Was it the result of hackers, or just a company oversight?
You hear it every week: a social media company, bank, healthcare company, or gaming company suffered a data breach. But what does that actually mean?
Every data breach is different. But there are two important categories of data breach, and which one you’re dealing with affects whether or not it will lead to negative consequences. Was the breach intentional or accidental?
An intentional data breach refers to an incident where a hacker, malicious actor, or even state-sponsored group attacked a company for the purposes of leaking or stealing information.
An accidental data breach is a little more self-explanatory: it wasn’t the result of a bad actor. Usually, data is left out in the open, so there’s a chance it could be collected by scammers and criminals.
Let’s go through each one in more detail.
The intentional breach
Cause: A Hacker.
If you think of some of the more well-known data breaches, such as Target, Equifax, and Capital One, they’re nearly always the result of a hacker getting into a company’s system (or finding their way in via a third party). Just recently, hackers infected Macy’s website and stole credit card data from customers making purchases during a period of time in October.
Why hackers target a certain company or steal a specific set of data can vary. Here are a few of the reasons:
- They find a vulnerability in a company’s website and decide to exploit it.
- They can use the stolen data themselves to carry out further attacks on targets found within it.
- They can sell the stolen data on the dark web or on hacker forums.
- They might have been working on behalf of another government, in which case, motives and consequences are much harder to discern.
What’s done with the stolen data can also depend on the company and type of data involved. Hackers stealing credit card info, for example, can use that data to make unauthorized purchases, or they may sell it to others looking for stolen credit card data. A hacked financial firm may give up valuable Social Security numbers, date of birth info, and addresses, which can be used for identity theft. Even email and password data can be used to get into different accounts, given the prevalence of password reuse, or spammers can use it to increase the number of emails sent out as part of a phishing campaign.
Whatever the reason, this kind of data breach warrants significant action. Change your passwords, add additional security measures to the affected account, and scrutinize any emails that have any relation to the hack or the company.
Hackers may impersonate the hacked company using stolen details, or other scammers may take advantage of the widely known hack and spam people with phishing campaigns pretending to be the hacked company.
The accidental data breach
Cause: Oversight or negligence.
A data breach that wasn’t the result of a hacker is often called a leak or an exposure. For example, Adobe recently had a database exposure of 7.5 million account records. In most cases, this kind of breach is discovered by security researchers looking for publicly available information that should’ve been privately secured by companies.
This kind of data breach can occur if a company fails to secure a server, a cloud database, or some other form of data storage, leaving it accessible to anyone with an internet connection, without any form of authentication such as a login or password.
In these cases, security researchers usually give a company time to put some security controls on the database, take it offline, or migrate it to a private server. By the time the leak is disclosed publicly, usually via the press, the data is no longer accessible.
However, there are cases where the disclosure is made public before any action is taken. This is usually the case if a security researcher contacts a company but doesn’t hear back, is met with pushback, or if too much time passes. Making the leak public is in everyone’s best interest, as the risk of reputational consequences can spur a company to take action.
Because the data was publicly available and it’s often difficult to discern how long the information was out there, it’s hard to know whether any other party, hacker, or bad actor was able to access the data before it was taken down. Often, companies will make statements about whether or not any “unauthorized” person(s) had access to the data.
This can be comforting, especially if the server was taken down before the disclosure was publicly made. However, that doesn’t mean you should ignore it. You should still change your password and be on the lookout for any suspicious behavior on or related to your account.
Be in the know
These descriptions should show you the major differences between different data breaches and will also help you understand how severe a given data breach is. Mass media doesn’t often get into the details and doesn’t clearly articulate the severity of a data breach, so knowing the differences will help.
It’s important to remember that if a bad actor did steal your information, it may be months or years down the line before they do anything with it. The same is true if they sell the information to another scammer or hacker. Be proactive and take the steps we recommended above. That makes you a more difficult target for scammers and hackers, in which case, they might just ignore you, which means you’re relatively safe (for now).