Data Breaches: What Are They and How Do They Happen?

The Neeva Team on 03/10/22

Data breaches are, unfortunately, becoming a part of everyday life. Even people who don’t have a lot of online accounts can be affected because of how much information companies and government agencies keep online. For example, if you have a credit card or loan, your personal information could have been leaked (along with 147 million other people’s) during the Equifax data breach in 2017.

A data breach is an event in which confidential or sensitive information is accessed or shared without permission.

In the 2021 Annual Data Breach Report, the Identity Theft Resource Center (ITRC) shares that there were 1,862 data compromise incidents in 2021—a 68% increase compared to the previous year and a record high. Of these, 80% included leaks of sensitive information.

While you might not have a lot of control over a company’s cybersecurity measures, understanding how data breaches happen and what the perpetrators do with victims’ personal information can help you protect yourself from fraud as a result of these events.

What is a data breach?

A data breach is an event in which confidential or sensitive information is accessed or shared without permission. Data breaches commonly happen as the result of a cyberattack—when an individual or group gains unauthorized access to an organization’s systems. But you could also consider the improper disposal of physical documents that are later stolen from the trash a data breach.

The ITRC uses an all-encompassing term “data compromise” in its annual report to describe any incident when an unauthorized person accesses your personal data, or when an authorized person accesses your info for an unauthorized purpose. It defines a data breach as a more specific incident, when an unauthorized person accesses or removes personal information from its proper storage place.

Personal information that could be stolen or exposed in a data breach includes:

  • Social Security numbers (SSN)
  • Medical records
  • Driver’s licenses
  • Email addresses, usernames, and passwords
  • Financial account details

Equally concerning are what the ITRC calls data leaks—when your information is publicly available online, scraped, and sold.

For example, in 2021, attackers auctioned off the names, social media profiles, email addresses, and other personal information of about 500 million LinkedIn users. They released two million profiles as a free sample on a hacker forum, with the entire archive going to the highest bidder.

How do attackers carry out data breaches?

Most data breaches are the result of a cyberattack, but attacks are carried out in many different ways. Some data breaches aren’t caused by outside attackers at all.

Common causes of data breaches include:

  • Social engineering. Nearly 40% of the data breach incidents that resulted in confirmed data disclosure (1,080 total) in North America involved social engineering, according to the Verizon 2021 Data Breach Investigations Report (DBIR). Social engineering is a general term for manipulating people, and it’s often a component of a cyberattack or data breach. Phishing emails, texts, and calls are a common example of social engineering.
  • Malware. Attackers may use different types of malware, such as spyware, to gain access to systems and steal data. The malware can be delivered in different ways, such as when someone downloads a malicious file, clicks on a link and visits an infected website, or plugs an infected USB thumb drive into their computer.
  • Insider threats. An insider is someone who works at the company. The breach could be malicious, such as when an employee knowingly steals and sells data. But small data breaches can also happen by accident, such as when an employee shares confidential data with an unauthorized colleague, family member, or friend.
  • Hacking. In this kind of data breach, hackers find and exploit weaknesses in a system. These can be the result of automated brute force attacks (repeatedly guessing username and password combinations) or credential stuffing attacks (trying username and password combinations that were previously leaked). Human error, such as a misconfigured firewall, can be a contributing cause.

There are less prevalent types of attacks that can lead to data breaches as well. For example, someone could steal computers or mobile devices that hold sensitive information. Attackers may also use zero-day attacks to access systems, but these attacks can be difficult to develop and expensive to buy, so they might be reserved for high-value targets.

What do hackers do with the data?

Data breaches can affect victims for years after the breach occurs. According to the DBIR, many attackers are part of organized crime groups and most attackers are out to make money. However, they can use their access in different ways:

  • Resell the data. The stolen data could be packaged and offered for sale on the dark web. Buyers may even be able to buy “fullz”—a full package of information that could include someone’s name, date of birth, SSN, address, driver’s license, and financial or medical information.
  • Use the info. The data breach could be the initial part of a multi-step attack. For example, hackers might use the personal information to steal the victim’s identity, create a new identity, or to trick the victim as part of a social engineering attack.
  • Extortion. Attackers may also be able to deliver ransomware that encrypts an organization’s data, making it unusable unless the victim pays a ransom. This was the case with the Colonial Pipeline attack in 2021. Ransomware attackers can also threaten to expose sensitive information—a data breach—which can convince organizations to pay up even if they have backups.
  • Advance an agenda. Sometimes the goal isn’t profit but collecting valuable, sensitive information that could help advance an agenda. One example is the hack and release of documents and emails from the Democratic National Committee and Clinton Campaign in 2016.

How to see if your data has been compromised in a breach

Organizations might warn you if your account or other personal information was leaked in a data breach. In some cases, they’ll advise you to change your password or offer some sort of consolation, such as a temporary subscription to a credit monitoring service.

You can also check HaveIBeenPwned.com to see if your email addresses or phone numbers were leaked in previous data breaches. Additionally, the site has a password checker that you can use to see if a password was exposed in a data breach. You definitely shouldn’t use passwords that were previously exposed, as they may have been added to dictionaries that hackers use to crack passwords.

What to do after a data breach

Data breaches can affect millions of people at a time, and individuals can’t do much to prevent companies from getting breached. However, there are steps you can take to help protect yourself and your identity after a breach.

  • Change your passwords. If your account’s username and password were leaked, you’ll want to change the password immediately. If you use the same password for other sites, you’ll want to change those as well.
  • Use a password manager. Password managers like 1Password and LastPass can make it easier to create strong, unique passwords for all your accounts. They can also be set up to fill in your passwords in your browser and on mobile devices, meaning you only have to create and remember one very strong master password. Some password managers may also warn you if one of your passwords was exposed in a data breach.
  • Enable multifactor authentication. Adding multifactor authentication to your accounts can give you an additional layer of protection. Even if someone has your username and password, they won’t be able to get into your account unless they also have the extra form of authentication—such as a code you receive by text or in an app.
  • Apply for an IRS IP PIN. As of 2021, the IRS allows anyone to apply for an identity protection personal identification number (IP PIN). Once you opt in to the program, you’ll need to get a new IP PIN each year and will use the six-digit PIN to verify your identity when you file your tax return. The PIN can help keep fraudsters from filing a tax return with your information.
  • Freeze your credit. You can freeze and unfreeze your credit reports at each of the major consumer credit bureaus, Equifax, Experian, and TransUnion, for free online. Freezing your credit report can keep companies from accessing your report to open a new credit account (they may still be able to access it for other reasons), which can help block identity thieves who are trying to open an account in your name.

These best practices are an important part of keeping your information safe and protecting yourself from becoming a victim of identity theft.
