What Is A Data Breach?

Individually or as a business, many have fallen victim to a data breach, and such security breaches hit the headlines regularly: the Virgin Media data leak; the £20 million British Airways fine; the EasyJet cyberattack affecting nine million customers. As we spend more time online, so does the personal information we give away every day, and cybercriminals can make a decent living from stealing and selling it.

Data breaches can have lasting complications, both financial and emotional. So, how much do you know about these security incidents? We’ll guide you through some of the more common questions and advise you on how to act if you fall victim.

Data breaches explained

A data breach occurs when private or confidential information is accessed, viewed, altered, destroyed, stolen or sold on without the authorisation of the person or organisation it belongs to. Data breaches can happen through cybercriminals hacking into a system; scams on businesses and individuals; weak passwords; theft of hardware, such as a laptop holding unencrypted data; searching rubbish for personally identifiable information, such as an unshredded credit card bill; or documents left in public places.

The data involved may or may not identify you directly: an email address and password, account login details, passport or driving licence details, credit or debit card numbers, bank account details and much more. Stolen data can be used to forge documents, such as a passport, that duplicate the original. In the worst case, your whole identity could be taken over and used by someone else.

CLICK HERE for a FREE FraudWeb Search

How is a breach accomplished?

There are a number of ways your data can be accessed, either accidentally or through targeted attacks.

With more people working from home on better connections, opportunist cyber burglars are rife. Human error is often the cause of a data breach: a mobile phone, laptop or set of documents left on a train, or stolen from a car or home. If a stolen device is not password protected and encrypted, whoever has it can easily retrieve the data. An email containing personal details sent to the wrong recipient, or an employee copying or altering data, also counts as a breach, because the recipient has no authorisation to view it.

Not all data breaches involve your data being accessed online; cybercriminals are resourceful in collecting information. Debit and credit card skimming (also known as card cloning) happens when an electronic device is used to copy your card details. This happens predominantly at ATMs, but occasionally in-store if a device has been fitted to a card reader.

Cybercriminals can also reach databases using malware. Malware exploits out-of-date software on a device, giving the attacker an ‘open window’ into a system. It can be installed by clicking a fraudulent link or visiting a compromised web page, after which the attacker uses that window into the network to steal data, money or identities, and even to open new accounts in the victim’s name.

Social engineering is a form of psychological manipulation, not unlike the work of a conman. It works by dishonestly building trust with someone; people are seen as an easier target than a well-defended computer system.

Our FraudWeb searches DATA BREACHES and MORE...
  • Emails
  • Postal address
  • Bank accounts
  • Credit card
  • Phone number
  • Online logins
  • National insurance number
  • Passport number
  • Driving licence

What do companies need to do if they discover a security breach?

In the UK, organisations are required to report certain personal data breaches to the relevant supervisory authority, the ICO (Information Commissioner’s Office), within 72 hours of becoming aware of the breach.

Not all breaches need to be reported. Once the situation has been thoroughly assessed, if the breach is unlikely to pose a risk to people’s rights and freedoms, the organisation may not need to inform the ICO. The ICO (and, for regulated financial firms, the FCA, the Financial Conduct Authority) does, however, have the power to fine businesses that have not taken adequate steps.

The ICO’s site gives a brief bullet-point list, reproduced below, along with more detailed guidance where it is needed:

  • The UK GDPR introduces a duty on all organisations to report certain personal data breaches to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
  • If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
  • You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority or the affected individuals or both.
  • You must also keep a record of any personal data breaches, regardless of whether you are required to notify.

Data breach examples

Databases from large organisations are attractive to cybercriminals due to the volume of information they can obtain in one action. There have been some prominent attacks on well-known organisations over the last few years.

In November 2019, dark web researcher Vinny Troia discovered 1.2 billion records exposed online. They listed people’s names, email addresses, linked social media accounts and job titles. Troia said the data was easy to find and easily accessible, and he could not confirm whether others had viewed or downloaded it before his discovery. Indications were that one of the sources of the information was People Data Labs (PDL), but PDL stated that it did not own the server, and researchers subsequently confirmed this was likely true.

The Virgin Media data breach happened after a marketing database was left accessible from April 2019 until the company’s announcement in March 2020. Up to 900,000 people were affected by the leak. Virgin Media said it was not the result of a cyberattack but of an ‘incorrectly configured’ database.

In January 2020, a highly sophisticated cyberattack on EasyJet saw nine million customer records stolen. Detailed personal information was taken, such as names, addresses, travel dates and destinations, and in some cases credit card details.

British Airways suffered an attack in which the personal details of around 420,000 people were taken. Between August and September 2018, names, addresses and credit and debit card details (including the CVV) were harvested. The ICO later fined British Airways £20 million for ‘poor security arrangements’.

Morrisons is another prominent organisation to have suffered a data leak. In 2014, a disgruntled employee leaked the payroll details of approximately 100,000 members of staff and simultaneously notified the newspapers. The employee had legitimate access to the data but bore a grudge against his employer, seeking revenge for a verbal disciplinary warning. He was jailed for his role.

What could happen to my stolen data?

Selling stolen data on the dark web is a lucrative business for cybercriminals. Data can fetch anything from a few cents to hundreds of dollars. Price estimates vary significantly, not only because some details are worth more than others (a set of full banking details versus a Netflix account, say) but also because of how easily they can be turned into money.

Researchers from Privacy Affairs surveyed dark web markets to see what pieces of information are for sale and at what price (prices in US dollars):

Item                                          Price (USD)
Netflix account                               $0.50
Hacked Facebook account                       $74.50
Hacked Gmail account                          $155.73
Stolen PayPal details                         $198.56
Driving licence (US), depending on quality    $70 - $550
Passport (US, Canada, Europe)                 $1,500
Full medical record                           $1,000
1,000 followers/likes on Instagram            $7
Cloned Visa card with PIN                     $25
Bank account login, minimum $100 balance      $35
Malware                                       $70 - $6,000

The table above does not list everything that can, and will, be sold on the dark web, but it shows how valuable even a small portion of your data can be.

Can I prevent a data breach?

As an individual, you cannot prevent a large-scale cyberattack on an organisation, but you can step up your personal security. Be aware that anyone who uses a device connected to the internet, from your children to your business, is at risk from hackers. Checking whether your personal information is already for sale is one of the quickest ways to find out whether you need to act.

  • Use a safe and secure way of monitoring whether your details are available to cybercriminals, such as our Fraudweb Lite or Fraudweb Full.
  • Ensure all software is up to date. Many updates contain security patches that close the holes malware relies on.
  • Download McAfee Total Protection onto your devices with your Notty account. This helps protect your devices against many types of malware.
  • Use a different password for every site or account. Combine upper and lower case letters, numbers and special characters, and the longer the better: with modern GPU hardware, every possible 8-character password can be tried in a matter of hours against the fast hashing schemes many systems still use, so aim for 12 characters or more, or a passphrase of several words. McAfee Total Protection includes a password manager that stores your passwords for you, so you do not have to rely on memory.
  • Where possible, use two-factor authentication (a form of multi-factor authentication). This adds another layer of security when signing in, such as a one-time code from an authenticator app, a fingerprint or facial ID, so a stolen password alone is not enough.
  • Monitor bank statements and credit reports regularly for unusual activity or transactions you did not make.
  • Check that a site uses HTTPS (the ‘S’ after ‘HTTP’ in the address bar) before entering any details. HTTPS means your connection to the site is encrypted and cannot be read in transit; it does not mean the site itself is trustworthy, since fraudulent sites can use HTTPS too, so check the address as well.
  • With your Notty account, take advantage of the free dark web searches we perform to see whether any of your details are for sale. We do not place your details on the dark web during the search, and if they are found we will notify you and tell you what to do next.
  • Never click suspicious links in emails, and never give out details to an unsolicited caller. Reputable companies will not ask for passwords or full card details via email or over the telephone.
Don’t be a Victim! Stay ahead, don’t be tangled in a Notty!
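To show what “checking whether a password has appeared in a breach without handing over the password” looks like in practice, here is an added example in Python. It is not part of the original page and is not FraudWeb’s own code or method; it implements the k-anonymity range-lookup pattern that public breached-password services use: the client hashes the password with SHA-1 and sends only the first five hex characters, the server returns every hash suffix in its corpus with that prefix, and the client does the final match locally, so the server never learns the password or its full hash. The corpus, its leak counts and the 12-character minimum are constructed assumptions for the example, the last one taken from the advice above.

```python
import hashlib
import hmac

PREFIX_LEN = 5  # hex characters (20 bits) of the SHA-1 hash that the client reveals


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as uppercase hex (the form range-lookup services use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: {sha1_hex(password): number of times seen in leaks}.
# The passwords and counts are made up for this example; a real corpus holds
# hundreds of millions of entries and lives on the server side.
CONSTRUCTED_CORPUS = {
    sha1_hex("password"): 3861493,
    sha1_hex("123456"): 23597311,
    sha1_hex("letmein"): 244948,
    sha1_hex("Summer2020!"): 1142,
}


class RangeServer:
    """Server side of the lookup. It only ever receives a 5-character prefix."""

    def __init__(self, corpus):
        self.corpus = corpus
        self.received = []  # everything the client sent, kept to demonstrate the privacy property

    def lookup(self, prefix: str) -> dict:
        """Return every {suffix: count} in the corpus whose hash starts with prefix."""
        self.received.append(prefix)
        return {h[PREFIX_LEN:]: n for h, n in self.corpus.items() if h.startswith(prefix)}


def breach_count(password: str, server: RangeServer) -> int:
    """Client side. Returns how many times the password appears in the corpus (0 = not found)."""
    full = sha1_hex(password)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    for candidate_suffix, count in server.lookup(prefix).items():
        # Constant-time comparison so the time taken does not leak whether a suffix matched.
        if hmac.compare_digest(candidate_suffix, suffix):
            return count
    return 0


def assess(password: str, server: RangeServer, min_len: int = 12) -> dict:
    """Combine the breach check with the length advice: a password is acceptable
    only if it has never been seen in a leak and is at least min_len characters."""
    count = breach_count(password, server)
    return {
        "breached": count > 0,
        "seen_count": count,
        "long_enough": len(password) >= min_len,
        "acceptable": count == 0 and len(password) >= min_len,
    }


if __name__ == "__main__":
    srv = RangeServer(CONSTRUCTED_CORPUS)
    for pw in ["password", "Summer2020!", "correct horse battery staple"]:
        print(pw, assess(pw, srv))
    # The server only ever saw 5-character prefixes, never a password or full hash.
    print("server received:", srv.received)
```

The point of the split is that a 5-character prefix matches a large number of unrelated hashes in a real corpus, so even a server that logs every request cannot tell which password a client was checking; the client, on the other hand, learns exactly what it needs.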

What should I do if I’m a victim of a breach?

If a company has suffered a data breach that is likely to put people at high risk, it has a duty to inform the ICO within 72 hours and the affected individuals without undue delay. If it fails to do so, the ICO has the power to fine it up to £8.7 million or 2% of global annual turnover, whichever is higher.

Act quickly! If a company contacts you to say it has had a data leak, there are a number of things you should do:

  • The main thing is to stay aware of what is happening with your data after a leak, because it is now available for cybercriminals to use. Fraudweb Full monitors a full range of your personal information, including credit and debit cards, passport details, driving licence, logins, passwords, bank accounts and more, with ongoing searches for any sign your information is being used and alerts if anything is found.
  • Change the password on the affected account straight away, and on any other account where you reused it, and turn on two-factor authentication if it is offered.
  • Monitor your bank accounts and credit reports for at least a few months. If there are suspicious transactions on a bank or credit card statement, contact the bank immediately.
  • If you start receiving cold calls claiming to be from the company, ask the caller to confirm details about your account, such as the monthly cost of the service or the date of the direct debit. If in doubt, end the call and ring back on a number you have looked up yourself rather than one the caller supplies, ideally from a different phone.
  • If the data loss causes distress or financial harm, you may have a case for compensation. Lodge a complaint with the company that suffered the breach, and you can also inform the ICO. The ICO cannot award compensation, but a complaint to it may add weight to your case.

If you have been the victim of a data breach, your personal information could be used by cybercriminals for years. Ongoing monitoring is the best way to know whether it is being used and what information is still at risk.

Your FREE Notty Account helps you Find, Protect and Profile your online self.
