Data breaches are confirmed incidents that may lead to unauthorized access or disclosure of sensitive, confidential or other protected data.
Data breaches typically affect protected health information (PHI), personally identifiable information (PII), intellectual property, financial data such as credit card or bank account numbers, personal data such as social security numbers or user credentials, and commercially sensitive data such as customer lists or manufacturing processes.
If any of these types of data, or similarly sensitive data, is exposed to unauthorized parties, this represents a data breach. Data breaches can damage an organization’s reputation, may result in non-compliance with regulations or industry standards, and the organization can face fines or lawsuits in connection with the data it lost.
There are many ways of measuring the magnitude of a data breach, including the number of records lost and the financial damages caused. Below are ten data breaches that were indisputably among the biggest in history.
In 2013, as security blogger Brian Krebs reported, Adobe disclosed that hackers had compromised encrypted customer credit card records and credentials for approximately 3 million user accounts. Adobe later corrected this estimate to 38 million active users. Krebs, however, discovered that in reality 150 million usernames and passwords had been breached, along with customer ID numbers and credit card numbers.
In 2018, a biometric database called Aadhaar, containing personal data belonging to more than 1 billion Indians, was made available for sale on the dark web. The data breach happened due to a data leak in a utility company owned by the Indian government. Attackers obtained personal information about almost all Indian citizens, including ID numbers, photographs, bank details, retina scans and fingerprints.
In 2019, the Australian graphic design service Canva was attacked, leaking the salted and hashed passwords, email addresses, usernames and locations of 137 million users, of whom 61 million had created a password on Canva rather than using social sign-in. The company stated that the hackers were not able to steal credit card data, but did view some files containing partial payment data.
In 2014, an attack on eBay revealed a complete list of accounts, including names, dates of birth, addresses, and encrypted passwords of 145 million users. According to the company’s statement, the breach was achieved by attackers who obtained the credentials of three office workers, gained access to the network and were only discovered after 229 days.
In 2017, Equifax, a large credit institution in the United States, stated that a vulnerable open source component on its website caused a data breach, putting approximately 148 million consumers at risk. The breach occurred in May, 2017, but was discovered only in late July. Attackers stole social security numbers, personal addresses, and some driver’s license numbers of 148 million US citizens, and credit card information of 200,000 citizens.
In 2013, a successful attack on Yahoo became the largest data breach in history. 3 billion user accounts were affected, but it took Yahoo as long as three years to discover the attack. It publicized the breach in late 2016, and asked all affected users to reset passwords and security challenges. The breach resulted in an immediate drop of 3% in Yahoo’s stock price, representing a loss of $350 million for investors.
In 2018, Facebook announced that it had stored millions of Instagram passwords in plain text format, exposed to the Internet. In 2019, another data breach discovered by TechCrunch exposed 400 million phone numbers linked to Facebook accounts. In addition to the phone numbers, attackers obtained the name, location and gender of the users.
In 2018, Marriott International announced that hackers stole the data of approximately 500 million customers of its Starwood hotel brand. The breach happened in 2014, when Marriott acquired Starwood, but was only discovered in 2018.
Attackers stole data including names, contact details, travel information and passport numbers. The company said that credit card numbers or other financial information were exposed for 100 million customers, but that attackers may have been unable to make use of the data, which was strongly encrypted.
In 2018, Twitter employees mistakenly stored a list of passwords in an internal log, making all 330 million passwords of Twitter users available on Twitter’s local network. The company claimed that no breach occurred and the issue was fixed, however the file was exposed internally for several months. Twitter requested all 330 million users to change their passwords, as a precautionary measure.
In 2013, a Russian hacker gained access to data for 360 million MySpace accounts. The breach was only discovered in 2016. The leaked information included names, usernames, passwords and dates of birth. Between 2013 and 2016, attackers in control of this data were able to access hundreds of millions of MySpace accounts and view private data. After the breach was discovered, MySpace revoked passwords for any accounts created before 2013.
Here are a few important statistics about the global state of data breaches. All the statistics refer to organizations in the USA in the year 2019.
| Statistic (US organizations, 2019) | Value |
|---|---|
| Average number of records breached | 25,575 |
| Average time to detect a breach (days) | 279 |
| Average time to eradicate a breach (days) | 73 |
| Average number of records lost per day | 780,000 |
| Total breaches per annum | 1,473 |
| Share of breaches with accidental causes | 49% |
According to a model developed by the Identity Theft Resource Center (ITRC), there are seven main sources of data breaches.
The 2020 DBIR Report from Verizon sheds light on how frequent each type of breach is and how commonly different threat actors are involved.
The Cyber Kill Chain (CKC) is a cyber security model developed by Lockheed Martin’s Computer Security Incident Response Team (CSIRT). The purpose of this model is to better understand the steps taken by an attacker during a data breach, allowing the security team to stop the attack at each stage.
| Stage | What the attacker does | Example techniques |
|---|---|---|
| 1. Reconnaissance | Attackers gather information about the infrastructure of the target organization. | Port scanning, social media monitoring, shadowing |
| 2. Intrusion | Attackers make attempts to penetrate the security perimeter. | VPN attack, spear phishing, supply chain compromise |
| 3. Exploitation | Attackers seek vulnerabilities or security gaps they can exploit while inside the network. | PowerShell attack, scripting attack, Dynamic Data Exchange |
| 4. Privilege Escalation | Attackers attempt to gain additional privileges to extend their reach to more systems or user accounts. | Access token manipulation, path interception, sudo attack |
| 5. Lateral Movement | Attackers "move laterally" by taking over more accounts and connecting to more systems, on their way to the most valuable assets. | SSH hijacking, internal spear phishing, Windows remote management |
| 6. Obfuscation | Attackers cover their tracks by tampering with security systems, deleting or modifying logs, changing timestamps, etc. | Binary padding, code signing, file deletion, hidden users |
| 7. Denial of Service | Attackers disrupt an organization's critical systems, with the goal of getting the attention of security and operations staff and creating a distraction. | Endpoint DoS, network DoS, service stop, system shutdown |
| 8. Exfiltration | Attackers finally obtain the organization's most sensitive data. They find a discreet way, such as DNS tunnelling, to copy the data outside the organization without being detected. | Data compressed, data encrypted, exfiltration over alternative protocol, scheduled transfer |
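The exfiltration stage above names DNS tunnelling as a way data leaves quietly. Below is an added example (not from the original page or any product it mentions) of the kind of detection logic a defender runs over DNS query logs to spot that stage: it flags a client that sends many unique, long, high-entropy subdomains under one parent domain. The log format, thresholds and sample lines are constructed assumptions for the demonstration.

```python
"""Flag DNS-tunnelling-style exfiltration in DNS query logs.

Added example; the log format, thresholds and sample data below are
constructed for the demonstration and are not a vendor's real schema.
"""
import math
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <client_ip> <query_name>".
# Benign lookups from two clients, then a burst of random-looking labels
# under one parent domain from a third client.
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 www.example.com
2024-01-10T09:00:02 10.0.0.5 mail.example.com
2024-01-10T09:00:03 10.0.0.7 cdn.example.net
2024-01-10T09:01:10 10.0.0.9 4a7f3c9e2b1d8e6f0a1b2c3d4e5f6a7b.tun.badexample.org
2024-01-10T09:01:11 10.0.0.9 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f.tun.badexample.org
2024-01-10T09:01:12 10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tun.badexample.org
2024-01-10T09:01:13 10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.tun.badexample.org
"""


def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the detector
        ts, client, qname = parts
        records.append((ts, client, qname.lower().rstrip(".")))
    return records


def registrable_domain(qname):
    """Naive: last two labels. A real deployment uses the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def score_query(qname, min_label_len=30, min_entropy=3.5):
    """Return the reasons a single query looks like a tunnel carrier."""
    labels = qname.split(".")
    sub_labels = labels[:-2]
    reasons = []
    if max((len(l) for l in sub_labels), default=0) >= min_label_len:
        reasons.append("long_label")
    if shannon_entropy("".join(sub_labels)) >= min_entropy:
        reasons.append("high_entropy")
    return reasons


def find_suspects(records, min_unique_subdomains=3):
    """Group by (client, parent domain); flag groups with many distinct
    subdomains where at least one query scores as suspicious."""
    per_domain = defaultdict(set)
    for _ts, client, qname in records:
        per_domain[(client, registrable_domain(qname))].add(qname)
    flagged = {}
    for key, names in per_domain.items():
        reasons = set()
        for q in names:
            reasons.update(score_query(q))
        if len(names) >= min_unique_subdomains and reasons:
            flagged[key] = {"unique_subdomains": len(names),
                            "reasons": sorted(reasons)}
    return flagged


if __name__ == "__main__":
    for key, info in find_suspects(parse_log(SAMPLE_LOG)).items():
        print(key, info)
```

The per-domain grouping matters more than any single query: one long label can be a legitimate CDN hostname, whereas dozens of distinct high-entropy labels from one client under one domain in a short window is the signature the text describes.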
To better understand how data breaches occur, it is important to be familiar with the common cybersecurity threats facing organizations today.
Common cyber threats that result in data breaches include:
Social engineering attacks work by psychologically manipulating users, causing them to disclose confidential information or to take actions that benefit the attackers, such as clicking on unsafe links or installing malware.
Common types of social engineering attacks include:
An APT is a long-term attack campaign carried out by an individual or group, aimed at gaining unauthorized access to the network of a specific organization. Attackers may remain in the network for a long time; during this period, they use advanced techniques to evade detection, and in the meantime, exfiltrate sensitive data.
APTs require a high level of expertise, coordination, organization and effort from attackers. Therefore, APTs are typically launched against valuable targets such as governments, institutions, or large organizations.
A network attack is aimed at gaining unauthorized access to a company’s network, to steal data or perform other malicious activities. There are two main types of network attacks:
Network attacks are an umbrella term for many types of cyber attacks:
Ransomware has become a major threat for organizations of all types, from small businesses to large enterprises, institutions and governments. Ransomware is malware that infects a machine, encrypts its data, and displays a notice asking the victim to pay a ransom to unlock their data. In many cases, payment is ineffective, and the ransomware destroys the data anyway.
Once a ransomware attack has occurred, it is very difficult to recover, and so the primary way to protect an organization is prevention. A ransomware prevention program includes four steps:
An insider threat is a malicious act directed at an organization, executed by the organization's staff or by other people the organization has knowingly granted access to its systems. The threat actor (usually an employee or contractor) is a person who already has access to the company's network, databases, applications, or other IT systems.
Types of insider threats:
Cloud native is a new paradigm that simplifies the development, testing, deployment and operation of cloud-based applications. A cloud native application is built from scratch for the cloud, rather than being migrated from a traditional data center to the cloud. "Cloud" in this context can mean a public cloud such as Amazon Web Services, a private cloud, or a hybrid or multi-cloud environment.
Cloud native applications are more difficult to secure than traditional applications, because of their dynamic nature and the large number of entities that comprise them.
Cloud native security threats include:
A data breach response plan (DBRP) outlines the steps a company should take to discover and address a data breach. It helps everyone in the organization understand their role in the event of a breach, and provides practical steps employees can take to mitigate the threat and minimize the damage caused to the organization.
These include security measures, as well as instructions and procedures employees must follow. The main steps in a data breach response plan are:
Data protection, also known as data security, is the process of protecting the confidentiality, integrity, and availability of sensitive information owned by your organization.
Almost all organizations work with sensitive data, either belonging to the organization itself or to its customers. This raises the need for a data protection strategy that can prevent theft, damage, and loss to that data, and reduce damage in case of a data breach or disaster.
After critical business data is breached or accidentally lost, recovering it is urgent, and any delay can impact business continuity. A data protection strategy must take into account the ability to recover the data in a timely manner.
In addition, many industries have legal requirements or voluntary compliance standards governing how organizations store personal information, medical information, financial information, or other sensitive data. A data protection strategy must address the specific compliance requirements your organization is subject to. Learn more in The Compliance Aspect of Data Breaches below.
Learn more in the detailed guide to data protection
There are many management and storage solutions available to protect your data. There are many data security measures that can limit access to data, monitor network activity, and respond to suspected or confirmed breaches.
The following are commonly used data protection technologies and practices:
A backup copies data from primary storage to secondary storage, to provide protection in the event of a disaster or malicious activity. Data is crucial for modern businesses, and data loss can cause major damage. Therefore, backup is an essential process for businesses of all sizes.
Learn more in the detailed guide to data backup
RPO and RTO are key concepts in backup management, disaster recovery and business continuity.
Recovery Point Objective (RPO) is the maximum amount of data, expressed as a span of time, that a company can afford to lose in the event of a disaster; it is determined by the frequency of backups. If the system is backed up once a day, the RPO is 24 hours. The lower the RPO, the more network, compute, and storage resources are needed for frequent backups.
RTO (Recovery Time Objective) is the time needed to restore data or systems from a backup and resume normal operation. If you store or back up large amounts of data in remote locations, copying the data and restoring the system can take a long time. There are technical solutions, such as high performance connectivity to backup locations and fast synchronization, which can shorten RTO.
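The two paragraphs above define RPO and RTO as objectives; what a practitioner actually needs is to measure the values achieved and compare them with the objectives. The following added example (not from the original page) does that from a constructed backup job log and constructed restore-drill timings. The log format, job names and objectives are assumptions for the demonstration; the important point it shows is that a single failed nightly run doubles the achieved RPO, even though the schedule is still "once a day".

```python
"""Measure achieved RPO/RTO from a backup job log and a set of restore drills.

Added example; the log format, job names, drill timings and objectives are
constructed for the demonstration.
"""
from datetime import datetime, timedelta

# Constructed backup job log: "<job> <start> <end> <status>", one nightly run per day.
BACKUP_LOG = """\
nightly-db 2024-03-01T01:00 2024-03-01T01:40 ok
nightly-db 2024-03-02T01:00 2024-03-02T01:35 ok
nightly-db 2024-03-03T01:00 2024-03-03T01:10 failed
nightly-db 2024-03-04T01:00 2024-03-04T01:45 ok
nightly-db 2024-03-05T01:00 2024-03-05T01:38 ok
"""

# Constructed restore drill results, in minutes from "start restore" to "service back".
RESTORE_DRILLS_MIN = [95, 110, 130]


def parse_backup_log(text):
    jobs = []
    for line in text.splitlines():
        name, start, end, status = line.split()
        jobs.append({"job": name,
                     "start": datetime.fromisoformat(start),
                     "end": datetime.fromisoformat(end),
                     "ok": status == "ok"})
    return jobs


def achieved_rpo(jobs):
    """Worst-case data-loss window: the largest gap between consecutive
    successful backups. A backup captures the state at its start time, so
    the gap is measured start-to-start; failed runs are simply skipped,
    which is what widens the gap."""
    starts = sorted(j["start"] for j in jobs if j["ok"])
    if len(starts) < 2:
        return None
    return max(later - earlier for earlier, later in zip(starts, starts[1:]))


def achieved_rto(drill_minutes):
    """The objective must hold in the worst observed case, so take the slowest drill."""
    return timedelta(minutes=max(drill_minutes))


def evaluate(jobs, drill_minutes, rpo_objective, rto_objective):
    rpo = achieved_rpo(jobs)
    rto = achieved_rto(drill_minutes)
    return {
        "achieved_rpo_hours": rpo.total_seconds() / 3600,
        "rpo_met": rpo <= rpo_objective,
        "achieved_rto_minutes": rto.total_seconds() / 60,
        "rto_met": rto <= rto_objective,
    }


if __name__ == "__main__":
    # Objectives assumed for the demonstration: RPO 24 h, RTO 2 h.
    print(evaluate(parse_backup_log(BACKUP_LOG), RESTORE_DRILLS_MIN,
                   rpo_objective=timedelta(hours=24),
                   rto_objective=timedelta(hours=2)))
```

Run against the constructed log, the achieved RPO is 48 hours because the 3 March run failed, and the achieved RTO is 130 minutes from the slowest drill; both miss the assumed objectives, which is exactly the kind of finding a backup review should surface before an incident does.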
Cloud backup (also known as online backup) lets you send a copy of your data to a cloud server, over a public or secure private network. Cloud backup services are typically offered by third-party providers. Cloud backups are an excellent way to enable offsite backups that can minimize data loss. You can access your data from multiple access points and share your data among multiple cloud users.
Organizations are typically charged for cloud backup on a pay-per-use basis, according to the number of users, the amount of data stored, the duration of storage, the amount of data transferred to and from cloud storage, and the frequency at which data can be accessed (hot, warm or cold data tiers).
Amazon Web Services (AWS) offers AWS Backup, a managed service you can use to back up both local data, and data stored in the Amazon cloud, to storage services including:
AWS Backup is a central management interface that integrates these technologies, making it easy to organize and schedule backups in one place. Amazon also provides the AWS Storage Gateway, which lets you integrate local storage and backup solutions with Amazon services.
Learn more in the detailed guide to AWS backup
Microsoft Azure Backup is a cloud-based backup solution that is part of the Azure Recovery Services Vault. Azure Backup can be used to back up local data or cloud-based systems. It provides consistent backups with security controls and management through the Azure portal.
Azure Backup can take point-in-time backups of the following data sources, including files, folders, system state, and SQL databases:
Learn more in the detailed guide to Azure backup
Google Cloud does not provide an integrated backup solution like AWS and Azure. It supports backup as part of the Google Cloud Storage service. Google Cloud Storage has three storage classes you can use to back up local or cloud-based systems:
Each tier offers progressively lower pricing per GB. Typically, regular backups are stored on the nearline tier, and long-term archives on coldline storage.
Learn more in the detailed guide to Google Cloud backup
Disaster recovery (DR) is the ability to respond to an event that negatively affects business operations and recover from it. The goal is to enable organizations to regain the use of critical IT infrastructure and systems as quickly as possible after a disaster occurs.
DR typically requires an in-depth analysis of all systems and creating a disaster recovery plan, a formal document the organization can follow during events. It enables organizations to think about disasters before they occur and design effective recovery mechanisms.
Disaster recovery planning raises awareness about potential disruptions, helping organizations prioritize mission-critical functions and facilitate discussions related to these topics so they can make informed decisions about suitable responses in low-pressure settings.
Learn more in the detailed guide to disaster recovery
Data Loss Prevention (DLP) refers to the strategies and tools used to prevent data loss or leakage across an organization. DLP solutions have an endpoint management component, which defines who can access data on an endpoint and what can be accessed, and specifies how data should be secured in transit. They can also protect data at rest and data in transit.
A DLP solution lets you adapt data protection to the level of importance and sensitivity of different classes of data. DLP solutions cover four main areas:
Advanced threat prevention (ATP) is a collection of analysis tools for defending against advanced threats using unknown and known attack vectors. ATP helps extend common security tools designed to repel only known intrusion strategies.
Advanced threats attempt to surreptitiously gain unauthorized access to a certain network and then remain undetected within the network for months or years. Staying in the network for a long time enables them to exfiltrate large amounts of data, conduct espionage, and cause significant damage.
ATP solutions help protect endpoints against sophisticated and advanced threats by using artificial intelligence (AI) and machine learning (ML) technologies. This focus on threat prevention, rather than detection and response, enables ATP tools to minimize the potential impacts and risk of advanced attacks on endpoints.
Learn more in the detailed guide to Advanced Threat Protection
Endpoint security solutions combine two layers of security:
Here are the main features provided by endpoint protection platforms (EPP):
User behavior analytics (UBA), which later evolved into User and Entity Behavior Analytics (UEBA), is a security solution that profiles the day-to-day behavior of user accounts or entities like servers, applications or networks.
UBA/UEBA uses anomaly detection, based on machine learning techniques, to compare current behavior with the normal behavior of the specific entity and its peers (for example, other users in the same department). When it detects abnormal activity, it alerts security teams to the suspicious behavior.
An important part of modern UEBA systems is the use of thresholds to determine when to treat an anomaly as a security threat. For example, if a user always logs in at 8am and then one day logs in at 7am, this is rare, but not unusual enough to warrant investigation. UEBA tools measure the degree of anomaly by calculating a risk score. A login at 4 or 5am, combined with other anomalous characteristics (location, device used, other activities, etc.), may raise the risk to a level sufficient to trigger an alert.
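To make the threshold idea concrete, here is an added example (not from the original page or any vendor's product) of a toy UEBA risk score for login events. It builds a per-user baseline of login hours, known countries and known devices from constructed history, scores a new event by how far it departs from that baseline, and alerts only when the combined score crosses a threshold. The weights, threshold and sample data are assumptions chosen for the demonstration.

```python
"""Toy UEBA-style risk scoring for login events.

Added example; the baseline data, weights and alert threshold are
constructed assumptions, not a vendor's real scoring model.
"""
import statistics
from collections import defaultdict

# Constructed history of successful logins: (user, hour_of_day, country, device_id).
HISTORY = [
    ("alice", 8, "US", "lap-01"), ("alice", 8, "US", "lap-01"), ("alice", 9, "US", "lap-01"),
    ("alice", 8, "US", "lap-01"), ("alice", 8, "US", "lap-01"), ("alice", 9, "US", "lap-01"),
    ("alice", 8, "US", "lap-01"), ("alice", 8, "US", "lap-01"), ("alice", 9, "US", "lap-01"),
    ("alice", 8, "US", "lap-01"),
    ("bob", 7, "US", "lap-02"), ("bob", 7, "US", "lap-02"), ("bob", 6, "US", "lap-02"),
    ("bob", 7, "US", "lap-02"), ("bob", 7, "US", "lap-02"), ("bob", 8, "US", "lap-02"),
]

ALERT_THRESHOLD = 60  # assumed: scores at or above this raise an alert


def build_baselines(history):
    """Per-user login-hour history plus known countries and devices. The
    peer group (everyone in the history) is the fallback for a user with
    too little history of their own."""
    hours, countries, devices = defaultdict(list), defaultdict(set), defaultdict(set)
    for user, hour, country, device in history:
        hours[user].append(hour)
        countries[user].add(country)
        devices[user].add(device)
    return {"hours": hours, "countries": countries, "devices": devices,
            "peer_hours": [h for _u, h, _c, _d in history]}


def hour_deviation(hour, hours):
    """Distance of the hour from the user's mean, in standard deviations.
    The sd is floored at one hour so a perfectly regular user does not make
    every small shift look extreme."""
    mean = statistics.mean(hours)
    sd = statistics.pstdev(hours) if len(hours) > 1 else 1.0
    return abs(hour - mean) / max(sd, 1.0)


def risk_score(event, baselines, min_history=5):
    user, hour, country, device = event
    hours = baselines["hours"].get(user, [])
    if len(hours) < min_history:
        hours = baselines["peer_hours"]  # fall back to peers, as the text describes
    score, reasons = 0, []
    z = hour_deviation(hour, hours)
    # Graduated: a one-hour shift is worth little, a multi-sigma shift a lot.
    if z >= 3:
        score += 40
        reasons.append(f"login at {hour}h is {z:.1f} sd from baseline")
    elif z >= 1.5:
        score += 15
        reasons.append(f"login at {hour}h is mildly unusual ({z:.1f} sd)")
    if country not in baselines["countries"][user]:
        score += 30
        reasons.append(f"new country {country}")
    if device not in baselines["devices"][user]:
        score += 25
        reasons.append(f"new device {device}")
    return score, reasons


def evaluate(event, baselines, threshold=ALERT_THRESHOLD):
    score, reasons = risk_score(event, baselines)
    return {"user": event[0], "score": score,
            "alert": score >= threshold, "reasons": reasons}


if __name__ == "__main__":
    b = build_baselines(HISTORY)
    for ev in [("alice", 7, "US", "lap-01"),      # rare, below threshold
               ("alice", 4, "US", "lap-01"),      # odd hour alone: still below
               ("alice", 4, "RO", "lap-99")]:     # odd hour + new country + new device
        print(evaluate(ev, b))
```

With the constructed history, alice's 7am login scores 0 (about 1.3 standard deviations from her 8.3am mean), a 4am login alone scores 40 and stays below the threshold, and a 4am login from a new country on a new device scores 95 and alerts, which is the graduated behaviour the paragraph describes.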
Backup is a critical defense against ransomware attacks. However, several steps need to be taken to prevent the backups themselves from being attacked and encrypted by ransomware.
To protect your backups from ransomware, follow these guidelines:
Data breaches are not only damaging for an organization, but may place it in violation of regulations or industry standards. This may result in fines and other negative consequences. Below is a brief review of regulations that affect an organization’s data breach strategy.
Data classification involves tagging data according to specific types, sensitivity levels, and the impact of data loss, such as data modification, theft, or deletion. Organizations use data classification to determine the value of specific data, its risk level, and then apply the appropriate controls to mitigate these risks.
The data classification process is subject to regulatory compliance while also helping achieve compliance. Certain industries, for example, require classification according to different data attributes. The ability to locate and control specific data can help meet compliance with SOX, PCI DSS, GDPR, and HIPAA regulations.
Learn more in the detailed guide to data classification.
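The data classification paragraphs above (and the DLP description earlier on the page) describe tagging data by sensitivity and then controlling where it may go. The following added example (not from the original page or any product it mentions) shows the two working together: content-based detectors assign a sensitivity level to a record, and a DLP-style check compares that level with what a channel is allowed to carry. The levels, detector patterns, the `MRN` format, the channel policy and the sample records are constructed assumptions for the demonstration.

```python
"""Content-based data classification with a DLP-style outbound check.

Added example; classification levels, detectors, channel policy and sample
records are constructed and do not represent any product's real rules.
"""
import re

# Detectors. SSN excludes area 000/666/9xx and zero group/serial; the card
# pattern is validated with Luhn below to cut false positives on plain digits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
MRN_RE = re.compile(r"\bMRN[:\s]*\d{6,10}\b")  # constructed medical-record-number format

# Sensitivity levels in increasing order; a record takes the highest level found.
LEVELS = ["public", "internal", "confidential", "restricted"]


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_numbers(text):
    return [m.group() for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


def classify(text):
    """Return (level, findings) where findings maps detector -> level."""
    findings = {}
    if SSN_RE.search(text):
        findings["ssn"] = "restricted"
    if card_numbers(text):
        findings["payment_card"] = "restricted"
    if MRN_RE.search(text):
        findings["phi"] = "restricted"
    if EMAIL_RE.search(text):
        findings["email"] = "confidential"
    if not findings:
        return "internal", findings  # nothing detected: default to internal, never public
    return max(findings.values(), key=LEVELS.index), findings


def dlp_check(text, channel, policy):
    """policy maps channel -> highest level permitted to leave on that channel."""
    level, findings = classify(text)
    allowed = LEVELS.index(level) <= LEVELS.index(policy[channel])
    return {"level": level, "findings": findings, "allowed": allowed}


# Constructed policy: only internal-or-lower may go to external email.
POLICY = {"external_email": "internal", "internal_share": "restricted"}

# Constructed sample records (the card number is a well-known test value).
SAMPLES = {
    "memo": "Team lunch moved to Thursday at noon.",
    "customer": "Contact jane.doe@example.com, card 4111 1111 1111 1111, exp 09/27.",
    "hr": "Employee SSN 123-45-6789 on file; MRN: 00123456 from clinic.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, dlp_check(text, "external_email", POLICY))
```

Regex detectors alone over-match, which is why the card detector is backed by a checksum and the SSN pattern excludes impossible ranges; a production classifier adds context (field names, file owner, data source) on top of content inspection, but the level-then-policy structure stays the same.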
Other federal laws that apply to the collection of information online
The HIPAA Breach Notification Rule requires companies to disclose security breaches. It applies both to Covered Entities (healthcare organizations, medical providers and practitioners), and Business Associates (who provide services to Covered Entities).
The HIPAA Breach Notification Rule may require organizations to notify individuals whose data was affected by the breach, the US Department of Health and Human Services Office for Civil Rights (HHS/OCR), and/or the media. Violation of the rule can result in fines of up to $1.5 million per year, calculated per violation, or per PHI record exposed in the breach.
Learn more in our in-depth guide to HIPAA breach notifications
A significant regulation at the state level is the CCPA, the most comprehensive data protection law in the United States, which came into force in January 2020. CCPA places certain obligations on companies who collect or store information about California citizens. These include notifying the data subject when and how their data was collected, and giving them the ability to access and delete that information.
The CCPA gives California citizens the right to request statutory damage if their information was exposed in a data breach. This applies only to data breaches that meet three criteria:
The EU General Data Protection Regulation (GDPR) regulates the collection, use, transmission, and security of data collected from residents of 27 European Union countries. It applies to any business that works with European citizens, regardless of where the company is based. Organizations that violate the GDPR can be fined up to 20 million Euro or 4% of global revenue.
What is the official GDPR definition for data breaches?
The GDPR requires organizations to notify relevant parties if they are breached. According to the Quick Guide to Breach Notifications, a breach that requires notification is an incident that:
72 hour deadline and possible fines
According to Article 33 of the GDPR, organizations need to report security breaches as defined above within 72 hours of detection of the breach. Breaches are reported to a Data Protection Authority (DPA), and in some cases, also need to be reported to individuals who were affected or to the press.
Failure to notify about a breach can result in a fine of up to 10 million Euro or 2% of global revenue. However, European authorities emphasize that fines are a last resort and will only be imposed on those who repeatedly and seriously violate the regulation.
Learn more in our in-depth guide to GDPR data breaches
Cynet 360 AutoXDR™ is an autonomous breach protection platform that works on three levels, providing XDR, Response Automation, and 24/7 MDR in one unified solution. Cynet natively integrates these three services into an end-to-end, fully automated breach protection platform.
Breach protection with Cynet incident response services:
CyOps, Cynet’s managed detection and response team, is on call 24/7 allowing enterprises of all sizes to get access to the same expert security staff that protect the largest enterprises. Here’s what you can expect from the CyOps incident response team:
Cynet 360 AutoXDR™ provides cutting edge EDR capabilities:
Cynet 360 AutoXDR™ provides the following XDR capabilities:
Cynet 360 AutoXDR™ can be deployed across thousands of endpoints in less than two hours. It can be immediately used to uncover advanced threats and then perform automatic or manual remediation, disrupt malicious activity and minimize damage caused by attacks.
Cynet, together with several partner websites, has authored a large repository of content that can help you learn about many aspects of data breaches and data security. Check out the articles below for objective, concise reviews of key data security topics.
Authored by Cynet
Advanced threat protection (ATP) solutions leverage various techniques to provide organizations with the real-time visibility and data awareness needed to detect and block advanced threats.
See top articles in our advanced threat protection guide:
Authored by Imperva
Learn how organizations prepare themselves for a disaster by setting up a remote disaster recovery site and creating automated procedures for business continuity and business recovery (BC/DR).
Authored by Cloudian
Data protection practices and tools help organizations ensure the protection of data that passes through the organization’s systems. Learn about key data protection techniques.
See top articles in our data protection guide:
Authored by Cloudian
Data backup is critical to ensure organizations can recover from various types of data losses. Learn how to successfully implement data backup techniques.
See top articles in our data backup guide:
Authored by NetApp
Amazon Web Services (AWS) is a top cloud computing vendor, offering highly customizable tools, including a dedicated backup service. Learn how to leverage AWS backup tools and techniques.
See top articles in our AWS backup guide:
Authored by NetApp
Microsoft Azure is a popular cloud computing vendor, offering enterprise-grade solutions, including backup and recovery services. Discover key Azure backup tools and techniques.
See top articles in our Azure backup guide:
Authored by NetApp
Google Cloud Platform (GCP) is a widely used cloud computing vendor, offering scalable and cost-effective services. Learn about popular backup options and techniques offered by Google Cloud.
See top articles in our Google Cloud backup guide:
Authored by Satori
Learn how organizations classify large scale datasets in order to better secure and protect their most sensitive and valuable data.
Additional Data Breach and Data Security Resources
Below are additional articles that can help you learn about data security topics.