What is a data breach: causes, effects, and legal regulations on personal data violations

Data Breach: when the personal data of millions of people are exposed to the public. Here is what they are, how they occur, and what to do when the private information of our users is breached.

When we use Facebook or other social media, we often authorize other apps to access the personal information we have shared there. These applications (known as third-party apps) do not always comply with strict standards regarding our privacy.

In April of this year, two third-party services, Cultura Colectiva and At The Pool, exposed to the public 540 million records of personal information of Facebook users that were stored on Amazon servers.

This is what is technically referred to as a data breach. It is now a global problem, affecting smaller companies as well as giants like Facebook, because we all now use the Internet for every activity, including business (consider cloud computing). And although this offers many advantages, if we are not careful we are also exposed to numerous risks.

Let's explore more on the topic together.

What is meant by data breach

First, let's look at a more precise description of a data breach.

According to Norton, a data breach is a security incident during which information is accessed without authorization. As in the case of Facebook, the information of individuals, companies, or other organizations is made public without the consent of the users themselves.

As can be seen from the definition, the violation does not necessarily have to be the result of a cyber-attack. In the example given at the beginning of the article, the data breach reportedly occurred because of the reckless handling of data by third-party apps rather than the malicious intent of cyber criminals.

That said, according to IBM, a data breach is often the work of hackers interested in confidential information. According to the company, 51 percent of the data breaches that have occurred so far in 2019 are due to cyber-attacks; in 2014 the share was only 21 percent. The remainder is caused by human error and by system errors (glitches).

When a data breach occurs, users are the first to be affected: their information, sometimes sensitive, ends up in the public domain, available to anyone who wants to use it (even for criminal purposes). Companies are also severely affected, first and foremost from a reputational standpoint. However, there are also significant costs involved in recovering the information, as we will see.

Data breaches are becoming increasingly widespread. IBM has in fact calculated that in 2019 companies had a 29.6 percent probability of experiencing a data breach within two years. In 2014, the figure stood at 22.6 percent.

Causes and effects

We have already mentioned the main causes of data breaches, but let's delve into the topic by listing the six main sources of data breaches according to Verizon's 2018 Data Breach Investigations Report.

  1. Hacking. The main cause is the action of criminals. According to Verizon, hackers often try to steal access credentials to private companies' systems using various stratagems: they find them on the dark web, they find them written down in offices (beware of the photos we publish on social media from the office), or they use software that generates passwords automatically. Once access is gained, hackers can collect all the information they want and launch further attacks on company systems.
  2. Malware. Closely linked to the activities of cyber criminals, malware can be used for numerous illicit activities. An example is the so-called RAM scraper, which scans the memory of digital devices to collect sensitive information; such tools are used, for example, to scan point-of-sale (POS) terminals. Another form of malicious software is ransomware (from the English "ransom"), which locks electronic devices: hackers unlock them only upon payment of a ransom.
  3. Human error. As mentioned, there is no guarantee that there is a criminal hand behind a data breach. Even an employee's mistake can lead to an information breach: it is enough to send an email containing someone else's sensitive data to the wrong person. According to Verizon, human error is the third leading cause of data breaches.
  4. Social engineering. Let's return to illicit activities. Phishing is the sending of emails that appear identical to those from major companies (consider Poste), often asking users to restore their account data. In reality, recipients are directed to fake portals, where they inadvertently hand over their information. These attacks are very dangerous, especially because they often aim to access bank accounts and prepaid cards. Pretexting is a similar activity, but conducted over the phone.
  5. Unauthorized access by employees. In companies, some users have the ability to access the data of their colleagues and subordinates, perhaps because they have an account with privileged or higher-level access. This can result in a data breach, in many cases accidental.
  6. Physical actions. Yes, data breaches can also occur offline. According to Verizon, 10 percent of data breaches occur outside the network. An example is credit card cloning, which can occur at an ATM.

So much for the causes. But what are the consequences of a data breach?

For private individuals, the consequences can be both financial and personal. As we have seen, many hackers attempt to access people's bank accounts and credit cards by various means. From a personal perspective, there is the risk of letting strangers violate our privacy. Our smartphones now contain everything: photos of our families, personal emails, and even private messages. It cannot be pleasant to know that someone has accessed all this information without our consent.

For companies, according to IBM, the consequences of a data breach are of at least two types. First of all, financial.

In 2019, the average cost for an organization affected by a data breach was 3.92 million dollars. The figure is enormous because cyber criminals obviously target large companies first. However, smaller businesses are not spared. IBM also explains that the average cost of a breach is $204 per employee for companies with at least 25,000 employees, while for businesses with between 500 and 1,000 employees this cost rises to $3,533 per employee.

Then there is the reputational cost of a data breach. How much would you trust a company that allowed your personal information to be violated? According to IBM, affected companies lose an average of 1.42 million dollars per attack on this front. The study also highlighted an abnormal customer loss of 3.9 percent following privacy breaches.

Finally, the recovery times for data that may have been lost or damaged following an attack must be considered. IBM estimates that the detrimental consequences of a data breach can still be felt more than two years after the violation.

The data breach in the GDPR

We have spoken on many occasions about the GDPR (for example here), the new General Data Protection Regulation of the European Union, which came into force last year. The regulation provides specific guidelines for data breaches, particularly regarding the actions to be taken by affected companies.

Specifically, the regulation treats as a data breach any destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. The definition is therefore broader in this case.

What should companies "affected" by the violation or that have accidentally caused it do?

First of all, they must notify the Data Protection Authority (the Garante) within 72 hours of discovering the breach. When the breach poses a high risk to individuals' rights, the obligation to communicate extends to all the data subjects concerned.

As a preventive measure, the Data Controller — the company or professional who collects data for any reason with the consent of the data subjects — must then adopt a specific "Response Protocol." This is an exact procedure to be implemented in the event of data destruction or loss, bringing together the work of the company departments involved in the issue, as well as the relevant public bodies, such as ministries, healthcare companies, the Privacy Authority, and so on.

For more information on cybersecurity, also read: Online security: 10 tips to protect yourself from hackers and "thefts"