Types of Data Breaches
The most common types of data breaches include the use of malware or spyware, human error and deliberate insider acts. Whether incidents are accidental or planned, coordinated cyberattacks, data breaches make sensitive private, government and corporate digital files vulnerable.
Malicious software, also known as malware, spyware, a Trojan horse attack, worm or virus, is digital code installed on your laptop, smartphone or other device. As the Federal Trade Commission explains in its Consumer Advice, malware can get installed if you click on or download a scammer’s email attachment, fake ad or security pop-up. It can also happen when you illegally download free movies or video games.
Once malware is installed on your device, hackers have access to your digital activity and personal information. One of the biggest data breaches in history was the NotPetya breach in which the Russian army is believed to have used malware to cause the Ukraine electrical grid to fail in 2017. The breach cost shipping giant Maersk $300 million in damage and global damage was estimated at $10 billion.
The Cybersecurity and Infrastructure Security Agency, known as America’s Cyber Defense Agency, recommends organizations educate and train staff on preventing malware breaches. Operating systems and data should be regularly backed up, networks should be separate and critical operations should be kept on a closed network. CISA announced the creation of a Ransomware Vulnerability Warning Pilot in 2022 to proactively identify information systems relating to critical infrastructure entities that contain vulnerabilities.
Phishing breaches happen when hackers present themselves as someone you know or an organization you trust. A spoofing attack is one form of phishing in which cyber attackers use familiar email addresses or URLs, changing a letter or number within the name, but keeping it similar enough to appear to be a trustworthy source. These phishing attacks can act as a vehicle for installing malware.
Once people click on links or attachments in a phishing message, their computers and sometimes broader networks can be infected. Also one of the biggest data breaches in history, the North Korean phishing attack on Sony Pictures used emails that appeared to be from Apple. Sensitive emails and records were accessed and the incident cost Sony $100 million.
CISA identified a phishing breach in which the Small Business Administration COVID-19 loan relief webpage was spoofed. Swedish bank Nordea was spoofed in an email sent to clients that was infected with a virus. People who opened the email were directed to a false home page and asked to enter login information. Believed to be a Russian attack, the phishing incident enabled the theft of $1 million.
CISA advises people to avoid opening emails with generic-looking greetings and to avoid clicking on suspect links. If you hover over links instead of clicking, you can better verify their authenticity. Change your password frequently.
Employees or organization members with authorized access are responsible for insider breaches. Insider breaches can be accidental, but the threat can also be planned as part of external coordinated theft, espionage or terrorism. Using access badges, network access or knowledge of the structure or strategies of an organization, insiders can gain trade secrets, personnel data or financial information.
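The spoofing pattern described above (a familiar name with one letter or number changed) and the advice to inspect a link before clicking can be automated on the defender's side. The following is an added example, not code from CISA or this site; the `TRUSTED` list, the function names and the two-label domain simplification are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; load your own trusted domains in practice.
TRUSTED = ("apple.com", "nordea.com", "sba.gov")

# Digits often substituted for similar-looking letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def fold(domain: str) -> str:
    """Map look-alike characters to a canonical form ('rn' reads as 'm')."""
    return domain.translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Assumption: the last two labels are the registrable domain (no co.uk-style suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike of X', 'embeds X' or 'unknown' for a link target."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        # One changed, added or dropped character, or a digit-for-letter swap.
        if fold(domain) == fold(good) or edit_distance(domain, good) <= 1:
            return f"lookalike of {good}"
    for good in TRUSTED:
        # Trusted name used as a subdomain label of someone else's domain.
        if host.startswith(good + ".") or f".{good}." in host:
            return f"embeds {good}"
    return "unknown"
```

A mail gateway or browser extension could run `classify` on every link target and warn on anything other than `trusted`; a production version would use the Public Suffix List instead of the two-label shortcut.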
Financial institutions and cryptocurrency organizations have been vulnerable to intentional threats from state actors such as North Korea, incurring high costs. An example of an accidental insider breach involved a healthcare provider disclosing protected health information of its patients to unauthorized third parties because of a pixel-related data breach.
The United States Attorney’s Office reported a deliberate insider breach at General Electric that led to a former engineer being convicted of conspiracy to steal trade secrets and sentenced to two years in prison. The engineer worked with a co-conspirator from 2008 through 2019 to use employee access to confidential information to compete with GE globally.
Human Error Breaches
A joint Stanford University and security firm study found that employee mistakes cause 88% of data breaches. IBM research indicates that human errors, including negligent actions of employees or contractors, were responsible for 21% of breaches.
While companies can be quick to blame individual employees for data breaches, experts identify lack of proper security measures and poor training as key vulnerabilities making human error breaches possible.
When credit-rating company Equifax experienced a data breach in 2017, an IT technician was blamed. The company said the tech failed to communicate key information about patching an application, compromising the data of 145 million people. However, Equifax agreed to settle with the Federal Trade Commission, the Consumer Financial Protection Bureau and 50 U.S. states and territories for $575 – $700 million for failing to take reasonable security steps.
How to Protect Against Data Breaches
No matter the type of data breach, the costs can be serious, so a growing number of organizations are adopting a “zero trust” approach to protect themselves against data breaches. In practice, this “trust no one and nothing” point of view requires that everything and everyone trying to gain access to the network be verified.
- Avoid clicking on ads, attachments, emails or links that you’re not certain are safe.
- Back up key files and delete sensitive information that’s no longer needed.
- Strengthen passwords, using at least 15 characters. Password managers that generate random passwords can help.
- Update your operating system and applications to get the latest security and software patches for potential vulnerabilities.
- Turn on multifactor authentication that requires an extra step to verify the identity of anyone trying to log in to an account.
Several data breach lawsuits have been filed seeking compensation for loss of privacy and important data as a result of data breaches. Plaintiffs claim losses were sustained when their personal information was stolen and leveraged.