How Data Leaks Happen
A data leak, where sensitive data is exposed to unauthorized parties, can be an expensive and hair-raising experience for business leaders. That’s why companies and their security pros are paying close attention to data leaks and their effects on business as they work to secure their systems against them. Here is some information on data leaks so that you can be better prepared for this type of problem.
What Is a Data Leak?
Data leaks, by their definition, may or may not be intentional. Some kinds of data leaks involve malicious actors who are trying to get things to sell on the dark web, or assaulting a network for other purposes. But other kinds of data leaks are just unfortunate mistakes.
Experts define a data leak as a situation where sensitive data gets exposed, regardless of whether hacking is involved. In a data leak, that data is leaked beyond the specific set of users that is authorized to view it. In many situations, it is leaked to the public, or held by nefarious parties who will sell it for a price.
Data leaks can lead to things like identity theft, theft of trade secrets and other kinds of harmful results. Companies are realizing that they need to be proactive about preventing data leaks, and put plans in place to mitigate any data leaks that occur.
What Causes a Data Leak?
We’ll talk a bit about some fundamental types of data leaks.
Insufficient Password Policies
One cause of a data leak is related to passwords and password hygiene. Passwords are, in essence, the keys to the gates that open network systems to reveal their data. That means companies have to really monitor how passwords are used.
If somebody mistakenly publishes a user’s private passwords to the public, that’s a data leak. It’s also a data leak if hackers resort to methods like social engineering and credential stuffing to get those passwords and use them to unlock the network.
In fact, that’s one new trend in password-related hacking. Credential stuffing involves a type of brute force attack that takes existing stolen passwords and plugs them into other platforms in order to gain access. The idea is that because so many people reuse the same password for multiple sites, even fairly innocuous web crawling or hacking can deliver the keys that can be used to broaden a hacker’s area of access. Credential stuffing is a nasty, wide-ranging business. Some hackers even sell initial password and credential lists on the dark web that other malicious actors can then use in their own credential stuffing attacks.
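From the defender's side, credential stuffing shows up in authentication logs as one source trying many different accounts with a very low success rate, which per-account lockout does not catch. The following detection sketch is an added example, not part of the original article; the event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth events: (source_ip, username, login_succeeded)
SAMPLE_EVENTS = (
    # One source walking a leaked list: 40 accounts, a single reused password works.
    [("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]
    # One legitimate user mistyping a password, then getting it right.
    + [("198.51.100.4", "alice@example.com", False)] * 3
    + [("198.51.100.4", "alice@example.com", True)]
    + [("192.0.2.10", "bob@example.com", True)]
)

def find_stuffing_sources(events, min_accounts=20, max_success_ratio=0.1):
    """Flag sources that try many distinct accounts and mostly fail.

    Thresholds are illustrative assumptions; tune them to real traffic.
    """
    accounts = defaultdict(set)      # ip -> distinct usernames tried
    attempts = defaultdict(int)      # ip -> total login attempts
    hit_accounts = defaultdict(set)  # ip -> usernames that logged in successfully
    successes = defaultdict(int)
    for ip, user, ok in events:
        user = user.lower()
        accounts[ip].add(user)
        attempts[ip] += 1
        if ok:
            successes[ip] += 1
            hit_accounts[ip].add(user)

    flagged = {}
    for ip, tried in accounts.items():
        ratio = successes[ip] / attempts[ip]
        if len(tried) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_accounts": len(tried),
                "attempts": attempts[ip],
                "success_ratio": round(ratio, 3),
                # Accounts where the reused password worked: force a reset.
                "accounts_to_reset": sorted(hit_accounts[ip]),
            }
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, stats)
```

The accounts listed under `accounts_to_reset` are the ones whose reused password actually worked, so they are the first candidates for a forced reset and session revocation.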
Another type of data leak involves insecure file sharing or accidental publishing.
Suppose there’s sensitive data in a document or file that’s held internally in the network. Someone, say a data engineer, wants to send it to an analyst or someone in a C-level role, or someone else in the organization, but instead they mistakenly hit ‘reply all’ and send it to 50 people. This type of accident is considered a data leak since the information contained in the email was distributed to people for whom it wasn’t intended, even if they’re all part of the same organization.
User-related accidents like this happen all too often, whether it’s replying all on an email, accidentally sending the data to the wrong person or even just leaving sensitive data accessible to unauthorized eyes. Accidental user actions can lead to detrimental data leaks, and can be particularly damaging to businesses that go through the painstaking process of segmenting their access.
Insecure Applications and Websites
Another example of data leaks has to do with using applications in improper ways. Someone might mistakenly send sensitive data from a peripheral application through communications platforms where it winds up vulnerable to theft. Or, specific kinds of hacking can take that data through an unsecured API.
Employees often rely on many apps and websites in order to complete their daily tasks, but each of these applications and sites comes with its own risks and vulnerabilities. Between unsecured and stolen API keys and vulnerable backdoors to apps, hackers are exploiting the service supply chain to conduct their attacks.
That leads into one of the broader fundamental types of data leaks – data breaches. Hackers have all sorts of creative and inventive ways of drawing that sensitive data out of systems and revealing it for the world to see!
Essentially, how these hacks happen is related to the spectrum of vulnerabilities that hackers might spy as they roam the digital seas. These include things like devices left unsecured, users sending unencrypted emails, or failing to securely delete confidential files. Then there’s connecting to unsecured wireless networks, downloading files through peer-to-peer sharing networks, and using personal apps and devices for sending and receiving files, all of which can give black hats access to a system.
How Does a Data Leak Affect Me?
Now let’s talk about what data leaks do as their effects reverberate around a network and its environment.
For a business leader, data leaks are costly. They may involve expensive and difficult remediation, too, and often need to be addressed immediately. With an estimated average cost of over $100 per record, as per the Ponemon/IBM study on the subject, they also affect the bottom line in a big way.
For a company’s frontline employees, data leaks are extra work. When the alarm bells ring, the data leak becomes top priority, and other kinds of work may get ignored. So protecting against data leaks is helpful to the employee, too.
But some of the worst aspects of data leaks are experienced by the consumer. A data leak often means the public exposure of the customer’s identifiable or financial information – names, Social Security numbers, credit card information and more. Being a victim of an organization’s data leak opens customers up to attack. Data leaks leave customers vulnerable to identity theft, or their private data may be sold on the dark web. For consumers, a lot of the effect of the data leak is in the uncertainty that follows, and the chore of checking on their own data and identity security.
Examples of Data Leaks
These real life examples of data leaks prove the need for dynamic data protections.
In a recent data leak this year, the Neopets company reported it was the victim of a data breach that exposed the information of 69 million users, and spokespersons specifically indicated email addresses and passwords were taken. Hackers reportedly also stole the Neopets source code.
News of a third party database breach at the social media engine has led to significant confusion. Forbes is reporting on hackers’ assertions that they took “internal backend source code” and data connected to 2 billion accounts. Meanwhile, TikTok spokespersons have denied that data was exposed.
An Oktapus data leak affected 130 companies, including Cloudflare and DoorDash, as well as all three major telecom carriers (AT&T, Verizon, and T-Mobile). In this case, the data consisted of exposed Personally Identifiable Information where hackers reportedly targeted mailing lists.
In 2018, the hotel chain had to deal with the compromising of 500 million customer accounts. “Staff and customer information” was exposed, according to public reports, including customer credit card details, in a massive 20GB data hack. Spokespersons have characterized it as a leak at least partially accomplished through social engineering.
Best Practices for Data Leak Prevention
Companies are best protected against data leaks and associated breaches by following these best practices.
Securing Data and Hardware
Data and hardware security is a very core part of company cybersecurity. A collection of techniques helps to harden systems in this way.
End-to-end encryption is one of these. End-to-end encryption means that even if hackers are able to get access to some type of data stream through a system, all they’re getting is a mishmash of text characters. They are unable to use the results, because the data is encrypted and effectively shielded from outside eyes as it moves through the architecture.
Companies can also focus on endpoint protection, monitoring devices like smartphones and computers in specific ways.
Backing up data is also a best practice for protecting against ransomware attacks and other instances where the stolen data could mean business interruptions.
Of course, companies also have to secure hardware through good on-premise management and prevent employees from stealing or releasing data through personal devices. That type of site security is another pillar of hardware protection that can cut down on the chances of a data leak.
Data Classification and Discovery
This type of work is also key to preventing data leaks.
Modern professionals are often talking about something called data governance, which involves procedures for handling business data.
They talk about data stewardship, where specific roles have the responsibility to fine-tune data governance.
They also talk about something called a data catalog.
What all of these things have in common is that they contribute to a better classification and ordering of data assets. Why is this important? Because when these things are organized, you can analyze them deeply in a way that promotes better cybersecurity outcomes.
Companies can tag data that is more sensitive and give it better protection. They can start to anticipate where vulnerabilities might be, and limit how data gets used without opening up sensitive data to exposure.
By doing so, the data catalog process and classification has a clear, functional impact on preventing data leaks.
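A small discovery pass shows how tagging can work in practice: scan each record for the identifiers this article names (Social Security numbers, credit card numbers), validate card candidates with the Luhn checksum to cut false positives, and assign a sensitivity label. This is an added example, not part of the original article; the label names, patterns and sample records are assumptions constructed for illustration.

```python
import re

# US SSN shape, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from order ids and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return (sensitivity_label, tags). Labels are hypothetical tiers."""
    tags = set()
    if SSN_RE.search(text):
        tags.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            tags.add("payment_card")
    if EMAIL_RE.search(text):
        tags.add("email")
    if tags & {"ssn", "payment_card"}:
        return "restricted", sorted(tags)
    return ("confidential" if tags else "internal"), sorted(tags)

# Constructed sample records (test card number and made-up SSN).
SAMPLE_RECORDS = {
    "crm_export.csv": "Jane Doe,123-45-6789,4111 1111 1111 1111",
    "support_ticket.txt": "Contact jane@example.com about order 1234567890123456",
    "roadmap.md": "Quarterly roadmap draft",
}

def build_catalog(records):
    """Map each record name to its label and tags, as a minimal data catalog."""
    return {name: classify(body) for name, body in records.items()}

if __name__ == "__main__":
    for name, (label, tags) in build_catalog(SAMPLE_RECORDS).items():
        print(f"{name}: {label} {tags}")
```

Note that the 16-digit order number in the support ticket is not tagged as a card because it fails the Luhn check, so the record is labelled on its email address alone.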
Password Hygiene and Multifactor Authentication
Companies are also working on hardening systems by making users create stronger passwords. But beyond that they’re also taking advantage of multifactor authentication, where smartphones are used as an additional validation device. This can reduce some of the risks around password sharing, because hackers can only get access if they have the credentials, along with someone’s smartphone. So MFA is an integral part of protecting systems.
Vendor Risk Management
As many experts point out, you’re only as strong as your vendor’s security. That’s because many third-party vendor tools have access to internal system data. So it makes sense to direct a significant portion of scrutiny toward third-party apps.
Part of that process is making sure that APIs, as the connective tissue of disparate systems, are secure. Insecure APIs are a major threat vector to be aware of. Also, it’s a good idea to review the vendor’s service level agreement to make sure that it speaks to all of your security concerns. In general, the vendor’s commitment has to match what’s being done in-house. Otherwise, something like a zero trust policy, which relies on constantly authenticating entities and users, only extends to part of the whole system.
Training and Onboarding
In some ways, a comprehensive response starts with employee training and onboarding. This type of work sets the stage for better cybersecurity and better network protection. It clues everyone in that the corporate culture regards cybersecurity very highly, and makes people aware of things that they shouldn’t do – clicking on sketchy links, sharing files carelessly, etc.
So along with setting specific policy provisions, training and onboarding gets those goals front and center to make sure that everyone’s on the same page from day one.
Learning about data leaks is part of becoming proactive about cybersecurity scenarios and how to appropriately safeguard against them. It’s incumbent on executives and others, as well as dedicated security professionals, to know the risks and how to address them. Companies can’t afford to keep ignoring some of the biggest data threats on the horizon. Tightening up systems against data leaks is very much worth the work that is involved.