“Data breach” is one of those terms you see in the news when an organization’s data has been compromised. But, what does it actually mean?
A data breach is a security incident where a hacker gains access to and/or copies, transmits, deletes, or locks sensitive information, like:
Credit card numbers
Protected health information (PHI)
Personally identifiable information (PII)
Credentials and passwords
Once they get their hands on your data, hackers can sell it, use it to gain more information, steal your money or identity, or use it to ruin your reputation or your business.
Finding out that your personal information was found in a data breach can be terrifying (it doesn’t need to be), uninteresting (it shouldn’t be), or confusing (hopefully it won’t be by the time you finish reading this).
Plenty of services these days will alert you about your email address turning up in a database of stolen data — from credit monitoring services like Credit Karma to security awareness services like KnowBe4 — but it’s important to understand what this means and what to do about it to protect yourself and/or your business.
How Data Breaches Happen
Let’s start with some background. Even though major online services (social media, banks, hotels, etc.) put tons of effort into protecting their users’ data, the bigger they are (and the more sensitive the personal information they store), the harder hackers try to break in. When someone eventually finds a hole in the defenses and encounters unencrypted data, they download everything they can find, try to sell it to the highest bidder (usually on the “dark web”), and vanish. This often leaves the breached company completely unaware that anything happened.
Arguably the most damaging data from these breaches are email/password combinations. These same hackers (or their buyers) will then try to use those credentials to log in to the breached company’s site and countless other popular sites. They can do this at an immense scale using bots in a technique called “credential stuffing.” This problem has been growing for years, with almost 500 million records exposed in 2018.
After being discovered by well-intentioned groups (sometimes years after the breach), these credentials will get added to public-facing databases (with email addresses decoupled from passwords) where anyone can search for their email address or password to find out if it’s been found in a breach. The most popular site for this is haveibeenpwned.com, which contains data on over 8 million compromised accounts. It even lets you search for passwords to see if that very clever password you use on every single shopping website has been circulating around the dark web for years.
This all has obvious implications for your personal information — if there are hundreds of hackers out there logging into your accounts, collecting your secrets, stealing your identity, and maybe worse — it’s not great. But a data breach has plenty of implications for your business as well. People very often use the same password for their work accounts that they use for personal ones. When someone’s Facebook password (the same one they use for their work email) gets passed around the dark web, your business can get impacted fast.
Data Breach FAQ
Understanding data breaches and protecting your business from them can be overwhelming to figure out on your own. Here are the most common questions about data breaches.
How Do I Check for a Data Breach?
To see if your data has been exposed in a breach, you can use free online tools like haveibeenpwned.com to search your email addresses and passwords. If your information has been hacked — exposed for others to access and use — you should change your password right away.
What Should an Organization Do After a Data Breach?
If your business has a data breach, take these steps:
Identify the source and the extent of the breach
Contain the breach
Inform affected customers
Conduct a root cause analysis and address the root cause
Communicate findings to customers
Implement new controls and tests to prevent it from happening again
How Can You Prevent Data Breaches?
Here’s a checklist to ensure you won’t be impacted by the next data breach:
Enable Multi-Factor Authentication (MFA) for all services so that, even if someone does know your password, they have a much harder time getting in. See our recent post on MFA for more. Search haveibeenpwned.com to see if any of your email addresses have been part of a known breach (spoiler alert: they probably all have). If you have the same password on multiple accounts, search for it, and if it’s been compromised, change it immediately on all accounts.
Never use the same password more than once. Even if it’s a great password, it can still get stolen in a breach and give hackers access to multiple sites. How do you remember all those different passwords? Use a password manager like 1Password, LastPass, or Dashlane that will help you generate random, strong, unique passwords for each site, store them securely, and autofill them into websites and even mobile apps. Some of these, like LastPass, also offer business services that let you create accounts for all your employees and even securely share credentials, allowing different employees to log in to shared accounts without ever seeing the password.
Use strong passwords. This doesn’t help much in a data breach, but it’s worth noting here. If you’re not letting a password manager generate random passwords for you, or if you need a memorable one to log into your password manager or Single Sign-On, the length is the most important factor. Go for 12 characters or more and make sure it isn’t guessable. One technique is to string together a random set of words (e.g., “dogsoupfeather”). If your organization’s password policy has complexity requirements (one capital, one number, etc.) and forces a reset every six months, scrap all of that and just set it to require 12 characters.
Deploy Single Sign-On (SSO). SSO is even better than diversified passwords. See our previous post, Why You Need Single Sign-On, for more on that. OneLogin, our preferred SSO provider, just today announced a new feature called Shield that checks your passwords against real-time breach databases and your password history to prevent reuse.
Update your software. Products that are old and don’t have security patches (link to post) are common data breach victims. Updating your software regularly and installing all the patches is an easy way to prevent attacks. Enforcing that all of your users do this (link to Jamf post?) is even better.
Limit access to your valuable data. Only the employees that need to see sensitive files should have access to them. When fewer people can view this information, the probability and scope of a breach is reduced.
Demand transparency from your third-party vendors. Other organizations that can see your files or send people to your facility need to follow privacy laws. Doing background checks, adding controls and terms into contracts, and limiting who can view your documents as part of your third-party risk management will help.
Train your employees about security awareness. Because your employees are your organization’s weakest link in data security, training will help strengthen this area. Quarterly or monthly sessions about suspicious emails and other common security threats can help change their behavior.
Share this information with all of your users (even contractors!). The more your people know about this, the better.
Contact Kinetix for Information Security Services
Security is important, but it can also be complicated. Our mission is to make security simple for you. Our Security Essentials (link here) includes the necessary tools for basic yet thorough security monitoring, and we also offer individualized consulting to identify your business’s vulnerabilities. We’ve worked with more than 150 clients and are excited to become your cybersecurity partner.
Reach out to Kinetix for more guidance and help with credential management. Don’t wait for the next breach — it may have already happened.