What is a data breach and how to prevent it

What is a data breach? How does it happen? In this post, we answer these questions and explain what steps you can take to prevent one.

What is a data breach?

A data breach is a security incident that can lead to the destruction, loss, alteration, or unauthorized sharing of personal data. The cause of a data breach can be either accidental or deliberate, i.e. carried out with malicious intent.

Note that a data protection breach isn’t only the loss of data. Access to data by an unauthorized third party, the loss or theft of devices containing personal data, and the alteration of personal data without permission are also examples of data breaches.

Data protection breaches can therefore happen for a wide variety of reasons, and it would be wrong to assume they’re always caused by external hackers.

What are examples of data breaches?

To better understand what a data breach is, let’s look at some examples:

  1. Target data breach: In 2013, hackers gained access to Target’s payment system and stole the credit and debit card information of more than 40 million customers.
  2. Equifax data breach: In 2017, Equifax, one of the largest credit reporting agencies in the United States, suffered a data breach that exposed the personal information of 147 million people, including names, birth dates, social security numbers, and addresses.
  3. Yahoo data breaches: In 2013 and 2014, Yahoo experienced two separate data breaches that affected all of its 3 billion user accounts. The breaches exposed users’ names, email addresses, birth dates, and phone numbers.
  4. Marriott International data breach: In 2018, Marriott International announced a data breach that exposed the personal information of up to 500 million customers who had stayed at the hotel chain’s Starwood properties.
  5. Uber data breach: In 2016, Uber suffered a data breach that exposed the personal information of 57 million customers and drivers, including names, email addresses, and phone numbers.
  6. Capital One data breach: In 2019, Capital One suffered a data breach that exposed the personal information of over 100 million customers, including names, addresses, credit scores, and social security numbers.

These are just a few examples of data breaches, but they demonstrate the serious impact that data breaches can have on individuals and companies alike.

How do data breaches happen?

Now that you know what a data breach is, let’s look at how they happen. Some of the most common causes of a data breach are the lack of appropriate security systems and carelessness: devices containing the company’s data get lost or stolen, or employees give the wrong person access to data.
Even though unintentional and probably harmless, these are still data breaches.

Then, there are data breaches caused by external cyberattacks, meant to weaken a company’s security system and steal personal data. The Kaspersky team has listed some of the most popular methods hackers use to breach a company’s security:

  • phishing: an attack that fools people into causing a data breach by sending messages that appear to come from a trusted source and ask for personal information or for access to it;
  • brute force attacks: attacks carried out with software tools that try to guess your password in order to get into your devices or accounts;
  • malware: short for “malicious software”, it exploits gaps in your device’s security to get into the device.

Data protection breaches can affect anyone, from businesses to government organizations and individuals.

If you run a business that collects and stores users’ personal data, the consequences of a data breach can be really serious: it can harm your users, whose personal information could be stolen and used unlawfully, and it can harm your company, whose confidential information could be shared or sold.
Not to mention how badly a data breach can affect your reputation and reliability as a business.

That’s why it’s so important to implement effective security measures.

How to prevent a data breach?

Data protection breaches can be prevented. Here are some steps you can consider:

  • Invest in your business’s security system and train your staff appropriately.
    Everyone in your company should know the basics of cybersecurity, such as using strong passwords and enabling multi-factor authentication. You don’t want a security breach because of somebody’s lack of knowledge or carelessness.
  • Encrypt your data.
    This step is fundamental, especially if you handle sensitive data. Encrypted data is very difficult to decipher without the proper key. In this way, if a data protection breach were to happen, it would be difficult to understand what the data are about. Make sure you’re keeping your encrypted data and their encryption keys stored in different places.
  • Add extra layers of security to your files when using external storage platforms.
    As experts often say, online storage platforms are just someone else’s computer and, though they’re generally safe, they’re also easier to access. That’s why it’s safer to take further security steps.
  • Consider hiring a security expert, especially if you perform large-scale processing of sensitive data.
  • Assess the risk of your processing activities.
    If you process personal data, it’s best to assess the risk of each processing activity before starting it. This can be achieved through a Data Protection Impact Assessment (DPIA). You can learn more here.
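
The “encrypt your data” step above makes a point that is easy to get wrong in practice: if the encryption key sits next to the ciphertext, a stolen backup or a leaked storage bucket still discloses everything. The following Go program is an added example (it is not code from the original post or from iubenda) of the envelope-encryption pattern that implements that advice: each record is encrypted under its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that lives in a separate key store, and the data store only ever holds ciphertext and wrapped keys. The `KeyStore`, `DataStore`, `EncryptRecord` and `DecryptRecord` names and the sample record are this example's own assumptions, standing in for a real KMS/HSM and a real database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for a separate key-management system (KMS or HSM):
// it holds only the key-encryption key (KEK) and never sees the ciphertext.
type KeyStore struct{ kek []byte }

// DataStore stands in for ordinary storage (database, object store):
// it holds ciphertext and wrapped data keys, never a usable key.
type DataStore map[string]Record

type Record struct {
	WrappedDEK []byte // per-record data-encryption key, sealed under the KEK
	Sealed     []byte // nonce || AES-GCM ciphertext of the personal data, under the DEK
}

// randomBytes treats a crypto/rand failure as fatal, the usual stance for key material.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewKeyStore() *KeyStore { return &KeyStore{kek: randomBytes(32)} } // AES-256 KEK

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesGCMSeal returns nonce || ciphertext, with aad authenticated alongside it.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // dst=nonce prepends it
}

// aesGCMOpen is the inverse; it fails on a wrong key, a wrong aad or any tampering.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// EncryptRecord: fresh DEK per record, data sealed under the DEK, DEK wrapped under the
// KEK, and only ciphertext handed to the data store. The record id is bound as
// associated data, so a wrapped key or ciphertext copied onto another id will not open.
func EncryptRecord(ks *KeyStore, ds DataStore, recordID string, personalData []byte) error {
	dek := randomBytes(32)
	sealed, err := aesGCMSeal(dek, personalData, []byte(recordID))
	if err != nil {
		return err
	}
	wrapped, err := aesGCMSeal(ks.kek, dek, []byte(recordID)) // the key store's "wrap" call
	if err != nil {
		return err
	}
	ds[recordID] = Record{WrappedDEK: wrapped, Sealed: sealed}
	return nil
}

// DecryptRecord needs both stores: the data store for the record and the key store
// to unwrap its DEK. Either store on its own yields nothing readable.
func DecryptRecord(ks *KeyStore, ds DataStore, recordID string) ([]byte, error) {
	rec, ok := ds[recordID]
	if !ok {
		return nil, fmt.Errorf("no record %q", recordID)
	}
	dek, err := aesGCMOpen(ks.kek, rec.WrappedDEK, []byte(recordID)) // the key store's "unwrap"
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aesGCMOpen(dek, rec.Sealed, []byte(recordID))
}

func main() {
	ks, ds := NewKeyStore(), DataStore{}
	_ = EncryptRecord(ks, ds, "customer-1001", []byte("Jane Doe, jane@example.com")) // constructed sample
	pt, err := DecryptRecord(ks, ds, "customer-1001")
	fmt.Printf("with both stores: %q (err=%v)\n", pt, err)
	_, err = DecryptRecord(NewKeyStore(), ds, "customer-1001") // data store alone, without the real KEK
	fmt.Println("data store without the real KEK:", err)
}
```

Two design choices carry the security point. First, the data store never receives the KEK, so a copy of it (a leaked backup, an exposed bucket) is unreadable on its own; rotating the KEK means re-wrapping small DEKs, not re-encrypting every record. Second, AES-GCM is used with the record id as associated data, so a ciphertext or wrapped key moved to another record, or modified in place, is rejected rather than silently decrypted to garbage.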

However, despite the most sophisticated security system and measures, a data breach could still happen.

So, along with preventive measures, you and your company should also set up a plan to face one:

  1. Make sure you’re able to recognize a data breach: as we said above, a data breach isn’t just the loss of data.
  2. Appoint a team or a person to manage data breaches.
  3. Set up a response plan for addressing data breaches: you should know which authority to alert, how to inform your users, and which documents you need in order to report the breach.

What to do after a data breach

According to Article 33 of GDPR, if you’ve been involved in a data protection breach, you need to report it to the Supervisory Authority within 72 hours (unless it’s unlikely to result in a risk to individuals’ rights and freedoms). Users whose data was affected by the breach also need to be informed within the same time frame.

👀 More on GDPR Breach Notifications here →

Failing to report a data breach can expose you to fines up to €20 million or 4% of the annual worldwide turnover, whichever is greater.

Please note that, whether or not you are required to report a breach, you need to keep records of all the breaches that have happened to your company, no matter how insignificant they may seem. Records will help the authorities assess whether you’re complying with the law.

💡 It’s a lot easier to face a data breach when you keep clear and detailed records.

Records can help you assess the level of risk of your processing activities, and determine if you need to implement new security measures.
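
To make the record-keeping and the 72-hour rule above concrete, here is an added example (not code from the original post or from iubenda) of a minimal breach register in Go. Every incident is entered whether or not it needs reporting, each entry carries the outcome of the risk assessment, and the register computes the Article 33 deadline from the time the breach was detected and lists entries that are past it without having been reported. The `BreachRecord` and `Register` types, the status wording and the four incidents in `SampleRegister` are this example's own constructions.

```go
package main

import (
	"fmt"
	"time"
)

// NotifyWindow is the 72-hour reporting window of GDPR Article 33 referred to above.
const NotifyWindow = 72 * time.Hour

// BreachRecord is one entry in the register. Every incident is recorded, whether or
// not it turns out to require notification.
type BreachRecord struct {
	ID          string
	DetectedAt  time.Time  // when the organisation became aware of the breach
	Description string
	DataTypes   []string   // categories of personal data involved
	Encrypted   bool       // were the affected data protected by encryption
	RiskLikely  bool       // outcome of the assessment: is a risk to individuals likely?
	ReportedAt  *time.Time // nil until the supervisory authority has been notified
}

// Deadline is the latest time at which the authority must be notified.
func (r BreachRecord) Deadline() time.Time { return r.DetectedAt.Add(NotifyWindow) }

// MustNotify mirrors the rule stated above: notify unless the breach is unlikely
// to result in a risk to individuals' rights and freedoms.
func (r BreachRecord) MustNotify() bool { return r.RiskLikely }

// Status summarises where an entry stands at the given time.
func (r BreachRecord) Status(now time.Time) string {
	switch {
	case !r.MustNotify():
		return "recorded; notification not required"
	case r.ReportedAt == nil && now.After(r.Deadline()):
		return "OVERDUE: not reported within 72h"
	case r.ReportedAt == nil:
		return fmt.Sprintf("notification due in %s", r.Deadline().Sub(now).Round(time.Hour))
	case r.ReportedAt.After(r.Deadline()):
		return "reported late"
	default:
		return "reported within 72h"
	}
}

// Register keeps every entry; it is the evidence shown to the authority.
type Register struct{ entries []BreachRecord }

func (reg *Register) Add(r BreachRecord) { reg.entries = append(reg.entries, r) }

// Overdue returns the ids of entries that still need reporting and are past their deadline.
func (reg *Register) Overdue(now time.Time) []string {
	var ids []string
	for _, r := range reg.entries {
		if r.MustNotify() && r.ReportedAt == nil && now.After(r.Deadline()) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

// SampleRegister builds a constructed register with a fixed "now"; the incidents are made up.
func SampleRegister() (*Register, time.Time) {
	now := time.Date(2024, 3, 10, 12, 0, 0, 0, time.UTC)
	reported := now.Add(-50 * time.Hour)
	reg := &Register{}
	reg.Add(BreachRecord{ID: "BR-001", DetectedAt: now.Add(-80 * time.Hour), RiskLikely: true,
		Description: "unencrypted laptop with customer list lost", DataTypes: []string{"names", "addresses"}})
	reg.Add(BreachRecord{ID: "BR-002", DetectedAt: now.Add(-10 * time.Hour), RiskLikely: true,
		Description: "staff mailbox accessed after phishing", DataTypes: []string{"email addresses"}})
	reg.Add(BreachRecord{ID: "BR-003", DetectedAt: now.Add(-30 * time.Hour), Encrypted: true, RiskLikely: false,
		Description: "backup drive lost; data encrypted, key held elsewhere", DataTypes: []string{"names"}})
	reg.Add(BreachRecord{ID: "BR-004", DetectedAt: now.Add(-100 * time.Hour), RiskLikely: true, ReportedAt: &reported,
		Description: "email with personal data sent to wrong recipient", DataTypes: []string{"names", "birth dates"}})
	return reg, now
}

func main() {
	reg, now := SampleRegister()
	for _, r := range reg.entries {
		fmt.Printf("%s  %-55s %s\n", r.ID, r.Description, r.Status(now))
	}
	fmt.Println("overdue:", reg.Overdue(now))
}
```

The clock starts at `DetectedAt`, the moment the organisation became aware of the breach, which is why recognising a breach (step 1 of the plan above) matters as much as the response itself. BR-003 shows the other use of records the paragraph mentions: the entry documents why no notification was made (encrypted data, key held separately), which is exactly what an authority will ask for later.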

How iubenda can help

iubenda’s Register of Data Processing Activities can help you record all your processing activities, security measures, and every party you share your data with.
