In addition to bringing you the latest in AppSec research and news in this blog, we will begin presenting short educational briefings on key subjects within the application security space. We hope you will enjoy and learn from these short posts. We value your opinion, so please let us know if there are any concepts or topics you would like to hear about from us.
Today, I would like to pen my thoughts on a Data Breach. We hear of data breaches happening ever so frequently, so what exactly is a data breach and how can it occur? Read on...
Webster’s defines “to breach” as literally “the act of breaking”, as in the infraction or violation of a law, obligation, tie or standard. A data breach is an incident during which an encrypted database is broken or hacked, and the valuable information stored within is compromised. The term “data” in this case most often describes sensitive, protected or confidential data, such as customer records, whose protection is required by law or Federal regulation. Data breaches may involve personal health information, personally identifiable information, trade secrets or intellectual property.
Most often the term data breach is applied to describe the theft of data – a malevolent action by unauthorized parties such as hackers, fraudsters or spies. The data need only be viewed for a breach to have occurred, but if it is copied and transmitted the potential consequences are ominous. The loss of information by data breach is the nefarious first step in online crimes such as identity theft, credit card fraud, and banking fraud. In these cases crooks target data such as credit card numbers, PINs, bank account numbers, and social security numbers.
However, the term can also describe the release of sensitive data to an “untrusted environment” by accident, through the fault of an authorized party. Past incidents have resulted from the careless handling of laptop computers or CD-ROMs. Although malicious intent is not present in such cases, the potential consequences of a data breach are no less dire. In most cases where personally identifiable information is lost, authorities demand that companies or organizations notify everyone whose information may have been compromised, even if there is little risk of malicious intent.
In the information security industry, there exist numerous guidelines and regulatory compliance mandates governing the protection of confidential data from data breaches – from the Payment Card Industry Data Security Standard (PCI-DSS) to the Health Insurance Portability and Accountability Act (HIPAA).
Today there exists a global organized criminal network of “black hat” hackers devoted solely to the stealing of confidential data. The spoils from their illegal activities are then sold on a thriving underground black market, where criminals trade in stolen information that can change hands numerous times.
Companies that suffer a data breach lose more than just confidential information. Their reputation, productivity, and profitability can all be negatively impacted in the aftermath of even a single incident. If a data breach results in actual identity theft or other financial loss, the offending organization may face fines and civil or criminal prosecution.