The data presented in the previous section paint a broad picture of the extent and impact of data breaches around the world. This section highlights case studies that shine a light on key issues and gives examples of the leading causes of data breaches, and their impact.
As seen in the previous section, the leading trend in data breaches is outside attacks,mostly by hackers for financial gain, but also some state-sponsored attacks, and some by hacktivists for political or moral reasons. These outside attacks can exploit a known vulnerability or use a zero-day exploit. They can directly attack the organisation, indirectly attack it through a connected third party, or via an employee using social engineering.
Other, less prevalent causes of data breaches are inside attacks and accidents (such as employee error). Inside attacks, by employees, may be easier to achieve than an outside attack, given the access required by, or afforded to, employees in the course of their job. The prototypical example of this is the undetected access that Edward Snowden had, as a contractor, to the secrets of the US National Security Agency (NSA). Accidents can include anything from human mistakes in developing a system that unwittingly allows access to simply losing a drive or computer with personal or confidential data.
The case studies also highlight the impact of data breaches on users, third parties, and the organisations. They show how easy some attacks are, but also how difficult it is for organisations to protect against all threats. They also show how large the impact of a data breach can be – both financially and otherwise – extending well beyond the organisation breached.
For users, the case studies highlight the increasing sense of insecurity we feel when going online, as we put trust in organisations whose security we could not possibly assess. An ever increasing number of us have been directly impacted by a data breach, or indirectly via a family member or friend.
Finally, as the world of ubiquitous Internet of Things (IoT) grows, vulnerabilities that lead to data breaches of organisations’ systems can also apply to IoT, with perhaps even greater impact on users. First, of course, connected devices, such as baby monitors, can contain sensors, including for video and audio, that can yield personal information about the users. Beyond data breaches, we may also put our safety in the control of Internet connected devices, such as medical devices or connected cars, which may be susceptible to attack. While this is a broader issue than data breaches, the causes may be the same and should be considered in addressing the general security of these devices as a matter of priority.
In practice, data breaches have a range of causes and impacts. Some of the breaches highlighted here are hard to understand because a known piece of malware, some of which can be purchased online such as the BlackPOS, leads to breach after breach without prevention. Others are puzzling because no one knows, or reveals, how they were accomplished, leading to little learning and no prevention.
All breaches can have an impact on the organisation, its employees, customers, and even third parties. In some cases, the organisations face a steep financial and reputational cost and the CEO resigns. In some cases, employees, and even their families, have their personal details and emails leaked. And in most, cases, the users who put their trust in an organisation for professional financial, health, or even amorous services, bear the brunt of the breach.
Looking forward, the known data breaches may be the tip of the iceberg for users. It is incredibly distressing to have one’s health records stolen and sold. It is potentially fatal to have one’s health devices hacked and overridden. As the Internet of Things is taking hold, people are increasingly putting their lives in the control of devices provided by companies whose core focus is on manufacturing or service provision, rather than data security, and may not understand the vulnerabilities and what attackers are capable of doing to their newly connected devices, or how to prevent it.
The next section raises the known issues contributing to data breaches. If these breaches cannot be addressed, it is hard to see how the next generation of devices and systems will be adequately protected.