What is a data breach?

Criminals use extracted data in many ways. Threat actors could demand ransoms, sell data, or use it to build profiles for phishing attacks. In all cases, organizations risk financial and reputational damage and should take robust precautions to limit data breaches.

How does a data breach happen?

Data breaches have three main causes: organized attacks by cyber criminals, mistakes by network users, or malicious action by insiders.

Innocent mistakes

Innocent errors occur when employees handle data unsafely. For example, employees may leave laptops in public places, allowing unauthorized individuals to access them. They may also send data to unauthorized contacts or lose devices containing sensitive data.

Network users' mistakes also enable many phishing attacks. Phishers use social engineering to write emails, SMS messages, or website content that deceives employees. Employees download attachments or run applications that seem legitimate but implant malware on their devices. These malware agents then begin extracting data.

Mistakes happen. However, companies increase the risks by failing to train employees and not implementing fail-safes to handle data breach incidents.

Malicious insiders

Insider threats use their privileged position to access networks and extract data. They may be angry at bosses or organizations or seek to gain by selling data to third parties. For example, competitors may use insiders to obtain data about new products or business strategies.

These attacks happen when organizations fail to manage user privileges properly. Organizations grant users excessive freedom to access data resources when they should limit lateral movement by implementing the principle of least privilege.

Companies may also fail to delete orphaned accounts. Ex-employees may use these accounts to access and move data.

Cybercriminals

Cybercriminals use many techniques to breach network boundaries and access data containers. Common weaknesses include weak passwords, unencrypted data, code exploits, and malware infections.

Attackers may remain undetected for long periods as they extract data. They can then sell data they obtain on the dark web. Other attacks use ransomware agents to encrypt target devices, steal data, and demand payment.

These attacks occur when companies fail to defend their network edge. Criminals breach poorly configured firewalls or use credential stuffing to exploit weak password policies. They could gain access via unencrypted remote access connections or run code exploits on unpatched applications.

What are the typical targets for data breaches?

Data breaches have various targets. Attackers may seek financial gain or data to assume the identities of targeted individuals. Some attacks involve corporate espionage, while others are purely malicious, seeking to damage organizations and ruin their reputations.

Financial databases

Attackers seeking maximum financial gains tend to target high-value data. Targets include financial data such as bank login passwords, IDs, and credit card data. They use this information to access bank accounts connected to their targets and withdraw funds until blocked.

Targets in this category include any organizations that hold or process customer financial data. This includes banks and insurers, e-commerce companies, and other online businesses.

Personal data

A data breach may also seek to extract and store personally identifiable information (PII). PII includes addresses, phone numbers, and social security numbers. These data types identify individuals. Criminals can use them to build profiles and carry out identity theft attacks.

Skilled identity thieves can leverage PII to access bank accounts, take out loans, obtain credit cards, or purchase crypto-currencies.

Every organization storing client information stores some personal data. However, high-value targets in this category include government bodies and education providers.

Health-related data

Some data breaches target protected health information (PHI). As with PII, criminals use PHI to profile targets and assume identities. Health data includes personal information that adds authenticity to stolen identities. This makes it easier to access funds or financial products.

Attackers may also target confidential health information about treatments, conditions, and providers to blackmail their victims.

Targets in this category tend to include healthcare providers, insurers, and clearinghouses. However, third-party business associates like health app developers or medical appliance manufacturers may also store PHI.

Corporate espionage

Organizations rely on confidential data to develop applications, research new products, and manage client relations. Attackers may seek corporate data to copy products or gain access to client databases.

Criminals may also use business data to run secondary attacks like business email compromise scams. Phishers use private data to convince high-status employees to pay fake invoices and make risky money transfers.

Types of data breaches

Data breaches have many targets and also come in many forms. Companies must know breach types that affect their operations and implement appropriate cybersecurity measures. Common types of data breach include:

Ransomware

Ransomware attacks lock targeted devices using encryption. Attackers demand a financial ransom to unlock devices. They often also use their position of power to extract data (secondary ransomware attacks). In these attacks, victims may pay twice to unlock their systems and to retrieve stolen data.

