A data breach refers to any violation of the Data Protection Act. It can often also be considered a cyber breach, since much of today’s data is stored online in digital information systems. Consequently, when an individual executes a cyber breach, they are essentially granting themselves unauthorised access to protected data. The perpetrator will often be seeking to modify, destroy or distribute some form of confidential or personal information, and there is an endless list of possible reasons why someone might choose to do this.
Depending on the purpose of the attack and the reasons behind it, a cyber breach can target a business, its customers, or both. First, we’ll look at why businesses may be targeted. To mention just a few of the possible reasons:
- Someone is seeking valuable trade secrets or other proprietary information. This could be used for competitive purposes, or simply to deprive the business that originally held the stolen property.
- Someone is after information about employees, such as personal details, access codes or other credentials. This could be used to identify key employees, gain access to company systems and more.
- Someone wants to raise awareness and controversy over consumer trust in corporate security practices. We’ve seen cases in the past where a group of hackers has broken into huge corporations purely for their own entertainment. Others have done so to raise awareness of different social causes.
On the other hand, a business could be targeted in order to gain access to its customer base. The customers of a business would most likely be targeted for their personal and financial information. The stolen data could include things like:
- Credit card information and records
- Personal contact information and address
- Sensitive medical records and information
- Any other information that can be collected and used in fraudulent activities
Basically, a cyber breach could be executed for a wide variety of reasons like the ones just mentioned. However, the majority of all data breaches are tied to financially related motives.
That said, we have seen cyber breaches used as a tactic by extreme activist groups to bring awareness to a particular issue. One of the most well-known groups using cyber breaches for these purposes today goes by the name Anonymous. There have been a number of occasions where the group has executed data breaches and later released controversial information. All of these efforts are geared toward exposing particular subject matters and bringing awareness to related issues.
Another example of a breach carried out for the sole purpose of raising public awareness is the one executed by Edward Snowden, whose story is now being portrayed in cinematic films. In this case, Snowden chose to leak information for the sake of bringing it to the public’s eye. Websites like WikiLeaks were conceived on the same idea of releasing information in order to bring public attention to it.
There may be other incidents in which a cyber breach leads to the extortion of the victimised individual. This is something we’ve seen in countless movies and television shows, where a piece of sensitive information is somehow obtained without permission and then used as blackmail to extract money from the individual, who is willing to pay to have the file destroyed. Although these types of incidents are not reported regularly in the news, it could very well be, and likely is, happening around the world today.
Although it is illegal to execute a data breach, it is still especially important to protect your business and customers from these attacks, particularly since information can so easily be exposed through the Internet.
What is a Data Breach?
Essentially, a data breach is any violation of the Data Protection Act. Since the Act has eight guiding principles, it goes without saying that there are many ways a data breach could occur. Below we provide an example for each of the eight principles put in place to protect people from exactly this occurrence:
- Fair and lawful use – a data breach related to the fair and lawful use of personal data involves a situation in which you are dishonest about who you are as the data controller, or you have underlying intentions that are to the detriment of the data subject.
- Clear purpose – a data breach related to this principle of the Act would be a situation where personal data is used for purposes other than the one specified. Any use of personal data beyond the initially disclosed purpose is a breach of the Act.
- Adequacy, relevance and reasonableness – a data breach regarding this aspect of the Act would be going out of your way to collect excessive data about an individual; specifically, data that isn’t relevant to the stated task. A perpetrator may ask you questions for a particular purpose, but then use that as a gateway to ask further questions that aren’t relevant to that purpose.
- Accuracy of information – a data breach related to the accuracy of information may occur for both intentional and unintentional reasons. Someone may change information or falsify data for their own personal benefit. In other cases, information may be entered inaccurately or accidentally altered from the truth without any deliberate intention of doing so.
- Storing and retaining – a data breach of this sort could be a situation where a company claims to delete certain information when it is no longer needed, but doesn’t actually do so. Another case could be the careless disposal of sensitive information that exposes it to the risk of being obtained by an unauthorised party. Thankfully, document and data shredding services exist that will help you ensure the secure disposal and destruction of pertinent information.
- Rights – a data breach that conflicts with individuals’ rights over their personal data could be something like selling personal information to other companies that will use it for mass marketing purposes. Another breach could be withholding information about an individual when they ask for full disclosure, despite their right to be granted full access.
- Security – a data breach related to the security principle of the Data Protection Act would be a scenario in which someone grants themselves unauthorised access to sensitive records and confidential information. This could occur at any stage of data processing.
- International use – a data breach may also result from sending information to, and making it accessible in, countries with lax standards and regulations regarding data protection. This exposes such information to a heightened risk of breach.
As you can see, data breaches can occur in a variety of scenarios and are not just one concrete situation. This is why the Data Protection Act has been legislated and why organisations like the ICO exist to protect consumers in a world that is increasingly reliant upon data collection and processing. There are also preventative measures you as a business can take to ensure proper protection for your customers.
How to Prevent a Data Breach?
A data breach can be difficult to detect, and is often only noticed once it’s too late. Your safest bet is to take preventative measures and precautions to reduce the likelihood of a data breach. This is especially true for small businesses, since cyber criminals are reported to be targeting more and more small businesses in data breach related crimes. Here are some safety measures you can take to help prevent a potential data breach at your company:
- Have a clear protocol for all aspects of digital security. This involves specific processes for creating, storing and sharing sensitive data. Doing so will help to limit any unwanted spread of sensitive and company-pertinent information.
- Take advantage of business-grade anti-malware and antivirus technologies that keep a constant watch over your systems. It’s important to stay protected around the clock.
- Ensure customer information and other confidential data are encrypted and secured behind firewalls. You will likely want these adapted to your specific business needs by a professional.
- Use multiple passwords, each corresponding to a different degree of access to the complete database of sensitive information. This way, you can control who has access to which data. It also helps to change these passwords frequently.
- Hire a team of data and document shredding professionals to handle the secure and ethical disposal and destruction of sensitive information and records. Why leave anything to chance when there are companies that specialise in this service and guarantee the proper disposal of sensitive information?
- Use secure means of communication that encrypt and protect sensitive data. Don’t allow employees to use personal accounts or unencrypted email for transferring company information.
- Create a specific account for each employee or individual with access, to create a sense of accountability. This way, you can better track who is accessing certain files and what actions they are taking.
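The two access-control measures above (tiered access to the sensitive-data store, and a named account per person so every action is attributable) can be illustrated in code. The following is an added example, not code from the original article or from Total Shred; the tiers, field classifications, user names and the customer record are all constructed for illustration.

```python
"""Added example: tiered, per-user access to a customer-record store with an
audit trail. Every read is attributed to a named individual, generic shared
logins are refused, and each tier only sees the fields it is cleared for."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Access tiers (constructed): a higher number may read more sensitive fields.
TIERS = {"staff": 1, "finance": 2, "dpo": 3}
# Minimum tier needed to read each field of a customer record (constructed).
FIELD_LEVEL = {"name": 1, "email": 1, "address": 2, "card_last4": 2, "medical": 3}
# Generic logins erase accountability, so they are never granted access.
SHARED_ACCOUNTS = {"admin", "shared", "office"}

@dataclass
class CustomerStore:
    records: dict                      # customer_id -> {field: value}
    audit: list = field(default_factory=list)

    def read(self, user: str, tier: str, customer_id: str, fields):
        """Return only the fields the user's tier permits and log the attempt."""
        fields = list(fields)
        if user in SHARED_ACCOUNTS or tier not in TIERS:
            self._log(user, customer_id, fields, "denied: shared or unknown account")
            raise PermissionError(f"account '{user}' may not read customer data")
        level = TIERS[tier]
        allowed = [f for f in fields if FIELD_LEVEL.get(f, 99) <= level]
        refused = [f for f in fields if f not in allowed]
        outcome = "ok" if not refused else "partial: refused " + ",".join(refused)
        self._log(user, customer_id, allowed, outcome)
        record = self.records[customer_id]
        return {f: record[f] for f in allowed}

    def _log(self, user, customer_id, fields, outcome):
        # One audit entry per attempt, success or failure, naming the individual.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "user": user, "customer": customer_id,
                           "fields": fields, "outcome": outcome})

# Constructed sample record; no real customer data.
SAMPLE_RECORDS = {"c1": {"name": "A. Example", "email": "a@example.invalid",
                         "address": "1 Test Street", "card_last4": "4242",
                         "medical": "none recorded"}}

if __name__ == "__main__":
    store = CustomerStore(dict(SAMPLE_RECORDS))
    print(store.read("alice", "staff", "c1", ["name", "card_last4"]))
    print(store.read("bob", "finance", "c1", ["name", "card_last4"]))
    for entry in store.audit:
        print(entry["user"], entry["customer"], entry["fields"], entry["outcome"])
```

Reviewing the audit list answers the "who accessed which fields" question the shared-account warning sign below describes; the refused-field outcome also shows which requests exceeded a user's tier.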
Now that we’ve provided some steps to improve your company’s data security, here are some warning signs that may indicate you are vulnerable to a data breach:
- Lax policies regarding data creation, sharing, storage and disposal. Without strict guidelines for employees to follow, who knows where sensitive data could end up?
- Firewalls and IT solutions that were not professionally set up. Each business is unique in its needs, so get the solution that’s right for you and will keep your customers and data protected.
- Shared accounts for accessing company data. These erase any form of accountability, since individual employees’ names are not associated with specific actions.
- Sensitive information being sent via email or other unencrypted means of communication. Don’t leave anything to chance, with the potential for it to be intercepted along the way.
If you still find yourself subject to a data breach, you will need to know how to report the situation. Depending on your line of business, you may not be obligated to report an occurrence of a data breach, and there are pros and cons both to reporting it and to staying silent. Keep in mind, though, that if you choose not to disclose the situation and it is later revealed, you could receive negative PR and lose customer trust. If you do choose to report it, the ICO is the body that regulates and enforces the Data Protection Act for the UK.
The ICO website provides three different forms for reporting a data breach related crime:
- DPA Security Breach – This is for companies that are not legally obliged to report data breaches, although the ICO recommends that serious cases be reported. It is also good practice to notify your customers if they are at risk of further exposure to effects stemming from the initial breach. For example, if credit card information was stolen, you would want to warn customers that their cards could be compromised. Likewise, if a list of user passwords is leaked, you would want to advise users to reset their passwords.
- PECR Security Breach – Under the Privacy and Electronic Communications Regulations (PECR), all companies that provide a means of communication for their users are required to report any data breaches. This refers to companies like Facebook, Hotmail, WhatsApp, Snapchat and more, and this report form is specifically designed for telecommunication and internet service providers.
- Unlawful Use of Personal Data Breach – This covers any data that is illegally accessed or obtained, and can be reported accordingly.
Depending on the sensitivity of the information that is compromised, you may also consider notifying the authorities and other involved institutions. Going back to the credit card example, it may be wise to notify the authorities as well as the major credit card companies. After reporting the incident, we strongly recommend you follow the tips mentioned earlier in this article to strengthen your company’s data protection systems.
One of the biggest data breaches involving an online UK company, Think W3 Limited, left hackers with access to over one million credit and debit card records. The company was fined a whopping £150,000 for its lack of customer privacy protection. More recently, the explosive news of the Yahoo data breach has seen at least 500 million user accounts exposed.