More and more data privacy laws are being passed around the world, and they include required actions and potential penalties in the event of a personal data breach. At the same time, more of consumers’ data is stored and shared online. Safeguarding the personal data of users, visitors, and customers to websites, apps, and connected media devices has never been more important.
Legal requirements are only one part of it. A data breach destroys customers’ trust in a company and damages its brand reputation. Through no fault of their own, consumers can be faced with identity theft, fraud, and financial losses. These harms discourage them from sharing their information with the company, and can push them to stop doing business with it entirely. This can have serious long-term consequences for growth and revenue.
The time, money and resources spent on a robust data privacy and protection program can be incredibly valuable to companies today and in the future, especially as technologies, regulations, and consumer expectations continue to evolve rapidly. We will look at what constitutes a personal data breach, how they happen, consequences, and preventive measures.
What is personal data?
The general definition of personal data (also called personal information or personally identifiable information) is used fairly consistently across data privacy laws. The version in Art. 4 of the European Union’s General Data Protection Regulation (GDPR) is quite detailed: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
In other words, it applies to information about a person, in digital or physical format, that can be used to identify an individual directly or combined with other information. This information is regularly collected about people during their online activities, including web browsing, playing games, or making ecommerce purchases.
Sensitive personal data
Some forms of personal data are classified under data privacy laws as “sensitive”, requiring specific restrictions and special handling. Sensitive personal data includes information that could be more harmful if misused, often including specific identification numbers like passport or social security; financial, health or genetic information; or personal details like religious or political beliefs; or sexual orientation or gender identity. Any personal data of known children is often also categorized as sensitive by default under a number of data privacy laws.
What is a personal data breach?
A personal data breach is any unauthorized access to, disclosure, alteration, or loss of personal data, whether malicious or accidental, involving data like names, addresses, social insurance numbers, email addresses, account information, and financial records. Some intrusions are carried out by people probing how vulnerable a system is; more commonly they are carried out for financial gain. Organizations also hire “white hat” penetration testers to attack their own systems under contract, which is authorized testing rather than a breach.
The weakest link in an organization’s security may not be computer systems. Sometimes breaches are the result of human manipulation or error. When an organization detects a personal data breach in its systems or with a third-party service provider, prompt action and notifications are critical.
How does a personal data breach occur?
Personal data breaches can occur in a variety of ways, including through poor corporate security practices, hacking, social engineering, phishing, or physical theft of devices. Those responsible for a breach can be malicious external actors (like hackers), a company’s own employees, or third-party service providers, like contractors or business partners.
Data breaches can hit any kind of organization, from B2B corporate entities to tech giants to retail companies to hotel chains. The larger the company is, the larger the volume of data they are likely responsible for, and thus the larger the potential risk.
The sensitivity of the data varies by organization and industry. For example, a company that manages financial or healthcare information has much more sensitive data stored than a company that only has user account names and email addresses.
Data can often be linked across sources, so a breach that only exposes email addresses is not “safe”: the address can be matched against other available (or previously stolen) information to build a more detailed profile of an individual.
Sometimes an organization learns of a breach very quickly after it’s happened. Other times they may not become aware of it for weeks or months, making mitigation more difficult.
Types of personal data breaches
A personal data breach can take a number of forms, including but not limited to:
- Unauthorized access – an individual or group gains unauthorized access to personal data, bypassing security measures or exploiting vulnerabilities
- Data leakage – inadvertent exposure of personal data due to misconfiguration, human error, or malicious intent
- Data loss – accidental or deliberate loss of personal data, often arising from hardware or software failures
- Malware attacks – intrusions by malicious software such as viruses, ransomware, or spyware that compromise personal data
- Social engineering – manipulation techniques employed to deceive individuals into revealing personal data, often through phishing emails or fraudulent phone calls
Personal data breach examples
There have been many widely publicized personal data breaches around the world, though some of the most prominent have involved US-based companies. It should be noted that while these are massive global examples, personal data breaches can happen at any organization and be as simple as someone sending an email or attachment to the wrong person, or forwarding a document where all the information in the version history is accessible.
The largest personal data breach to date at Yahoo
The largest personal data breach to date by number of affected accounts happened at Yahoo. Attacks in 2013 and 2014, disclosed in 2016 and 2017, ultimately affected all of Yahoo’s roughly 3 billion accounts; US authorities attributed the 2014 intrusion to hackers working with Russian intelligence officers. The attackers had backdoor access to Yahoo’s user database, stole a backup copy of it, and used the stolen account data to forge session cookies that let them log in to accounts without a password.
Data stolen included names, email addresses, phone numbers, birth dates, hashed passwords, security questions and answers (some unencrypted), and, through the forged cookies, account contents such as calendar entries.
The Microsoft Exchange Server breach affecting tens of thousands of organizations
Beginning in January 2021 and continuing until Microsoft released emergency patches in early March, attackers exploited on-premises Microsoft Exchange email servers at an estimated 60,000 organizations worldwide, some 30,000 of them in the United States. The compromised systems were customers’ self-hosted Exchange servers, not Microsoft’s own infrastructure.
Four zero-day vulnerabilities (flaws exploited before a patch exists) were chained to gain unauthorized access to mailboxes on the servers. The attackers then installed web shells, which gave them persistent backdoor access and a foothold for moving into other systems. Microsoft attributed the campaign to a Chinese state-sponsored group, and the US government and FBI later formally blamed China for the attacks.
The personal data leak from poor security and design at First American Financial Corp.
In May 2019, financial services company First American Financial was found to have exposed roughly 885 million files. The incident is described as a leak rather than a breach because no intrusion was involved: the cause was insecure website design and poor data security.
Documents were served without any authentication or authorization check. All a person needed to view a sensitive document was its link, and because the document IDs in the URL were sequential numbers, changing a single digit returned another customer’s records. This class of flaw is known as an insecure direct object reference (IDOR): the server trusts a client-supplied identifier without checking that the caller is entitled to the object it names.
Data accessible included drivers’ license numbers, Social Security numbers, bank account numbers, bank statements, mortgage payment documentation, and wire transfer receipts.
In 2021 the company was fined roughly US $500,000 by the Securities and Exchange Commission for disclosure-control failures, including that its own security testing had identified the vulnerability months before it was reported publicly, without it being fixed.
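To make the First American flaw concrete, the following is an added example (written for this article, not code from First American or any real system) that models a document endpoint as plain Python functions returning an HTTP status and body. The store, users, and session tokens are constructed sample data. The vulnerable handler serves any document whose sequential ID is guessed; the hardened handler requires a session, checks ownership server-side, and uses random handles so the ID space cannot be walked.

```python
"""Insecure direct object reference (IDOR) beside its fix.

Added example for this article, not code from First American or any real system.
The document store, users and session tokens below are constructed sample data;
the handlers model an HTTP endpoint as plain functions returning (status, body).
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    owner: str
    title: str
    body: str


# Constructed sample data: three customer documents keyed by a sequential ID,
# the pattern that made the First American documents enumerable.
_DOCS: dict[int, Document] = {
    1001: Document("alice", "Wire transfer receipt", "ALICE-WIRE-RECEIPT"),
    1002: Document("bob", "Bank statement", "BOB-STATEMENT"),
    1003: Document("bob", "Mortgage payoff letter", "BOB-PAYOFF"),
}

# Constructed sessions: token -> authenticated user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


# --- Vulnerable handler -----------------------------------------------------

def insecure_get_document(doc_id: int) -> tuple[int, str | None]:
    """GET /documents/<doc_id> with no session and no ownership check.

    Anyone who has, or guesses, an ID receives the document.
    """
    doc = _DOCS.get(doc_id)
    return (200, doc.body) if doc is not None else (404, None)


def enumerate_insecure(start: int, count: int) -> list[str]:
    """Attacker view: walk the sequential ID space and keep every 200 response."""
    hits = []
    for doc_id in range(start, start + count):
        status, body = insecure_get_document(doc_id)
        if status == 200:
            hits.append(body)
    return hits


# --- Hardened handler -------------------------------------------------------
# 1. Callers must present a valid session.
# 2. The server checks that the session's user owns the document (the real fix).
# 3. Public handles are random, so the ID space cannot be walked even if the
#    ownership check were ever bypassed; unknown and foreign handles both give
#    404 so a probe cannot learn whether a handle exists.

_HANDLES: dict[str, int] = {secrets.token_urlsafe(16): doc_id for doc_id in _DOCS}


def list_my_documents(session_token: str) -> tuple[int, list[str]]:
    """GET /documents: the only way a user learns handles, and only their own."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, []
    return 200, [h for h, i in _HANDLES.items() if _DOCS[i].owner == user]


def secure_get_document(session_token: str, handle: str) -> tuple[int, str | None]:
    """GET /documents/<handle> with authentication and an ownership check."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    doc_id = _HANDLES.get(handle)
    doc = _DOCS.get(doc_id) if doc_id is not None else None
    if doc is None or doc.owner != user:
        return 404, None  # same answer for "missing" and "not yours"
    return 200, doc.body


def enumerate_secure(session_token: str, attempts: int) -> list[str]:
    """Attacker view with a valid session: guessing handles yields nothing."""
    hits = []
    for _ in range(attempts):
        status, body = secure_get_document(session_token, secrets.token_urlsafe(16))
        if status == 200:
            hits.append(body)
    return hits


if __name__ == "__main__":
    print("insecure enumeration:", enumerate_insecure(1000, 10))
    _, bobs = list_my_documents("sess-bob")
    print("bob reads own:", secure_get_document("sess-bob", bobs[0]))
    print("alice reads bob's:", secure_get_document("sess-alice", bobs[0]))
    print("secure enumeration:", enumerate_secure("sess-alice", 1000))
```

The ownership check is the actual fix; the random handles are defense in depth. Obscuring IDs alone would not have helped First American, because a link that was legitimately shared or leaked would still have served the document to anyone holding it.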
The highly sensitive personal data breach of the Equifax credit monitoring and reporting service
Typically if you’re the victim of a personal data breach, you will use a credit reporting agency to monitor for unauthorized activity. But what if the breach is at the credit reporting agency? This happened to Equifax in 2017, affecting roughly 163 million people worldwide, the large majority of them in the United States. The public was not notified until more than a month after the company discovered the breach.
Given the highly sensitive data the company handled, it was heavily criticized for negligence and poor security practices. The attackers entered through a known vulnerability in a web application framework on a public-facing server; a patch had been available for months but had not been applied. Once inside, poor network segmentation, credentials stored in plaintext, an expired certificate on the device meant to inspect outbound traffic, and unnecessarily broad access permissions let them move among servers and exfiltrate large volumes of sensitive data for over two months before detection.
Equifax settled with the FTC, the CFPB, and US states and territories in 2019 for at least US $575 million (up to US $700 million depending on consumer claims). The company also spent over US $1.4 billion on cleanup and rebuilding its data protection infrastructure.
The many personal data breaches affecting Facebook
The social platform has the dubious distinction of having experienced multiple very large personal data exposures. These include incidents in March 2019 (up to 600 million users’ passwords found stored in plaintext in internal logs), April 2019 (540 million records left in publicly readable cloud storage by a third-party app developer), and later in 2019 (over 300 million user records exposed on an unsecured database server). The Cambridge Analytica scandal, made public in 2018 (up to 87 million user profiles), was one of the most highly publicized, and in April 2021 a dataset of about 530 million users’ phone numbers and profile details, scraped in 2019, was posted online.
The causes ranged from passwords being logged in plaintext internally, to a third-party developer failing to protect its dataset, to attackers abusing a contact-import feature of the Facebook API to scrape phone numbers at scale, to a quiz app harvesting data not only from users who installed it but from their friends.
Data involved included names, account names and IDs, passwords, phone numbers, and more.
Facebook was found to have known about the Cambridge Analytica data harvesting since 2015, but did not act until a whistleblower made it public in 2018. In 2019 the FTC imposed a record US $5 billion penalty on the company for violating a 2012 consent order on its privacy practices. The FTC also took enforcement action against Cambridge Analytica, its former CEO, and the developer of the quiz app.
The personal data breach at Marriott International caused by weak data security
In September 2018, Marriott discovered that an unknown third party had been accessing the guest reservation database of Starwood, the hotel group Marriott acquired in 2016 (Marriott’s own reservation systems were not affected). The breach was announced in November 2018 with an initial estimate of 500 million affected guests, later revised down to about 383 million records. The intruders had been inside the Starwood network since 2014.
Four years’ worth of guest data was copied and encrypted by the attackers for exfiltration. Names, addresses, and email addresses were stolen for about 173 million guests, and names, credit card information, home addresses, email addresses, phone numbers, passport numbers, Starwood account information, birth dates, genders, and reservation details were stolen for about 327 million guests.
Marriott was found to have had lax data security, having neither adequately assessed the Starwood systems at acquisition nor secured them afterwards, which left the database vulnerable to unauthorized access for years. The UK Information Commissioner’s Office fined Marriott £18.4 million (about US $24 million) in 2020 for failing to keep personal data secure as the GDPR requires.
The most wide-ranging and damaging personal data breach: the Indian Aadhaar identification database
Aadhaar is the world’s largest identification database, holding identity and biometric data for over 1 billion Indian residents. Aadhaar numbers are used for everyday bureaucratic functions such as applying for state aid or financial assistance, opening a bank account, or enrolling for utilities.
The exposure came to light in January 2018. Researchers found that the website of a state-owned utility company queried Aadhaar records through an API with no access controls, so anyone could retrieve records simply by supplying a number. Extensive personal data was reported to be accessible, including names, addresses, ID photos, phone numbers, and email addresses; some reports also claimed biometric data such as fingerprints and iris scans was exposed, which the operating authority disputed. Because the unique 12-digit ID numbers are linked to bank accounts, the exposure also created financial fraud risk.
A security researcher raised the alarm about the exposure in January, but was ignored. Despite increasing news coverage, the vulnerable API was not taken down for two months, until after ZDNet published the story for its American audience. (The news outlet had also previously reached out to Indian authorities, to no avail.) The consequences are ongoing and nearly impossible to calculate, as the exposed data remains in circulation, enabling cheap and easy identity theft.
What is a security incident and how is it different from a data breach?
A personal data breach is a subset of security incidents. A security incident is any event that compromises the confidentiality, integrity, or availability of information or systems. The information involved need not be personal data, and personal data need not have been accessed at all.
A personal data breach is a security incident that specifically results in unauthorized access to, disclosure, alteration, or loss of personal data. A denial-of-service attack that takes a website offline, or malware on a build server that holds no personal data, is a security incident but not a personal data breach. An attacker who exfiltrates a customer table, an employee who emails a customer list to the wrong recipient, or ransomware that encrypts the only copy of patient records is a personal data breach. Intent does not matter: accidental loss counts. Every personal data breach should first be handled as a security incident, so that it is detected, contained, and investigated before the notification decision is made.
Risks and penalties from a personal data breach
Personal data breaches can have serious consequences for individuals and organizations. It can also be difficult to accurately determine the damage as effects may continue for years (like with the Aadhaar breach) and not all damage or malicious usage of stolen data may come to light.
Individuals victimized by personal data breaches can experience identity theft, financial loss, and reputation damage. To say nothing of the time and stress in dealing with it all, which can drag out for years.
Organizations can face regulatory penalties as well as the direct costs of investigation, remediation, and litigation. Under the GDPR, administrative fines come in two tiers: up to €10 million or 2% of annual global turnover, whichever is higher, for violations such as failing to notify a breach or failing to secure data adequately; and up to €20 million or 4% of annual global turnover, whichever is higher, for the most serious violations, such as breaching the basic principles for processing or data subjects’ rights.
When must data breaches involving personal data be reported?
In most jurisdictions, organizations are required to report personal data breaches to the relevant authorities. The exact requirements for reporting personal data breaches may vary depending on the jurisdiction and the nature of the breach.
For example, under the GDPR, organizations must report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Other laws set fixed deadlines, commonly 30 to 60 days, or require notification “without unreasonable delay”.
Organizations must also notify affected individuals when the breach is likely to result in a high risk to their rights and freedoms (the GDPR’s wording), for example where financial details, passwords, or identity documents were exposed. It is not uncommon for organizations to offer mitigating measures to affected customers, such as a year or two of free credit monitoring.
The website haveibeenpwned.com reports on data breaches and notifies people who register their contact information if their email address or phone number has been involved in a breach. Users can also search for email addresses or domain names to see if they have been breached.
How to prevent a personal data breach
Preventing personal data breaches requires a combination of technical and organizational measures. Some key steps that organizations can take to prevent personal data breaches include:
- Audit the organization’s data to know what data they collect and store, where it is, how it’s stored, who can access it, and for what purposes.
- Appoint a Data Protection Officer to oversee data protection operations and enforcement. This is a requirement of some data privacy laws.
- Conduct regular security assessments to identify vulnerabilities and address them proactively.
- Implement strong access controls, such as multi-factor authentication and role-based access granting the minimum permissions each role needs.
- Provide regular security awareness training to employees to help them identify and avoid common security threats, such as phishing attacks.
- Encrypt sensitive data both in transit and at rest, and manage the keys separately from the data so that a stolen database or backup is not readable on its own.
- Develop and implement a comprehensive data protection policy that outlines how personal data is collected, used, stored, and shared. Making this information publicly available, e.g. on the website, is a requirement of most data privacy laws.
- Limit the amount of personal data collected, how long it is kept, and who has access to it to the minimum necessary for the purpose that it was collected.
What to do if a personal data breach occurs
If a personal data breach does occur, it is important to take immediate action to limit its impact and to meet legal obligations. Note that the “cure period” some US state privacy laws grant, commonly 30 or 60 days to fix a violation after notice from the regulator and thereby avoid a fine, applies to compliance violations generally; it does not extend breach notification deadlines, and the GDPR has no such provision.
Some key steps to take when a personal data breach occurs:
- Contain the breach by isolating affected systems from the network and revoking or limiting access to sensitive information. Preserve evidence first where possible (logs, memory, disk images) rather than wiping and rebuilding, since the investigation depends on it.
- Assess the impact of the breach to determine what information has been compromised and what risks exist for affected individuals.
- Notify the relevant authorities and affected individuals in accordance with applicable laws and regulations.
- Where possible, recover affected data or ensure it’s destroyed.
- Conduct a thorough investigation to determine the cause of the breach and identify any vulnerabilities that need to be addressed.
- Implement measures to prevent similar breaches from occurring in the future. (Which, in addition to system improvements, can include training or termination of employees.)
Conclusion and next steps
Personal data breaches are a serious threat to individuals and organizations alike. Unfortunately, with so much personal data online these days, they happen often, and too many companies’ lax security practices make them desirable targets.
Demands from customers and users for robust data security and privacy, as well as comprehensive data privacy and protection laws can help push companies towards stronger data security and lower the risk of a personal data breach.
By understanding what personal data breaches are, how they occur, and the steps that can be taken to prevent them, individuals and organizations can reduce their risk of experiencing one. By taking data protection seriously and demonstrating a commitment to privacy and security, organizations can build trust with their customers and stakeholders and protect their reputations.
If you don’t have a consent management solution in place on your website yet, try Cookiebot CMP free for 14 days and see for yourself how our industry-leading technology can help you automate data privacy compliance.
Usercentrics A/S (Cookiebot™) does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.