Hardly a week goes by without a data breach hitting the headlines. Cybercriminals have normalised phishing, and vast swathes of stolen data are the result.
A recent report from the security industry body ISACA shows that less than one-quarter of UK consumers feel that businesses protect their personal data. The report also points out the real impact of data losses, with almost half of consumers saying they would no longer deal with a company that has experienced a data breach.
Lost data means lost customers, large fines, and reputation damage. It is important to know how to deal with a data breach when it happens.
Here are our best practice tips to dealing with a data breach.
Personal Information and Data Protection
Personal data is anything that can be used to identify an individual. For example, name, address, age, email address, phone number, and so on. These data are like gold dust to cybercriminals and are at risk from simple accidental exposure.
Personal data must be protected according to various data protection and privacy regulations. For example, the UK Data Protection Act 2018 (DPA2018) describes the data protection rules to ensure that personal data is secure. The basic principles of DPA2018 are that data must be:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
DPA 2018 is sometimes compared to the EU’s GDPR. As such, DPA2018 is also referred to as the UK GDPR. There are some differences between the DPA 2018/UK GDPR and the EU GDPR, such as processing criminal data being less stringent in the UK. Also, legitimate reasons for profiling are less strict in the UK than in the EU.
However, both require that personal data be protected, and certain post-breach conditions must be met if a breach occurs. This includes breach notification rules and potential fines for non-compliance.
How Does a Data Breach Happen?
Wherever data is created, stored, shared, or used, it is at risk of being stolen or accidentally exposed. A variety of cyber-threats cause data breaches, including:
- Phishing – fraudsters steal data directly using malicious websites. Alternatively, cybercriminals use spear phishing to steal login credentials. These credentials are then used to gain access to corporate networks and apps. Even staff credentials without privileges can lead to database hacks and massive data breaches.
- Social engineering – cybercriminals trick employees into handing over personal data that they then use to commit further crimes. Fraudsters use many mediums to carry out social engineering, including phone calls and social media. These attacks can ultimately lead to more significant data breaches.
- Misconfigured web components – simple configuration mistakes can leave web servers and databases open to hackers.
- Software vulnerabilities – flaws in software code can leave databases, web servers, and other software vulnerable to an attack. Often, software vulnerabilities are used with other attack vectors, such as phishing, to install malware, such as ransomware. This then leads to more significant data breaches.
- Malware infection – all the above techniques and tactics can result in malware infection. For example, malware can lead to data exfiltration back to a cybercriminal waiting to place it for sale on a dark web marketplace. Or it can lead to a ransomware infection. Often ransomware steals data before encrypting it and attempting extortion.
- Accidental data breaches – personal data is not just at risk from cybercriminals. Accidental data exposure is a form of a data breach that can happen from simple mistakes and careless actions.
The Cost of a Data Breach 2022 report from IBM found that:
- The top attack vectors causing a data breach: stolen or compromised credentials (19% of breaches), phishing (16% of breaches), and cloud misconfiguration (15% of breaches). All these vectors can be caused by human error; for example, an employee does not realise they are being phished and clicks a malicious link that leads to stolen credentials.
Similar figures came from the Verizon Data Breach Investigation Report for 2022:
- 82% of breaches involve a human being, for example, clicking a phishing link at some point in the attack.
- 62% of data breaches use supply chain vendors. Again, the attackers used social engineering tactics to target third-party vendors and attack companies further up the chain.
The Damage Hackers Can Do
Fraudsters use personal information to perpetuate a variety of cybercrimes. For example, identity theft: the UK’s CIFAS National Fraud Database recorded an 11% increase in identity theft in the first half of 2021. Moreover, CIFAS has seen even more significant growth in 2022, with cases of identity theft up by one-third on the 2021 figures.
Identity theft leads to financial losses for individuals and companies who deal with the fraudster behind the stolen identity. As such, UK companies and individuals lose around £4 billion yearly due to identity-related fraud.
The Cost of Data Breaches report presents the evidence for the impact of a data breach:
- The average cost of a data breach in 2022 was $4.2 million (£3.8 million)
The cost of a data breach includes:
- Costs of fixing direct damage to IT systems
- Reputational damage
- Fines for regulatory non-compliance
- Damages to customers; often, data breaches can lead to class-actions
- Staff sacking and morale issues
- Potential leak of Intellectual Property or company secrets.
What To Do in the Event of a Data Breach
Any organisation suffering from a data breach must have a solid plan to mitigate the impact. Here are some ideas and tips on how to handle a data breach:
A personal data breach has happened: managing the situation is critical to containing the event and minimising the impact. Stay calm and work through the problems.
Assess the Damage
Investigation of the event is a time-sensitive task. You must inform the authorities if the breach meets the criteria required to make it a notifiable breach. For example, in the UK, the Information Commissioner’s Office (ICO) must be informed within 72 hours of a data breach being discovered.
Investigate the Incident
Log all the facts surrounding the incident as you uncover them. It is essential that you record events and include the damage. This log may be used as evidence if the case ends up in court.
Contain the Breach
You can develop a breach containment strategy as you assess the damage and record what has happened. Containment measures depend on what type of incident has occurred. For example, a ransomware attack will require more technical containment measures than a mis-delivery of an email containing customer data. The type of steps to contain different types of incidents should be carefully outlined in a security policy.
Assess the Risk
Evaluate how damaging the data breach was to those involved. For example, is there an identity theft risk, or could someone be at risk of physical harm? Understanding the risk level will help guide your company in an appropriate response.
Respond to the Incident
Responding to a cyber attack has many layers. It includes dealing with the aftermath of the loss of personal data from the view of those affected. It also means that your organisation needs to reassess its security posture. Look at where the existing measures failed. Do you need more regular Security Awareness Training? Are you using encryption appropriately? A measured response will look at the entire event chain of the incident so you can tighten up your corporate security.
Measures that Help in a Data Breach Response
A data breach can cause immeasurable damage to an organisation. However, as mentioned above, the human factor in the chain of events that leads to a data breach is where real change can be made.
Findings from the ISACA report evidence the effectiveness of security training. The report records that 80% of organisations said that Security Awareness Training positively benefits employee awareness.
By using staff Security Awareness Training as a fundamental measure in the fight against cyber attacks, an organisation can prevent them. Adding measures such as data encryption and robust authentication to this security education makes it much less likely that a malicious or accidental data breach will happen.