A data breach can happen to any company. Statistically, it will most likely happen at some point. Businesses are increasingly digitised, and more and more devices are recording, processing and storing data. Knowing the different attack windows and vectors is important, so that proper protections can be implemented. Equally important is that organisations know what to do when a data breach occurs.
What counts as a data breach?
A data breach is any event in which unauthorised persons gain access to data. Data breaches often, but not always, involve the loss, leak or theft of personal data. In Germany, the term is used colloquially to mean just that: theft of data. The General Data Protection Regulation (GDPR), however, speaks of a "personal data breach", that is, a failure to protect personal data, whether or not anyone actually stole it.
Data breaches have many different causes. Where a breach is a theft, an attacker is by definition involved: an internal or external person or group acting deliberately to obtain sensitive information, typically by exploiting a technical vulnerability or user behaviour to gain unauthorised access.
Data breaches also occur during ransomware attacks. Many ransomware groups no longer simply encrypt data to deny access to it. Once they have gained initial access to the victim network, they use malware and administrative tooling to locate and exfiltrate sensitive data before encrypting it, and then threaten to publish what they took (so-called double extortion). A business is more likely to pay the ransom when it knows its data has been stolen.
Many breaches are also due to unintentional causes. For example, when an employee loses a device containing sensitive information or sends an email containing personal data to the wrong distribution list.
Across malicious and accidental causes, data breaches can be divided into three categories:
- Unintentional data breach: This can be as simple as an employee allowing a colleague to look over their shoulder to explain something while another window displaying protected information is inadvertently left open. Another example is an employee losing an unencrypted USB stick that is found and accessed by someone who has no rights to view the information.
- Insider attack: Insiders are people who have authorised access to the company’s systems and/or protected data. They act deliberately to damage the company and pass on or sell the data.
- Attack by an external party: Threat actors use a wide range of tactics to intrude into company systems and access information. Common ones include phishing, in which an employee is tricked through social engineering into handing over credentials or data, and attacks on web applications, for example SQL injection.
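To make the SQL injection vector concrete, here is an added example (not code from the original article or from FTI Consulting) that puts a vulnerable lookup next to its hardened form. It runs against an in-memory SQLite database with constructed sample users; the table layout, the function names and the payload are assumptions chosen for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from any real system.
USERS = [
    ("alice", "alice@example.com", "staff"),
    ("bob", "bob@example.com", "admin"),
]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory user table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the user-supplied value is spliced straight into the SQL text,
    so a crafted value changes the structure of the query itself."""
    query = f"SELECT name, email, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value travels as a bound parameter and is only ever
    compared as data, never interpreted as SQL."""
    query = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# A classic tautology payload: the closing quote ends the intended literal and
# the appended OR makes the WHERE clause always true.
PAYLOAD = "x' OR '1'='1"


def demo() -> tuple:
    """Return (rows leaked by the vulnerable query, rows returned by the safe one)."""
    conn = setup_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)  # every user row comes back
    safe = lookup_safe(conn, PAYLOAD)          # nobody is literally named "x' OR '1'='1"
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the hardened version does not try to filter or escape the input; it changes where the input goes. Parameter binding is the control that removes this class of bug, and the same pattern applies to every database driver and ORM.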
Data breaches by external persons often follow a pattern of seven phases.
The cyber kill chain model (originally published by Lockheed Martin) describes the process threat actors typically follow, so that organisations can recognise and disrupt an attack at each stage rather than only at the end. The seven phases are:
- Reconnaissance: The attacker researches the organisation and collects information on its people, technology and exposed systems to identify weaknesses. This can include active scanning to find an entry point for the attack.
- Weaponisation: Using what was learned during reconnaissance, the attacker prepares a payload suited to the target, e.g., a malicious document or exploit bundled with malware, and tailors it to evade the organisation's defences.
- Delivery: The attacker transmits the payload to the target, most commonly through an everyday channel such as a phishing email.
- Exploitation: The payload triggers a vulnerability in a system, application or user behaviour, and the attacker's code runs on a machine inside the organisation.
- Installation: The attacker establishes persistent, hidden access to the system or network, otherwise known as a backdoor, so that access survives a reboot or a closed session.
- Command and Control: The compromised system connects back to infrastructure controlled by the attacker, who can now issue commands remotely. From this foothold the attacker typically harvests credentials, escalates privileges and moves laterally to further systems.
- Actions on Objective: Operating undetected, the attacker pursues the actual goal; in the case of a data breach, this means locating and exfiltrating sensitive data from the organisation's network.
More details on the process of a cyber attack, including specifics for each phase, can be seen in this matrix.
Regardless of whether it is via an employee or an external perpetrator, if data has been leaked, action must be taken quickly.
What to do in the event of a data breach?
If a data breach occurs, there is significant risk both for those affected and for the organisation that was breached. Depending on the type of breach, the methods used and the extent of the information compromised, the organisation will likely be required by the GDPR or other regulations to notify the appropriate authorities and the individuals impacted. If the breach was the result of an attack, the incident must be investigated, analysed and contained so that it does not recur.
Organisations are also obliged to document the details of the breach. This includes recording the facts as they become known, the systems and data affected, and preserving evidence (for example logs and images of the affected systems) before anything is wiped or rebuilt. The documentation must also clearly state which remedial measures have been or will be taken, so that they can be demonstrated to regulators or to courts if the breach results in legal action.
Next, legal, security, compliance and other stakeholders must assess the risk of the incident. The assessment should examine the overall and specific impacts the organisation can expect in the aftermath of the breach. This must include a crisis plan for dealing with public scrutiny and communicating the incident to the media, customers, partners, authorities and other audiences.
These incidents can cause significant damage to an organisation’s reputation, and, depending on the severity, it can take a long time for the brand and public trust to fully recover.
The risks and consequences for affected individuals must also be assessed. Different obligations will apply depending on where the breach falls on the spectrum of high risk to no risk to personal rights.
Data breach laws and notification
As mentioned earlier, if personal data has been compromised during a data breach, there will likely be obligations to notify relevant authorities and data subjects.
The GDPR applies throughout the EU and the EEA, including Germany and Austria. The handling of data breaches is regulated in Articles 33 and 34 GDPR, which require that a personal data breach be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. The exception is a breach that is unlikely to result in a risk to the rights and freedoms of the data subjects. Where the breach is likely to result in a high risk to those rights, the organisation must also inform the affected data subjects themselves without undue delay.
Under the revised Swiss Federal Act on Data Protection (FADP), there is likewise a duty to report data breaches. Breaches that are likely to result in a high risk to the personality or fundamental rights of the data subjects must be reported to the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible. The threshold is therefore higher than under the GDPR, which requires a report for any breach that is likely to result in a risk, not only a high one. The FADP also requires notification of the data subjects where this is necessary for their protection or where the FDPIC demands it.
Breach prevention measures
Simultaneously with documentation, risk assessment and reporting, organisations must analyse the incident or attack to determine which people and systems were involved. From there, remediation can begin, as can the process of improving data protection measures and incident response.
Important measures for data breach prevention are:
- Patch and update systems and applications regularly. Follow vulnerability feeds and assess whether newly published vulnerabilities affect the systems on the network; where the risk is high, e.g., an internet-exposed service with a public exploit, patch outside the normal cycle.
- Encrypt sensitive data, both at rest (laptops, removable media, backups) and in transit, so that a lost device or intercepted connection does not become a breach.
- Restrict or prohibit storage on external media or unsanctioned cloud services.
- Educate employees about social engineering, phishing and password attacks. Provide guidance on choosing strong passwords and using a password manager, run data protection training and test awareness with simulated phishing campaigns.
- Enforce strong password policies and two-factor authentication, especially for remote access and administrative accounts.
- If employees are allowed to use their own devices (bring-your-own-device) for work, take security and governance measures such as segregating company data from personal data and adopting an acceptable use policy.
- Set up an incident response and disaster recovery plan so that the organisation can react quickly and adequately in an emergency, and test it regularly rather than writing it once.
A data breach can happen in many different ways and to any business. Companies should prepare for the worst-case scenario as part of their overall incident response and disaster recovery planning.
Once a data breach has happened, it is important to document the incident, assess the risk, report what occurred and fix the security vulnerabilities. This way, organisations can reduce the impact for everyone involved and strengthen their resilience against future incidents.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.