A data breach is an incident in which data is taken without the owner’s knowledge or consent. It can happen to a major business or to an individual. Credit card numbers, customer information, trade secrets, and information about national security are all examples of sensitive, proprietary, or confidential information that may be stolen.
Data breaches can immediately affect hundreds of millions, or even billions, of people in today’s data-driven world. They have grown in scope along with digital transformation, as attackers take advantage of our everyday reliance on data.
After selecting a target, the attacker searches for vulnerabilities to exploit in its systems, people, or networks. This can require many hours of investigation, which may include following employees’ social media accounts to learn about the infrastructure the business or individual uses.
After scoping out a target’s weak points, the attacker makes initial contact through a network-based or social attack. In a network-based attack, the attacker takes advantage of holes in the target’s defenses to launch the breach: SQL injection, exploitation of unpatched vulnerabilities, session hijacking, and so on.
In a social attack, the attacker infiltrates the target network through social engineering. This could mean sending an employee a specially crafted malicious email: one carrying a malware attachment that runs when opened, or a phishing message that tricks the recipient into handing credentials or other personal information to the sender.
Once inside the company’s network, the attacker is free to extract data. That data can be used for cyber propaganda or extortion, and it can also enable more severe attacks on the target’s infrastructure.
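The network-based path described above, from the initial SQL injection to the extraction of data, is easiest to understand on a concrete query. The following is an added example written for this page, not code from the original article or from any of the companies it discusses. It uses an in-memory SQLite database with constructed tables and rows: a lookup built by string formatting lets one payload bypass the username filter and a second payload dump a different table entirely, while the same lookup with a bound parameter treats both payloads as literal usernames and returns nothing. The table names, rows, and attacker payloads are all hypothetical.

```python
import sqlite3


def build_db():
    """Constructed sample database: a users table and a customers table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hash-alice'), (2, 'bob', 'hash-bob');
        INSERT INTO customers VALUES (1, 'c1@example.com', '4242'),
                                     (2, 'c2@example.com', '1111');
    """)
    return conn


def find_user_vulnerable(conn, username):
    """Builds the query by string formatting: whatever the client sends becomes SQL."""
    sql = f"SELECT id, username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Same lookup with a bound parameter: the input is only ever treated as a value."""
    sql = "SELECT id, username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker inputs (hypothetical, for the demo only).
# The first turns the WHERE clause into a tautology; the second closes the
# string, appends a UNION over an unrelated table, and comments out the rest.
BYPASS_PAYLOAD = "' OR '1'='1"
DUMP_PAYLOAD = "' UNION SELECT id, email, card_last4 FROM customers --"


if __name__ == "__main__":
    conn = build_db()
    print("normal lookup:        ", find_user_vulnerable(conn, "alice"))
    print("bypass, vulnerable:   ", find_user_vulnerable(conn, BYPASS_PAYLOAD))
    print("dump, vulnerable:     ", find_user_vulnerable(conn, DUMP_PAYLOAD))
    print("bypass, parameterized:", find_user_safe(conn, BYPASS_PAYLOAD))
    print("dump, parameterized:  ", find_user_safe(conn, DUMP_PAYLOAD))
```

The UNION payload only works because the attacker guessed a column count and table name that exist; in practice those are recovered first through error messages or trial and error, which is the "investigation" phase described above. The parameterized version needs no input filtering to be safe, which is why bound parameters rather than escaping are the standard fix.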
Date: August 2013
Impact: 3 billion accounts
The Yahoo attack holds the top spot, nearly seven years after the initial breach and four years after the true number of accounts affected was made public. The company first disclosed the incident in December 2016, saying it had occurred in 2013 and that a hacking group had obtained account information for more than a billion of its users, at a time when Yahoo was in the process of being acquired by Verizon. Less than a year later, Yahoo revealed that the real number of exposed user accounts was 3 billion. It said it was emailing all of the “additional affected user accounts” and that the higher estimate did not represent a new “security risk.”
Date: November 2019
Impact: 1.1 billion pieces of user data
A developer at an affiliate marketing firm used his own crawler software to collect user information, including usernames and mobile numbers, from Taobao, Alibaba’s Chinese shopping site, over the course of eight months. Although the developer and his employer each received a three-year prison sentence, it appears that they gathered the data for their own use rather than for sale on the black market.
Date: June 2021
Impact: 700 million users
In June 2021, data on 700 million LinkedIn users, more than 90% of the company’s user base, was posted on a dark web forum. A hacker using the handle “God User” had scraped it by abusing LinkedIn’s (and other sites’) APIs, first leaking a data set covering over 500 million users and then boasting that the full 700 million user database was for sale.
Date: April 2019
Impact: 533 million users
In April 2019, two datasets from Facebook apps were found exposed on the public internet. The data, relating to more than 530 million Facebook users, included phone numbers, account names, and Facebook IDs. Two years later, in April 2021, the data was shared for free, indicating new and genuine criminal intent. Because so many phone numbers were involved and readily accessible on the dark web as a result, security researcher Troy Hunt added a feature to his HaveIBeenPwned (HIBP) breached-credential checking site that lets users check whether their phone number was included in the exposed dataset.
Date: May 2019
Impact: 137 million users
Canva, an online graphic design tool owned by an Australian company, suffered a data breach in May 2019 that affected 137 million users. The exposed data included email addresses, names, usernames, cities, and passwords stored as bcrypt hashes.
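The detail that the Canva passwords were stored as bcrypt hashes matters for how bad a breach is. The following added example, written for this page and not taken from Canva or the original article, shows why: the same dictionary attack is run against a constructed leak of unsalted fast hashes and against a leak of salted slow hashes. bcrypt itself is not in Python’s standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here; the principle (per-user salt plus a tunable cost) is the same. The usernames, passwords and wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed attacker wordlist, for the demo only.
WORDLIST = ["password", "123456", "letmein", "canva2019", "hunter2"]


def fast_hash(password):
    """Unsalted, fast hash: what a weak site might store."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(leaked, wordlist):
    """Dictionary attack on unsalted fast hashes.

    leaked maps username -> stored hash. Each wordlist entry is hashed once and
    the table is reused for every user. Returns (found, hash_computations).
    """
    table = {fast_hash(w): w for w in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(wordlist)


def slow_salted_hash(password, salt=None, iterations=600_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256,
    standing in for bcrypt). The stored string carries salt and cost, as bcrypt does."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify(password, stored):
    """Re-derive with the stored salt and cost, then compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_salted(leaked, wordlist):
    """Same dictionary attack against salted slow hashes: no shared table is
    possible, so every (user, guess) pair costs a full KDF run.
    Returns (found, kdf_runs)."""
    found, runs = {}, 0
    for user, stored in leaked.items():
        for w in wordlist:
            runs += 1
            if verify(w, stored):
                found[user] = w
                break
    return found, runs


if __name__ == "__main__":
    # Constructed leaks: alice and bob share a weak password, carol's is not in the wordlist.
    leaked_fast = {u: fast_hash(p) for u, p in
                   [("alice", "letmein"), ("bob", "letmein"), ("carol", "zebra-unique-99")]}
    leaked_slow = {u: slow_salted_hash(p, iterations=20_000) for u, p in
                   [("alice", "letmein"), ("bob", "letmein"), ("carol", "zebra-unique-99")]}
    print("identical unsalted hashes for alice/bob:", leaked_fast["alice"] == leaked_fast["bob"])
    print("unsalted:", crack_unsalted(leaked_fast, WORDLIST))
    print("salted slow:", crack_salted(leaked_slow, WORDLIST))
```

Two things show up in the output: with unsalted hashes, users who chose the same password are visible as duplicates before any cracking starts, and the whole leak is cracked for the price of one hash per wordlist entry. With salted slow hashes the work scales with users multiplied by guesses, and each guess costs a full KDF run at the cost parameter the site chose. That is why a bcrypt leak still calls for password resets but is far less immediately exploitable than a plaintext or unsalted-hash leak.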
Date: January 2021
Impact: 12.3 million records
In 2021, a cybercriminal accessed customer data on a Bonobos backup server, resulting in a data breach. Bonobos’ private internal information was kept separate from this database in order to maintain privacy, but threat actors could still make use of the stolen customer data.
Date: September 2022
Impact: 9.8 million customers
Cybercriminals gained access to Optus’ systems and obtained a customer database holding information on up to 9.8 million people. The exposed records dated back to 2017.
Most states and countries have legislation covering security breaches involving personal information, with varying levels of comprehensiveness. You will need to follow it after a breach; otherwise you could face severe consequences.
The General Data Protection Regulation (GDPR) is a good example of legislation with severe penalties for non-compliance. In the event of a breach, you are required to notify the supervisory authority within 72 hours of becoming aware of it, and affected individuals without undue delay where the risk to them is high; failure to do so can bring fines of up to €20M or 4% of the previous year’s global annual turnover, whichever is higher.
You must safeguard your systems immediately after a breach to prevent further data loss; according to IBM’s 2020 analysis, doing so could save an average of $164,386. Do it the right way so that you do not obstruct a criminal investigation: for instance, preserve logs and images of affected systems before wiping and rebuilding them. Here are some recommended best practices.
Legally speaking, failing to alert the appropriate parties about a breach at the appropriate time can bring a hefty penalty (such as the $35 million the SEC fined Yahoo for failing to tell investors for over two years).
Notification is more than a legal requirement, though; it is also about keeping your customers’ trust (and money). As Uber learned in 2018, concealing a breach from your users is a disastrous PR decision.
Notify your users, business partners, law enforcement and other relevant parties so that you avoid penalties and keep your relationship with users from deteriorating further.
After a breach you can always investigate why it happened and take the necessary steps to prevent a repeat. It is not acceptable to cross your fingers and hope that the other security measures you have in place will hold once the immediate threat of your latest cyberattack has passed. To prevent future incidents and lessen the overall impact on the company, that means auditing and fixing other weaknesses in your systems promptly.
Data breaches are the biggest issue in both government and corporate information security today. As the number of cases increases, more preventive measures are being taken: governments have published data privacy laws, organizations are adopting data privacy measures, and users are more careful about sharing their data on the internet. Various companies have started to build products to protect consumer data. ODE Infinity, for example, is building solutions such as Coconut, which acts as an intermediary to make things clear between organizations and users: users can see what data other organizations are using and can request that their data be removed.