In addition to bringing you the latest in AppSec research and news in this blog, we will begin presenting short educational briefings on key subjects within the application security space. We hope you will enjoy and learn from these short posts. We value your opinion, so please let us know if there are any concepts or topics you would like to hear about from us.

Today, I would like to pen my thoughts on a Data Breach. We hear of data breaches happening ever so frequently, so what exactly is a data breach and how can it occur? Read on...

Webster’s defines “to breach” as literally “the act of breaking”, as in the infraction or violation of a law, obligation, tie or standard. A data breach is an incident during which an encrypted database is broken or hacked, and the valuable information stored within is compromised. The term “data” in this case most often describes sensitive, protected or confidential data such as customer records that are protected by law or required by Federal regulation to be protected. Data breaches may involve personal health information, personally identifiable information, trade secrets or intellectual property.

Most often, the term data breach describes the theft of data: a malevolent action by unauthorized parties such as hackers, fraudsters or spies. The data need only be viewed for a breach to have occurred, but if it is copied and transmitted the potential consequences are ominous. The loss of information through a data breach is the nefarious first step in online crimes such as identity theft, credit card fraud, and banking fraud. In these cases crooks target data such as credit card numbers, PINs, bank account numbers, and social security numbers.

However, the term can also describe the release of sensitive data to an “untrusted environment” by accident, through the fault of an authorized party. Past incidents have resulted from the careless handling of laptop computers or CD-ROMs. Although malicious intent is not present in such cases, the potential consequences of a data breach are no less dire. In most cases where personally identifiable information is lost, authorities demand that companies or organizations notify everyone whose information may have been compromised, even if there is little risk of malicious intent.

In the information security industry, there exist numerous guidelines and regulatory compliance mandates governing the protection of confidential data from data breaches – from the Payment Card Industry Data Security Standard (PCI-DSS) to the Health Insurance Portability and Accountability Act (HIPAA).

Today there exists a global organized criminal network of “black hat” hackers devoted solely to stealing confidential data. The spoils from their illegal activities are then sold on a thriving underground black market, where stolen information can change hands numerous times.

Companies that suffer a data breach lose more than just confidential information. Their reputation, productivity, and profitability can all be negatively impacted in the aftermath of even a single incident. If a data breach results in actual identity theft or other financial loss, the offending organization may face fines and civil or criminal prosecution.

Read more:

Privacy Rights Clearinghouse, Data Breach Year in Review 2011
SC Magazine’s Data Breach Blog
Open Security Foundation’s Data Loss Database

About Michael Teeling

Michael Teeling is a software marketing veteran who has advised more than 50 companies on go-to-market strategy since 2001. He is an expert in content marketing, message strategy, brand identity, and reaching the key influencers that move technology markets. Mike founded Influential Strategies a decade ago and has represented numerous information security companies. Visit Mike’s blog.

Comments (2)

Tim Mathias | March 27, 2012 12:52 pm

I'm not sure I agree that data needs to be encrypted to qualify as a formal data breach. In fact, many such breaches occur when data is _not_ encrypted. Un-encrypted credit card data comes immediately to mind.

I would argue that what defines a data breach is really a function of the data, and the individuals' or companies' expectation of privacy & confidentiality.

fglynn | March 27, 2012 1:50 pm

Tim, you bring up a good point. I agree. A recent study by the Ponemon Institute, which surveyed over 500 IT professionals, reported that over 60 percent of respondents said the lost data was not encrypted, which is shocking considering the legal ramifications for organizations.
