Data breach


A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak, information leakage and also data spill. Incidents range from concerted attacks by black hats, or individuals who hack for some kind of personal gain, associated with organized crime, political activist or national governments to careless disposal of used computer equipment or data storage media and unhackable source.
Definition: "A data breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so."
Data breaches may involve financial information such as credit card or bank details, personal health information, Personally identifiable information, trade secrets of corporations or intellectual property. Most data breaches involve overexposed and vulnerable unstructured data – files, documents, and sensitive information.
Data breaches can be quite costly to organizations with direct costs and indirect costs
According to the nonprofit consumer organization Privacy Rights Clearinghouse, a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the United States between January 2005 and May 2008, excluding incidents where sensitive data was apparently not actually exposed.
Many jurisdictions have passed data breach notification laws, requiring a company that has been subject to a data breach to inform customers and takes other steps to remediate possible injuries.

Definition

A data breach may include incidents such as theft or loss of digital media such as computer tapes, hard drives, or laptop computers containing such media upon which such information is stored unencrypted, posting such information on the world wide web or on a computer otherwise accessible from the Internet without proper information security precautions, transfer of such information to a system which is not completely open but is not appropriately or formally accredited for security at the approved level, such as unencrypted e-mail, or transfer of such information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.
ISO/IEC 27040 defines a data breach as: compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed.

Trust and privacy

The notion of a trusted environment is somewhat fluid. The departure of a trusted staff member with access to sensitive information can become a data breach if the staff member retains access to the data after termination of the trust relationship. In distributed systems, this can also occur with a breakdown in a web of trust. Data quality is one way of reducing the risk of a data breach, partly because it allows the owner of the data to rate data according to importance and give better protection to more important data.
Most such incidents publicized in the media involve private information on individuals, e.g. social security numbers. Loss of corporate information such as trade secrets, sensitive corporate information, and details of contracts, or of government information is frequently unreported, as there is no compelling reason to do so in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.

Insider versus external threats

Those working inside an organization are a major cause of data breaches. Estimates of breaches caused by accidental "human factor" errors range from 37% by Ponemon Institute to 14% by the Verizon 2013 Data Breach Investigations Report. The external threat category includes hackers, cybercriminal organizations and state-sponsored actors. Professional associations for IT asset managers work aggressively with IT professionals to educate them on for both internal and external threats to IT assets, software and information. While security prevention may deflect a high percentage of attempts, ultimately a motivated attacker will likely find a way into any given network. One of the top 10 quotes from Cisco CEO John Chambers is, "There are two types of companies: those that have been hacked, and those that don't know they have been hacked." FBI Special Agent for Cyber Special Operations Leo Taddeo warned on Bloomberg television, "The notion that you can protect your perimeter is falling by the wayside & detection is now critical."

Medical data breach

Some celebrities have found themselves to be the victims of inappropriate medical record access breaches, albeit more so on an individual basis, not part of a typically much larger breach. Given the series of medical data breaches and the lack of public trust, some countries have :Category:Medical privacy legislation|enacted laws requiring safeguards to be put in place to protect the security and confidentiality of medical information as it is shared electronically and to give patients some important rights to monitor their medical records and receive notification for loss and unauthorized acquisition of health information. The United States and the EU have imposed mandatory medical data breach notifications. Reportable breaches of medical information are increasingly common in the United States.

Consequences

Although such incidents pose the risk of identity theft or other serious consequences, in most cases there is no lasting damage; either the breach in security is remedied before the information is accessed by unscrupulous people, or the thief is only interested in the hardware stolen, not the data it contains. Nevertheless, when such incidents become publicly known, it is customary for the offending party to attempt to mitigate damages by providing to the victim's subscription to a credit reporting agency, for instance, new credit cards, or other instruments. In the case of Target, the 2013 breach cost Target a significant drop in profit, which dove an estimated 40 percent in the 4th quarter of the year. At the end of 2015, Target published a report claiming a total loss of $290 million to data breach related fees.
The Yahoo breach disclosed in 2016 may be one of the most expensive today. It may lower the price of its acquisition by Verizon by $1 billion. Verizon later released their renegotiation to Yahoo agreeing to lower the final price from $4.8 to $4.48 billion. Cybercrime cost energy and utilities companies an average of $12.8 million each year in lost business and damaged equipment according to DNV GL, an international certification body and classification society based in Norway. Data breaches cost healthcare organizations $6.2 billion in the last two years, according to a Ponemon study.
In health care, more than 25 million people have had their health care stolen, resulting in the identity theft of more than 6 million people, and the out-of-pocket cost of victims is close to $56 billion.
It is notoriously difficult to obtain information on direct and indirect value loss resulting from a data breach. A common approach to assess the impact of data breaches is to study the market reaction to such an incident as proxy for the economic consequences. This is typically conducted through the use of event studies, where a measure of the event's economic impact can be constructed by using the security prices observed over a relatively short period of time. Several studies such studies have been published with varying findings, including works by Kannan, Rees, and Sridhar, Cavusoglu, Mishra, and Raghunathan, Campbell, Gordon, Loeb, and Lei as well as Schatz and Bashroush.

Major incidents

Notable incidents include:

2005