users, compromised credentials, and a lack of email encryption.
Some of the most common types of information that cyberattackers target include:
- Personally identifiable information (PII): Any information that represents the identity of a person, such as name, social security number, date and place of birth, phone number, email address, and home address.
- Protected health information (PHI): Electronic and paper records that identify a patient and their health status, history, and treatment. This may include demographic data, personal information, medical records, health insurance, and account numbers.
- Intellectual property (IP): Intangible assets of human intellect, such as patents, copyrights, trademarks, franchises, trade secrets, and digital assets. Examples include company logos, music, computer software, inventions, domain names, and literary works.
- Financial and payment data: Any personal and financial information collected from payments, such as credit or debit card numbers, payment activity, individual transactions, and company-level data.
- Business-critical data: Any information that is essential to the success of a business, including source code, business plans, merger and acquisition files, as well as data that must be kept for regulatory and compliance reasons.
- Operational data: Data that is crucial to an organization’s day-to-day operations. This may include financial statements, legal documents, batch files, invoices, sales reports, and IT files.
The impact of data breaches
Data breaches can cause costly, time-consuming, and long-term damage whether you’re an individual, business or government organization. For businesses, data breaches can damage their reputation and destroy customers' trust, sometimes causing a lasting association with the incident. They can also have substantial effects on the bottom line from business loss, fines, settlements, and legal fees.
Government organizations may experience ramifications from leaked military information, political strategy, and national data to foreign entities, posing a major cyberthreat to a government and citizens. Fraud is one of the most common cyberthreats for individual data breach victims, which could potentially ruin credit scores, pose legal and financial problems, and compromise your identity.
Real-world data breaches and their financial repercussions
Web services provider
From 2013 to 2016, a large American web services provider was the target of what is widely considered the largest data breach on record. Hackers gained access to all 3 billion users’ names, birthdates, phone numbers, passwords, security questions and answers, and email addresses through a series of emails containing a link. The extent of the leak wasn’t public until the company was acquired, and its disclosure reduced the purchase offer by $350 million.
Credit bureau
Hackers breached an American credit bureau in 2017, stealing the personal data of more than 147 million Americans. Today, it’s considered one of the largest cybercrimes related to identity theft. The cyberattackers gained access to the network before moving on to other servers to access personal information, including social security numbers, driver’s license numbers, and credit card numbers. In the end, it cost the company $1.4 billion in fines and fees to repair the damage.
Retail company
The parent company of two large retail chains suffered a consumer data breach in 2007, which was considered the largest and most financially damaging breach in U.S. history at the time. Hackers accessed customer data by illegally accessing a store’s payment systems, making off with nearly 94 million compromised customer records and causing more than $256 million in financial loss.
The lifecycle of data breaches
Every data breach follows a lifecycle that consists of five phases. Understanding these phases can help you implement preventative measures that may mitigate your risk of a data breach.
- Reconnaissance and vulnerability scanning
The lifecycle of a data breach begins when a cyberattacker discovers a security weakness in the system, individual, or organization they intend to attack. They then determine the right strategy for that type of vulnerability.
- Initial compromise
In a network-based cyberattack, they exploit weaknesses in their target’s infrastructure. In a social cyberattack, they send a malicious email or use some other social engineering tactic to instigate a breach.
- Lateral movement and privilege escalation
Lateral movement is the part of the lifecycle where the cyberattacker moves deeper into the network after initial access. Then, they use techniques to advance their privileges, known as privilege escalation, to achieve their goals.
- Data exfiltration
This is a form of security breach that involves intentional, unauthorized copying, transfer, or movement of data from a computer, device, app, service, or database.
- Covering tracks
The final stage of the data breach lifecycle is covering tracks, in which the cyberattacker hides evidence of the intrusion to avoid being discovered. This may involve disabling auditing features, clearing logs, or manipulating log files.
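As an added example that is not part of the original page, the following Python detector flags the track-covering indicators named in the last phase: audit policy changes, log clearing, unexplained silences, and out-of-order timestamps. The pipe-delimited log format and the sample events are constructed for this example; the event IDs mirror the Windows Security log IDs for the same events.

```python
"""Flag log-tampering indicators in a stream of audit events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event IDs mirror Windows Security log IDs: 1102 = audit log cleared,
# 4719 = system audit policy changed. 4624 (successful logon) is ordinary activity.
TAMPER_EVENT_IDS = {1102: "audit log cleared", 4719: "audit policy changed"}


@dataclass
class Finding:
    kind: str          # "tamper_event", "gap" or "out_of_order"
    timestamp: datetime
    detail: str


def parse_line(line: str) -> tuple:
    """Constructed format: ISO timestamp | host | event id | message."""
    ts, host, event_id, msg = line.split("|", 3)
    return datetime.fromisoformat(ts), host, int(event_id), msg


def detect_tampering(lines, max_gap=timedelta(minutes=30)):
    """Return findings for explicit tamper events, silences longer than
    max_gap, and timestamps that run backwards (a sign of edited logs)."""
    findings, last_ts = [], None
    for line in lines:
        ts, host, event_id, msg = parse_line(line)
        if event_id in TAMPER_EVENT_IDS:
            findings.append(Finding("tamper_event", ts, f"{host}: {TAMPER_EVENT_IDS[event_id]} ({msg})"))
        if last_ts is not None:
            if ts < last_ts:
                findings.append(Finding("out_of_order", ts, f"{host}: earlier than previous event {last_ts.isoformat()}"))
            elif ts - last_ts > max_gap:
                findings.append(Finding("gap", ts, f"{host}: {ts - last_ts} of silence before this event"))
        last_ts = ts
    return findings


# Constructed sample: a service account changes audit policy, clears the log,
# then the log goes quiet and later contains an out-of-order entry.
SAMPLE_LOG = [
    "2024-05-01T09:00:00|SRV01|4624|logon user alice",
    "2024-05-01T09:05:00|SRV01|4624|logon user svc-backup",
    "2024-05-01T09:06:00|SRV01|4719|audit policy changed by svc-backup",
    "2024-05-01T09:07:00|SRV01|1102|audit log cleared by svc-backup",
    "2024-05-01T10:30:00|SRV01|4624|logon user bob",
    "2024-05-01T10:20:00|SRV01|4624|logon user bob",
]

if __name__ == "__main__":
    for f in detect_tampering(SAMPLE_LOG):
        print(f.kind, f.timestamp.isoformat(), f.detail)
```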
Identifying and responding to data breaches
Detection and quick response are critical to minimizing damage from a data breach. Any delay in the investigation process can hurt your business and bottom line, making every minute critical. There are seven basic steps in identifying and responding to a data breach:
- Identify the type of data breach
Leads include a search for security vulnerabilities, a breach of the general network, or a cyberattack notification. An indicator means a breach has already occurred or is in progress, often detected through suspicious emails or login activity. A breach can also occur internally when departing employees commit data theft.
- Employ immediate precautions
Record the date and time of identification. Then report the breach to internal parties and restrict access to the affected data.
- Collect evidence
Speak with the individuals who identified the breach, check your cybersecurity tools, and assess data movements in your apps, services, servers, and devices.
- Analyze the breach
Examine traffic, access, duration, software, data and people involved, and the type of breach.
- Take restriction, destruction, and recovery precautions
Move quickly to restrict access to servers and apps, prevent destruction of evidence, and initiate recovery of servers to their former states.
- Notify stakeholders
Notify stakeholders and law enforcement about the breach.
- Focus on protective measures
Study the breach to create new insights for preventing future breaches.
Tools for data breach detection and response
Specific tools help you monitor alerts and act quickly against data breaches, spanning protection, response, and data security:
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor all network traffic and detect signs of possible cyberthreats.
- Security Information and Event Management (SIEM) helps organizations detect, analyze, and respond to security cyberthreats before they harm business operations.
- Incident response planning and execution implements access control, an essential step in security operations.
- Cybersecurity professionals specialize in incident response, developing procedures, performing audits and identifying vulnerabilities.
- Data security solutions including Data Loss Prevention and Insider Risk Management can help detect critical data security risks before they evolve into real incidents.
- Adaptive Protection can automatically apply strict security controls to high-risk users and minimize the impact of potential data security incidents.
Preventing data breaches
Developing plans and policies to prevent data breaches and reduce the damage they cause is key for any organization. These may include a comprehensive incident response plan with detailed procedures and a dedicated response team, along with ways to keep operating and recover in the event of an incident.
One way to test your organization’s crisis management strengths and weaknesses is with tabletop exercises, which are data breach simulations. Finally, collaboration among internal and external stakeholders is a powerful tool to stay informed, gather insights, and work together toward a more secure organization.
Whether you are a small business, large enterprise, government organization, or nonprofit, here are effective measures that can work for almost any organization:
- Strong access controls
- Frequent, mandatory security training for employees
- Encryption and data masking techniques
- Patch management and vulnerability assessment
- AI and machine learning for data security
- Zero Trust architecture
- Information protection
- Data loss prevention (DLP) solutions
- Insider risk management
- Biometric or two-factor authentication (2FA)
Get data breach prevention, detection, and response tools for your organization with Microsoft data protection tools, which can:
- Keep your organization up to date with the latest data security solutions and best practices.
- Save your organization from costly and lasting damages.
- Protect against major cyberthreats to your reputation, operations, and bottom line.
Learn more about Microsoft Security
Information protection and governance
Safeguard data wherever it lives. Help protect sensitive data across clouds, apps, and devices.
Microsoft Purview
Learn more about governance, protection, and compliance solutions for your organization’s data.
Microsoft Purview Data Loss Prevention
Get intelligent detection and control of sensitive information across Office 365, OneDrive, SharePoint, Microsoft Teams, and endpoints.
Microsoft Purview Data Lifecycle Management
Meet your legal, business, privacy, and regulatory content obligations with built-in information governance and intelligent capabilities.
Microsoft Purview Information Protection
Understand what data is sensitive and business critical; then manage and protect it across your environment.
Microsoft Purview Insider Risk Management
Quickly identify and take action on insider risks with an integrated end-to-end approach.
Frequently asked questions
- A data breach means someone has accessed sensitive data or personal information without authorization, either accidentally or maliciously.
- Examples of data breaches include a cyberattack to access customers' information, a third-party hacker creating a site that mimics a real site, or an employee accidentally downloading a file that contains a virus.
- A data breach is a security violation that exploits sensitive information. Hacking is gaining access to networks or devices and compromising those systems.
- If you have a data breach, you’re at risk of theft, fraud, and a host of long-term problems. It’s important to take immediate action by responding to the cyberattack and protecting against further damage.
- Visit the company website in question, consult a credit monitoring agency, or run a check on a third-party website that can scan for data breaches. It’s also important to monitor any accounts and files for suspicious activity.
- Data breaches occur when there is a vulnerability in a network, device, or system. This may involve weak passwords, social engineering, unpatched applications, insider risks, and malware.