Data breach
A data breach is an incident where sensitive or confidential information is accessed or stolen by unauthorized individuals or software. Typically, this information includes personal data such as Social Security numbers, credit card details, and personal health information. Data breaches can occur through various means, predominantly involving hacking, malware, or the physical loss of devices containing sensitive data. The increase in data breaches has been notable since the 1980s, paralleling advancements in computer technology.
High-profile breaches have affected major companies, with incidents involving Target, Equifax, and Yahoo! standing out for the scale of data compromised. According to reports, hackers often follow a systematic approach to infiltrate networks, which includes analyzing weaknesses before gaining access and extracting valuable data. The implications of data breaches can be severe, impacting individuals' privacy and businesses' operational integrity. With the prevalence of personal identifiable information (PII) and protected health information (PHI) being targeted, understanding the mechanisms and consequences of data breaches is crucial for individuals and organizations alike.
On this Page
Subject Terms
Data breach
A data breach occurs when sensitive or confidential information is stolen or accessed by an unauthorized individual, group, or software program. In most cases, the information involved in a data breach is personal information, such as home addresses, Social Security numbers, or credit card numbers. Data breaches may also involve personal health information or business trade secrets. Most modern data breaches are executed through computer technology; however, a breach may occur if the information is physically lost or simply viewed by an unauthorized individual.
According to Infosecurity Magazine, the data and intelligence company Flashpoint had tracked over six thousand data breaches worldwide that had exposed more than seventeen billion personal records in 2023. In the twenty-first century, several notable companies have fallen victim to data breaches. Among the largest were incidents involving the retailer Target, the credit reporting agency Equifax, and the online service provider Yahoo!
Overview
Because most modern information is stored on computer systems, the majority of data breaches occur through hacking intrusions or malware. Hacking refers to the unauthorized access of a computer system. Malware—short for malicious software—is a program designed to infiltrate and spread through a computer or network. The next most likely cause of a data breach is the loss or theft of a portable device that contains sensitive information. Hacking, malware, and device loss account for a significant percentage of all data breaches. Other causes include the unintended disclosure of data, information leaks from an inside source, or information stolen through payment card fraud, such as a credit card skimming device.
Hackers intending to break into a computer network generally follow a pattern to gain access. They first analyze their target, looking for weaknesses in its computer network, employees, and security practices. This phase often lasts weeks or months until the attacker is familiar with the target. The next step is to gain access to the network, usually by injecting harmful code into a system, infecting emails, or by tricking a person into revealing usernames and passwords.
Once inside the system, an attacker tries to establish a presence, gaining additional access and searching for vulnerabilities. Attackers rarely enter a system with full access. They must move around within the network until they find what they are looking for. When they gain access to the sensitive data they are searching for, the attackers remove it and quickly leave. If steps are not taken to close down the pathway to the data, an attacker can exploit the entry point to gain future access to the data.
The majority of data stolen in a breach is personally identifiable information (PII). PII is data that can be used to personally identify an individual. It can range from nonsensitive information, such as names and addresses found in a phone book, to highly sensitive information, such as Social Security numbers. Another prime target of a data breach is financial information—bank account numbers, credit card numbers, etc. Hackers also go after a person's protected health information (PHI), the privacy of which is guaranteed by federal law in many countries. PHI may include personal health data, medical test results, and insurance information. Businesses are at risk of having their trade secrets and intellectual property stolen in a data breach. For example, the cable and satellite television network HBO had several episodes of its popular series Game of Thrones stolen in a 2017 breach.
Topic Today
Data breaches have occurred for many years but began to increase in the 1980s and 1990s after the rapid advancements in computer technology. Modern companies budget a significant amount of money to protect themselves, but hackers often find ways to exploit security weaknesses and gain access to data. Statistics on data breaches have only been compiled since the early twenty-first century, but in that time, several high-profile companies have been the victim of hackers.
In 2013, the retail giant Target announced that the personal information of millions of customers had been stolen in a breach. Hackers gained entry to the system through a third-party heating and air-conditioning contractor used by Target. The attack occurred before Thanksgiving and was not discovered until weeks later. Months after the attack, Target said the hackers had accessed the credit and debit card numbers of 110 million people.
One of the largest data breaches in history occurred in two attacks on the internet provider Yahoo! in 2013 and 2014. The company first announced in 2016 that the names, email addresses, dates of birth, and telephone numbers of 500 million users had been stolen in a 2014 attack. The passwords for most of those users were compromised as well. The company called the attack a "state sponsored" incident, meaning officials believed a foreign nation was behind the intrusion. Later in 2016, Yahoo! announced that an earlier attack in 2013 had accessed the personal information of more than one billion accounts. This attack was initiated by a different group than the 2014 incident. In 2017, Yahoo! revised its estimates, saying that the accounts of all three billion of its users had been compromised. Names, email addresses, and passwords were also stolen in the 2013 attack, as were personal security questions and their answers.
The online auction company eBay reported a data breach in 2014 that accessed the names, addresses, birthdays, and passwords of all of its 145 million users. The company said the hackers gained access using the credentials of three eBay employees.
In 2016, the FriendFinder Network, an online site that specializes in adult entertainment, was the victim of a data breach that affected more than 412 million people. Hackers gained access to twenty years' worth of customer email addresses, personal addresses, and passwords.
In 2017, hackers gained access to the personal information of about 143 million customers of the credit reporting bureau Equifax. Among the data stolen were Social Security numbers, birth dates, addresses, and driver's license numbers; about 209,000 people had their credit card information stolen.
Especially as further advancements in technology, including the greater integration of artificial intelligence (AI) into digital systems, introduced both tools and challenges in data protection, breaches continued to occur in a range of areas. While the late 2010s saw a significant exposure of millions of users of the social media site Facebook's personal information, reports of breaches in the hospitality and telecommunications industries, including the Marriott hotel chain and T-Mobile, also surfaced in the early 2020s.
Bibliography
Coker, James. "17 Billion Personal Records Exposed in Data Breaches in 2023." Infosecurity Magazine, 28 Mar. 2024, www.infosecurity-magazine.com/news/personal-records-exposed-data/. Accessed 13 Jan. 2025.
"Cyber Security: Understanding the 5 Phases of Intrusion." Graylog, 21 Feb. 2023, graylog.org/post/cyber-security-understanding-the-5-phases-of-intrusion/. Accessed 13 Jan. 2025.
"Data Breach." Trend Micro, www.trendmicro.com/vinfo/us/security/definition/data-breach. Accessed 13 Jan. 2025.
"Data Breaches 101: How They Happen, What Gets Stolen, and Where It All Goes." Trend Micro, 10 Aug. 2018, www.trendmicro.com/vinfo/us/security/news/cyber-attacks/data-breach-101. Accessed 13 Jan. 2025.
Fowler, Kevvie. Data Breach Preparation and Response: Breaches Are Certain, Impact Is Not. Syngress, 2016.
Hill, Michael, et al. "The 18 Biggest Data Breaches of the 21st Century." CSO, 12 Sept. 2024, www.csoonline.com/article/534628/the-biggest-data-breaches-of-the-21st-century.html. Accessed 13 Jan. 2025.
Singletary, Michelle. "Yahoo. Target. Equifax. Sonic: All Category 5 Data Breaches. Is Your Information Safe Anymore?" The Washington Post, 5 Oct. 2017, www.washingtonpost.com/news/get-there/wp/2017/10/05/yahoo-target-equifax-sonic-all-category-5-data-breaches-is-your-information-safe-anymore/?utm‗term=.1ef401a8f845. Accessed 24 Nov. 2017.