This comprehensive guide explains what a data breach is, its types and examples, a data breach response plan template, and the top service providers that handle breaches:
“In July 2019, nearly 6.2 million email IDs were exposed through the Democratic Hill committee (for the United States Senate) because of a poorly configured AWS S3 storage bucket!”
“In September 2018, British Airways faced a data theft of approximately 380K customer records containing full bank details!”
You must have heard of such massive data breaches time and again in the news. However, it shouldn’t be all that surprising. With technological advancements, more and more information is floating around in this digital world. Consequently, cyberattacks have become increasingly common and expensive.
Data breaches impact businesses and customers in several ways. According to a study, on average, repairing a data breach costs a company $148 per stolen record. And this is not just a loss of money, but also a huge loss of reputation. So, organizations have to be vigilant about their data security measures.
In this tutorial, we will walk through the Data Breach phenomenon and all the things that you should be aware of to protect the confidential information from getting leaked.
What Is A Data Breach
A data breach is an intentional or unintentional security incident in which secure, protected, sensitive, or private/confidential information is accessed without authorization or is released to an untrusted environment.
At times, it is also referred to as data leak, data spill, information leakage, or unintentional information disclosure.
ISO/IEC 27040 defines a data breach as a compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed.
Data leaks may include financial data like bank account details or credit card details, PHI (Protected health information) data like medical history, test results, insurance information, etc., PII (Personally Identifiable Information) data like SSN, mailing address, email ids, phone number, etc., trade secrets like formulas, practices, designs, processes, etc., or intellectual property.
It may involve instances of theft or loss of digital media such as hard disk, pen drive, or laptops/PCs where information is stored in unencrypted form.
It may also involve publishing such information on the internet, keeping it on a computer that is reachable from the internet without proper information security measures, or transferring it from one system to another without proper security.
Examples are sending it by unencrypted email, or sending such sensitive information to a potentially hostile organization like a competing firm or a foreign country, where it may be subjected to further exhaustive decryption attempts.
Our Recommended DLP Tools
#1) ManageEngine Endpoint DLP Plus
With Endpoint DLP Plus, enterprises get an integrated data loss prevention tool capable of protecting sensitive data on all managed devices. It is great at tackling both data theft and data leakage scenarios.
It is efficient at detecting and classifying sensitive business data, regardless of whether that data is structured or unstructured. It then lets users leverage granular settings to define and enforce protocols that control the access and transfer of data.
#2) LifeLock
LifeLock is an identity theft protection service. Norton 360 with LifeLock gives you all-in-one protection for your identity, devices, and online privacy. Norton and LifeLock have now become one company.
The solution offers functionality to block cyber threats, detect threats and alert you through text, email, phone, and a mobile app, resolve ID theft issues, and reimburse funds that were stolen.
Types Of Data Breaches
Enlisted below are the most common types of data leaks:
#1) Ransomware: Ransomware is a type of breach in which an attacker gains unauthorized control of your computer or mobile device and locks you out of it.
The attacker then demands that the individual or organization pay a sum of money to restore the data and give access back, failing which they will delete or publicize the data. Generally, this type of attack targets time-sensitive business systems like hospitals.
Some notable examples of ransomware are Reveton (its payload deceptively asked users to pay a fine to the Metropolitan Police Service) and CryptoLocker (which encrypted files and threatened to delete the private key unless a payment in Bitcoin or a prepaid cash voucher was made within a certain period).
#2) Denial-of-Service: A DoS attack is usually carried out by swamping the targeted system with excessive requests to overburden it and block some or all legitimate requests from being completed.
This type of attack mostly targets high-profile businesses like banks, payment gateways, and online shopping websites in order to disrupt trade.
#3) Phishing: This is a deceitful attempt in which the attacker leads users to supply personal information like credit card details, bank account details, or any other sensitive information at a fake website that looks like a legitimate site.
It is carried out through email spoofing or instant messaging. There are three main types of phishing attacks: spear phishing, whaling, and clone phishing.
#4) Malware: This is malicious software designed with the intent to damage a computer system or network. It exists in various forms like computer viruses, trojans, worms, spyware, adware, etc. The purpose of malware is to steal sensitive data or disrupt business operations.
#5) Password attacks/Password guessing: This usually happens through brute-force attacks in which a password is repeatedly guessed and each guess is checked against an existing cryptographic hash of the password. Weak passwords are at risk of being cracked easily.
Once the password is cracked, the hacker gets access to the sensitive data present on your machine or web account.
#6) Insider threat: This threat comes from employees within your company. They know how the organization operates and have inside information with regard to the company’s security practices, business strategy, computer systems, and sensitive data.
This malicious threat may include fraud, theft of sensitive data, theft of intellectual property, or disruption of computer systems.
#7) Stolen Information: Having an employee accidentally leave a computer, file, or company phone unattended or unlocked puts these assets at risk of being stolen or misused, which could compromise confidential and sensitive data.
Data Breach Examples
Given below are the examples of some of the top data breaches that happened in the year 2019:
#1) October 2019: Social Media Profiles Data leak
Number of affected Records: 4 Billion
This is one of the biggest data leaks ever, exposing 4 billion records of PII data belonging to 1.2 billion people on an unsecured Elasticsearch server, as discovered by Diachenko and Troia. The leaked data included names, email IDs, telephone numbers, and LinkedIn and Facebook account information.
#2) July 2019: Orvibo Leaked Database
Number of affected Records: 2 Billion
Rotem and Locar detected an open database connected to Orvibo Smart Home products, putting more than 2 billion records at risk. The affected users were from around the world. The exposed data included email IDs, passwords, geolocations, smart device details, IP addresses, user names, and account reset codes.
#3) July 2019: First American Data Breach
Number of affected Records: 885 Million
This data leak happened at First American Financial Corp in the U.S. It exposed the bank transaction details of 885 million people. The records were publicly available without any authentication and contained bank account numbers, bank statements, SSNs, tax records, transaction receipts, etc.
Some other data leak examples include:
- TrueDialog Data Breach: >1 Billion Records
- Verifications.io Data Breach: 808 Million Records
- Dream Market Breach: 620 Million Records
- 3rd Party Facebook Application Data Exposure: 540 Million Records
Recent Data Leaks
Enlisted below are a few breaches that happened recently in 2022:
- IT organization Clearview AI was hacked and suffered a data breach of 3 billion records (the number of photos obtained).
- Phone accessories company Slickwraps suffered a data leak due to poor security; 377,428 records were exposed.
- Tetrad, a market analysis company, suffered a data leak of 120,000,000 records due to poor security.
- Wawa, a retail company, was hacked and suffered a data leak of 30,000,000 records.
Data Breach Response
Data breach response refers to the appropriate actions that an organization needs to take following the detection of a breach or cybersecurity threat. This function is important in shaping the outcome for a company after a breach incident.
An organization’s response should involve appropriate and comprehensive communication with employees, stakeholders, business partners, vendors, subcontractors, and customers, in addition to law enforcement and legal counsel as required.
Whenever a data leak occurs in an organization, its customers and stakeholders look for accountability. The effectiveness of a data breach response can have a long-term impact on the reputation of the company among its clients and industry.
Breach Response Plan
If a breach occurs at your company, it’s crucial to already have a plan in place to control the situation. A data breach response plan provides your organization with a comprehensive list of instructions and guidelines to follow in the case of a security breach.
A well-defined plan prepared in advance helps you act wisely in crisis mode and avoid making mistakes. It saves time and reduces stress in the event of a security breach.
When the plan is devised, it should involve all the key members of the company, including the IT teams, the PR and marketing department, the legal and compliance department, and senior members of the project board.
The goals should be set clearly, and it should be defined how each team needs to respond to a data leak. You may need to assess and improve the plan yearly or half-yearly to ensure its effectiveness.
Once you realize that a security breach has happened, the data breach response plan can be activated immediately. Your employees can follow the pre-determined steps in the plan to safeguard the services and get the business back to normal.
Elements Of A Response Plan
A data leak response plan should mainly possess the following key elements:
- Definition of breach
- Response team
- Action steps for handling the breach
- Follow-up
Definition Of Breach
The very first step while developing a response plan is to define what constitutes a data breach, i.e. what type of events will trigger the response plan. Some incidents, like a malicious email, may have very little impact on your business operations, whereas incidents like ransomware or a DoS attack may impact your business operations severely.
Though the definition of a breach may differ from one response plan to another, it normally comprises any stealing or interruption of electronic data files having confidential or sensitive data about consumers, buyers, patients, clients, or employees.
Moreover, a security breach should also include any theft (or attempted theft) of an organization’s confidential information, including patents, exclusive rights, trade secrets, and other intellectual property or official documents.
List Of Response Team Members
Once you have defined what constitutes a data leak for your organization, the next step is to form a bulletproof response team. The members in the response team will be responsible for executing the response plan if a breach occurs. These should be very trusted employees whose integrity is beyond doubt.
Your breach response team should be assembled well in advance, and the roles and responsibilities of each member should be designated to ensure end-to-end preparedness.
The size and composition of the response team will vary from company to company, as it depends upon multiple factors like the size of the company, the industry domain in which your business operates, the complexity of your business, etc.
However, generally, the response team should be made up of at least one representative from each of the following departments:
- HR
- Customer Care
- IT or Data security
- Public Relations
- Risk Management
- Legal
- Top Management/ Executive leaders
In some instances of security breaches that are too complicated to be handled by your internal response team, you may need expert help from outside your organization.
These may include outside consultants like data recovery experts, legal advisors, forensics partners, communication partners, data breach resolution providers, etc. You need to engage these external partners and secure pre-breach agreement contracts.
Action Steps For Handling The Breach
This section contains step-by-step instructions regarding what actions the response team members need to take if a breach occurs.
The action steps can be divided into two parts: The first 24 hours and the next steps.
The First 24 Hours
The first 24 hours following a breach are the most critical. The response team needs to act very fast and strategically in the first 24 hours to regain security, collect evidence, and protect your brand.
As soon as a breach is discovered, follow the below critical steps under the guidance of your legal counsel:
- Record the moment of discovery: Note down the date and time when your response plan is triggered i.e. as soon as someone on the response team is notified about the data leak.
- Alert and activate everyone on the response team, including internal as well as external members, to start executing your response plan.
- Secure the premises: Make sure that the area in which the breach has happened is secured to preserve the evidence.
- Stop additional data loss/Contain the breach: Immediately disconnect affected machines from the internet and take them offline, but don’t switch off the computers or start investigating the machines on your own until the forensic team arrives. It is very important to act immediately to limit the breach. Recover the records and stop further unauthorized activity by revoking or changing computer access permissions. Deal with vulnerabilities in physical or electronic security.
- Document everything: Don’t miss recording any details, such as who discovered the breach, to whom it was first reported, who is aware of it, what type of breach has happened, how many systems seem to be impacted, etc.
- Interview involved parties: Talk to those who noticed the breach and others who are aware of it, and record the results.
- Check notification protocols: Review the protocols that cover distributing information about the breach, so that everyone who needs to be involved is brought in at this early stage.
- Evaluate priorities and risk: This evaluation must be based upon your current knowledge about the breach. At this point, ask your forensics firm to start an in-depth investigation.
- Notify law enforcement: Carry out conversations with legal counsel & higher management and notify law enforcement if needed.
After the first 24 hours, measure your progress to confirm that your plan is on track. Subsequently, follow the next steps below.
Next Steps
- Root cause analysis: Make sure that the forensic team identifies the root cause of the data breach. They need to eradicate all the attacker’s tools and close any other security gaps. It is also very important to document when and in what way the breach occurred.
- Alert your external partners: Send notifications to the external partners on your response team and get them involved in the incident response. Involve your data leak resolution vendor to manage notifications and establish a call center.
- Continue working with forensics: Find out whether any defensive measures, like encryption, were active during the breach. Investigate all data sources to determine what information has been compromised.
- Identify legal obligations: Go through all the federal and state regulations concerning this breach and identify all bodies to which notifications are required to be sent. Make sure that you notify all concerned parties about the breach within the designated timeframe. The breach notification can be communicated through various channels like email, press release, social media accounts, the company website and blog, customer portals, or a custom website set up to share details about the breach.
- Report to upper management: Create reports that contain all the facts about the breach, along with the actions and resources required to deal with it. Share this report with top management. Also, prepare a high-level report of priorities and progress, along with issues and threats related to the breach.
- Discover conflicting initiatives: Identify any forthcoming business plans and actions that may conflict with the breach response efforts. If there are conflicts, discuss them with management and decide on postponing these efforts for a fixed duration.
Follow-Up
Evaluate the response plan and educate employees – Finally, once your response plan is fully executed and the breach has been contained, schedule a debriefing session with your response team and assess how well your organization managed its response to the data breach.
Determine the lessons learned and accordingly make any required changes or improvements to your readiness plan. Members should also explain any issues they faced along the way so that the plan can be adjusted for the future as required.
Taking the time to think through and make these changes can ensure a more efficient breach response in the future. Use the incident as a chance to retrain staff not only in their specific response roles once a breach happens, but also in their general security and privacy practices.
For example, recent Ponemon reports reveal that only 26% of corporations conduct security training courses yearly and 60% of corporations don’t require staff to retake training and courses, missing a chance to reinforce security best practices.
So, this was the data breach response plan in detail. We have also mentioned some key points to keep in mind regarding the response plan from its inception through its execution and follow-up. You can also think of it as a data breach response checklist.
Data Breach Response Checklist
Below is the checklist of key points for driving an effective breach response plan:
DO
- Closely involve C-suite members in the data breach response plan from the beginning.
- Assemble your breach response team at regular intervals to confirm end-to-end preparedness.
- Engage the right external parties early and sign a pre-breach agreement.
- Engage with the appropriate resources both domestic and overseas, as early as possible.
- Employ independent cybersecurity and forensic experts.
- Conduct response exercises not less than twice a year.
- Practice your plan – set up a schedule to implement simulation exercise regularly.
- Self-detection is the key to an effective response.
- Activate the incident response team as soon as a breach is encountered or something suspicious is noticed.
- Set up a privileged reporting and communication channel.
- Act fast in the first 24 hours following the breach.
- Stop additional data loss.
- Secure all evidence.
- Save computer logs.
- Document every small or big thing concerning the security breach.
- Determine what law enforcement and regulators you need to include.
- Your general counsel must issue an advisory on protecting privilege right at the beginning of the incident, as the preliminary forensic investigation begins.
- Find out your legal, contractual, and insurance notification obligations.
- Not all breaches need a notification. If your data was encrypted, or an unauthorized worker mistakenly accessed but didn’t misuse the data, then you may not need to notify.
- Interview personnel involved.
- Change security access keys and passwords.
- Update, audit, and test your plan quarterly to assure a successful incident response.
DO NOT
- Neglect the incident without the instructions from cybersecurity or forensic experts.
- Probe or turn off computers and affected machines.
- Run antivirus programs or utilities.
- Reconnect affected systems.
- Capture or copy data or connect storage devices/external media to affected machines.
- Go public until you know what has happened.
- Ignore local restrictions that apply to how you carry out the breach investigation.
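The checklist items “Secure all evidence” and “Save computer logs” (and the rule against copying data onto affected machines) are easier to follow with an evidence manifest. The script below is an added example, not code from the original article: it hashes copies of collected log files on the analyst’s own machine, records who collected them and when, and later verifies that nothing has changed. The file names, log contents, incident ID and collector name are constructed sample values.

```python
"""Evidence manifest for breach response: hash collected files, record chain of
custody, and verify integrity later. Added example with constructed sample data;
'INC-0001' and 'analyst.example' are placeholders, not values from the article."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large log files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths: list, collected_by: str, incident_id: str) -> dict:
    """Record name, size, hash and UTC collection time for every evidence copy."""
    entries = []
    for p in sorted(paths):
        entries.append({
            "file": os.path.basename(p),
            "size": os.path.getsize(p),
            "sha256": sha256_file(p),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"incident_id": incident_id, "collected_by": collected_by, "entries": entries}
    # Hash the canonical entry list too, so edits to the manifest itself are detectable.
    canonical = json.dumps(entries, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(canonical).hexdigest()
    return manifest


def verify_manifest(manifest: dict, directory: str) -> list:
    """Return a list of problems; an empty list means every file still matches."""
    problems = []
    canonical = json.dumps(manifest["entries"], sort_keys=True).encode()
    if hashlib.sha256(canonical).hexdigest() != manifest["manifest_sha256"]:
        problems.append("manifest entries were modified")
    for entry in manifest["entries"]:
        path = os.path.join(directory, entry["file"])
        if not os.path.exists(path):
            problems.append(f"missing: {entry['file']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['file']}")
    return problems


def demo() -> tuple:
    """Constructed scenario: two log copies are collected, then one is altered."""
    workdir = tempfile.mkdtemp()
    sample_logs = {
        "auth.log": b"Jan 10 03:14:07 srv sshd: Accepted password for admin\n",
        "web.log": b"10.0.0.5 - - [10/Jan] GET /export.csv 200\n",
    }
    paths = []
    for name, body in sample_logs.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as f:
            f.write(body)
        paths.append(path)
    manifest = build_manifest(paths, "analyst.example", "INC-0001")
    before = verify_manifest(manifest, workdir)      # expected: no problems
    with open(paths[0], "ab") as f:                   # simulate tampering with auth.log
        f.write(b"tampered\n")
    after = verify_manifest(manifest, workdir)       # expected: one hash mismatch
    return before, after


if __name__ == "__main__":
    print(demo())
```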
Data Breach Incident Response Plan Template
The image above illustrates a sample data breach response plan template. The template may vary from organization to organization; this is just one sample that you can refer to.
Enlisted below are the components of the sample data leak incident response plan:
#1) Approval Signature
#2) Introduction
[Mention the purpose of the incident response plan] [Mention the state laws with which the organization complies through this plan] [Mention what policies and procedures are included in the plan]
#3) Incident Response Team
[Mention the details of the incident response team, its size, roles, and responsibilities]
#3.1) Incident Response Contact Sheet
#4) Suspecting Or Detecting An Incident
[Mention definitions to interpret what constitutes an incident]
[Upon suspicion or detection of an incident, staff need to fill in the discovery form below and forward it to their supervisor, or as applicable]
#5) Incident Response Discovery Form
#6) Incident Assessment And Analysis
[Mention the points your company will consider when assessing the incident. Incorporate questions such as:
- Has the incident occurred inside the organization, or is it external?
- What type of incident is it?
- How severe is the incident?
- Is it possible to contain the breach?
- What evidence exists? etc.]
#7) Data Breach Incident Response Flowchart
Below is a sample breach response flowchart (for illustration purposes only):
#8) Notification
[List the entities that you need to notify in the event of a data breach, and list any other notification obligations]
#9) Customer/Employee Notice Content
[Mention what details will be given in the notification. This may include a description of the incident, the type of information compromised, the steps the company has taken to stop additional data loss, customer support numbers that clients and employees can call to obtain further information or assistance, recommendations to customers/employees to stay vigilant, any other remedies, etc.]
#10) Customer/Employee Notification Letter
Given below is a sample notification letter that illustrates the content that may be included in a data leak notification letter.
#11) Additional Policies And Procedures
[Include detailed documentation, damage/cost assessment, insurance, review and adjust, board of directors management, and reporting.]
How To Prevent Data Leaks
Given below are 21 smart tips to prevent data breaches:
- Use strong passwords that are easy to remember but hard to guess.
- Change your password every few months. Set time-outs and expiry timers on passwords.
- Don’t leave computer passwords on notes. Passwords should not be written down or stored anywhere, and attackers should not get access even to the hashed passwords.
- Employ risk management solutions to avoid deletion or loss of sensitive or important data.
- Always lock your computer when you leave your workstation.
- Don’t click on any email attachment or ad until you are sure that it’s coming from a legitimate source.
- All employees in the company must be given compliance training and strong security protocols should be implemented.
- Invest in a good cybersecurity program that can detect threats, stop malicious downloads, and prevent your data from getting compromised.
- Purchase cybersecurity insurance and evaluate the coverage regularly. This won’t directly prevent a data breach but will, of course, limit the losses incurred from one.
- Keep only the information that you need; don’t retain unnecessary records.
- Destroy data permanently before disposal.
- Minimize the number of places where you keep sensitive data.
- Keep security software up to date.
- Encryption should be mandatory for all data transmissions.
- Restrict/monitor the use of portable media or other personal electronic devices in the office.
- Practice data segmentation – This helps in slowing down attackers and limiting compromised data.
- Employ the principle of least privilege (PoLP). Each user account should have no more access than is required to perform its work.
- Enforce multi-factor authentication (MFA).
- Enforce BYOD security policies.
- Patch and update software as soon as updates are available.
- Upgrade software if it’s no longer supported by the vendor.
Data Breach Services
Data Breach Services are designed to help in the restoration efforts after a damaging security breach incident inside an organization’s IT infrastructure.
In the case of a security breach, malware, or any other type of security attack that imperils the organization’s data and systems, data breach services provide solutions to figure out the causes, retrieve lost data, and mitigate future risks, among other services.
Businesses can hire data leak service providers proactively in preparation for responding to data breaches or any possible attacks. Businesses can also reach out to these vendors after a breach incident, applying what they learned from it.
Top Data Breach Service Provider Companies
#1) Safetica
Safetica is a robust on-premise and cloud-based data loss prevention solution designed to prevent data leakage from external and internal threats. Beyond DLP alone, Safetica covers a broader area by also serving as a web content filtering, device control, email protection, and endpoint protection tool. IT administrators will have no issue deploying and getting started with the tool.
You get a ton of preconfigured policies to play with. These policies can be customized as per your organizational requirements. Add to that, you can also set real-time alerts and notifications. The tool will use this configuration to report on security incidents as and when they occur. The tool is also great with regard to the compliance and regulatory support it offers.
#2) ID Experts
ID Experts provides best-in-class data breach services rooted in its MyIDCare identity protection platform. It offers both pre-breach and post-breach services ranging from notification services, to call center services, to incident response planning, to breach websites, to privacy protection and identity protection services.
Website: ID Experts
#3) Experian
Experian offers a suite of data breach products that can help organizations both resolve and respond to data leaks quickly and efficiently. Experian also extends the support required to protect customers and employees in the event of a breach.
They offer services including incident management, notification, identity protection solutions, call-center support, and reporting.
Website: Experian
#4) Kroll
From data leak preparation and prevention, to investigation and response, to remediation and restoration, Kroll offers the full range of breach response services across many industries and geographies.
They offer services like cyber risk assessments, cyber policy review and design, endpoint detection and response, data recovery and forensics analysis, data collection and preservation, identity theft and breach notification, data breach call center, etc.
Website: Kroll
#5) TransUnion
Based on the organization’s needs, TransUnion offers various solutions for credit monitoring and identity theft protection. It also offers identity restoration services and education services that help customers protect themselves against data breaches.
Website: TransUnion
#6) Epiqglobal
Epiqglobal offers data breach response services including breach notification, contact center, strategic communications, return email tracking, and address scrubbing, credit monitoring, and ID theft restoration.
Website: Epiqglobal
Conclusion
In this tutorial, we discussed the meaning and types of data breaches along with some examples and saw how to respond efficiently. We also went through a data breach response plan in detail along with a sample template. We walked through some useful tips to prevent a data leak.
We explored some data breach services providers that help organizations in preparing for and fighting against a security breach.
A data breach is a very serious incident for any organization. In addition to a huge compromise of sensitive information, a data leak directly impacts the brand value of the company and the trust of its customers.
So, it’s advisable to take preventive measures and have a concrete breach response plan in place to deal efficiently with the breach in case it occurs.
Of course, the breach response plan may vary from organization to organization; here, we have included a basic sample of a response plan that you can refer to.
Happy Reading!!