What is a Data Breach?
A data breach occurs when unauthorized individuals or entities gain access to confidential or sensitive information, typically held by a company, organization, or government. These incidents can result in the loss, theft, or unauthorized disclosure of sensitive data. Data breaches can occur through various means, including hacking, insider threats. Or even just accidental exposure.
Below we’ve outlined some examples of breaches, how to respond at a high level, and some of the peculiarities of responding to security breaches in cloud environments.
Examples of Data Breaches
- Equifax (2017): One of the most significant data breaches in history, affecting approximately 147 million people. Hackers exploited a vulnerability in the company's website software, gaining access to sensitive personal information, including Social Security numbers, birth dates, and addresses.
- Yahoo (2013-2014): In two separate incidents, Yahoo experienced breaches affecting a total of 3 billion user accounts. The breaches involved the theft of email addresses, passwords, birth dates, and other personal information.
- Anthem (2015): In 2015 Anthem, the largest health insurer in the United States, experienced a data breach that exposed the personal information of over 78 million people. The attackers were able to steal names, addresses, birthdates, Social Security numbers, and health insurance information from Anthem's customers. Anthem was fined $16 million by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for violating the Health Insurance Portability and Accountability Act (HIPAA). The fine was the largest ever imposed by OCR for a HIPAA violation. Anthem has since taken steps to improve its security measures and to prevent future data breaches. The company has also offered free credit monitoring and identity theft protection to affected customers.
Defining Personally Identifiable Information (PII)
Personally Identifiable Information (PII) refers to any information that can be used to identify, contact, or locate an individual, either on its own or when combined with other relevant data. Examples of PII include names, addresses, Social Security numbers, email addresses, and phone numbers. Organizations must take stringent measures to protect PII to prevent unauthorized access and comply with various privacy regulations.
Data Breach Notifications
A data breach notification is a communication from an organization to affected individuals, notifying them of a data breach involving their personal information. Many jurisdictions have enacted laws requiring organizations to notify affected parties and relevant authorities promptly after discovering a data breach. The purpose of data breach notifications is to inform individuals about potential risks to their privacy and security and provide guidance on steps they can take to mitigate potential harm.
How to Respond to a Data Breach
- Assess the situation: Begin by identifying the scope and impact of the data breach. Determine what information was compromised and how many individuals were affected.
- Contain the breach: Take immediate action to prevent further unauthorized access or data loss. This may include disconnecting affected systems, changing passwords, or patching vulnerabilities.
- Notify affected individuals: Comply with applicable data breach notification laws and inform affected parties about the breach, potential risks, and recommended actions to protect themselves.
- Engage with law enforcement: In cases of criminal activity, such as hacking or phishing, report the breach to relevant law enforcement agencies for investigation.
- Implement a recovery plan: Develop and execute a plan to restore systems, recover lost data, and address any vulnerabilities that led to the breach.
- Strengthen security measures: Review and improve your organization's data security policies and practices to prevent future breaches.
Additionally, whilst responding it is important to:
- Maintain legal privilege: Engaging legal counsel early in the breach response process can help organizations maintain attorney-client privilege, which protects communications between an attorney and their client from being disclosed in legal proceedings. This privilege is essential in mitigating potential legal risks and facilitating a thorough investigation.
- Preserve evidence: Organizations should take steps to secure and preserve any evidence related to the breach, including logs, emails, and other electronic records. This will help investigators determine the scope and cause of the breach, as well as support any legal or regulatory actions that may follow.
- Handle public communications: Managing public communications is critical to maintaining an organization's reputation and minimizing potential damage. Develop a clear and consistent message that addresses the breach, provides information about the steps being taken to mitigate its impact, and offers guidance to affected individuals. This messaging should be regularly updated as more information becomes available.
Breach Notifications in the Cloud
Whilst both AWS and Google Cloud provide advice around responding to incidents in their clouds, Azure goes a step further and has detailed advice on handling breach notifications.
Breach notifications in cloud environments can be complicated due to shared responsibility - it is key to understand which party was breached and which has the requirements to notify impacted parties in different locations.
If you would like to learn more - we have published detailed playbooks on how to respond to security incidents in both AWS and Azure.