Credential stuffing

Attackers obtain personal data from potential victims and may also know passwords they use on other websites. They use this information to guess passwords, using as many variations as possible until they gain access.

Keyloggers

Keyloggers are malware designed to record every keystroke on a targeted device. They capture sensitive data like login credentials, credit card numbers, and personal messages. Keyloggers can infect systems through phishing emails, malicious downloads, or compromised software. Some keyloggers operate at the hardware level, making detection harder. This stolen information is often used for identity theft or financial fraud.

Phishing

Phishers seek to persuade targets to take risky actions like downloading attachments or entering data into fake websites. When attackers succeed, they generally infect targeted devices with malware or gain access to sensitive information.

Phishers commonly use emails to impersonate legitimate contacts via social engineering. This could include business associates, colleagues, family members, or reputable companies. Other techniques use SMS messaging or phone calls to achieve the same results.

Exploits and SQL injection

Cyber attackers leverage code vulnerabilities in applications or devices connected to the public internet. Targets include operating systems, APIs, collaboration tools, and web applications.

SQL injection attacks also target vulnerabilities, this time in the Structured Query Language used to manage databases. Attackers enter malicious code into undefended fields, potentially extracting information within the database.

Supply chain attacks

Supply chain attacks target third-party vendors that supply large numbers of downstream clients. Many cloud vendors store or process data on behalf of companies. If attackers breach the defenses of these suppliers, they may be able to extract data from hundreds of other companies.

Data theft

Around 17% of data breaches result from physical theft. Employees may work remotely in public spaces and leave work laptops unattended. Departing employees may take office devices with them when they leave, while commuters can leave work devices on public transport.

What damage can a data breach do?

The most immediate impact of data breaches is financial. According to IBM, the average cost of a data breach in 2024 was $4.88 million. This figure includes compensation paid to victims, the cost of remediation, and ransom payments (if any) made to attackers.

Breaches also often damage business continuity. Attacks may take critical systems offline, making them unavailable to customers.

Eventual costs can be far higher if regulators act. In 2023, Meta received a $1.2 billion fine from EU regulators for GDPR violations. In the USA, T-Mobile paid a $31.5 million settlement after failing to protect customer location data.

Lawsuits can also result from data breach attacks. For example, credit broker Equifax had to pay $425 million after courts awarded damages to victims of a high-profile 2017 data exposure.

Financial payments and penalties are not the only damage caused by data breaches. Companies also suffer lasting reputational harm following data breach attacks. Customers lose trust in their security policies and move their business elsewhere.

In the worst cases, data breaches lead to business failure or may worsen the prospects of struggling businesses.

National Public Data is a great example. The data processing firm suffered a data breach in December 2023, exposing data from 270 million users. It filed for bankruptcy a few months later, citing mounting costs from compensation and class action lawsuits.

How to prevent a data breach

The consequences above demonstrate the importance of a data breach prevention strategy. We cover this topic in more detail in our how to prevent data breaches guide.

These best practices summarize how to block data theft:

• Train employees to spot phishing emails and avoid risky behavior
• Enforce strong, regularly changed passwords
• Protect the network edge with multi-factor authentication (MFA)
• Update applications regularly to avoid exploit attacks
• Use the principle of least privilege to limit access to sensitive information
• Use a firewall to implement network segmentation strategies
• Regularly backup critical data and store data in a secure location
• Understand your data security compliance obligations, including reporting and managing incidents
  
  

NordLayer can help you implement these best practices. Assign limited network access rights and multi-layered authentication methods with Identity and Access Management (IAM) solutions. Implement strong Zero Trust network security principles with features like Cloud Firewall, IP allowlisting, and Device Posture Security. Establish secure remote connections and encrypt all data in transit with Business VPN solutions. Ensure your employees have secure internet access by masking their IP addresses, restricting access to malicious websites, and scanning all downloads for malware.