
How do data breaches occur? Explaining infosec concepts.

As one of many people whose personal data has been involved in multiple corporate and governmental data breaches, I get tired of finding out my data’s been stolen again. But I understand how difficult it can be to keep data secure in an environment where just about everything is connected.

If someone has data on their unencrypted laptop, and that laptop gets stolen or hacked, that’s one way data breaches occur. Someone else has physical access to your unencrypted computer. They now have access to everything on your computer AND everything online that your computer knows how to access.

But generally, criminals don’t need to get physical access. All they need is virtual access, and they get that through social engineering. Forget most of the movie hacking you’ve seen. It’s not that exciting.

Social engineering means manipulating people’s trust so that they volunteer the information the criminal needs. Social engineering is the same as a con, short for confidence game.

The Target data breach from 2013 happened when criminals gained access to Target’s systems by sending phishing emails to a third-party contractor. The contractor had access to Target’s heating, ventilation, and air conditioning (HVAC) systems. An employee of the contractor fell for the phishing email, clicked on a link that installed malware, and that was the only opening the criminals needed. The malware on the contractor’s systems then revealed logins and passwords to Target’s HVAC system.

“That’s just their HVAC system. What’s the big deal? Are they going to crank up the heat?”

Almost every system is connected to other systems now. Access to one system can lead to accessing all the systems, if they’re connected and vulnerable. The perpetrators eventually were able to access the point-of-sale terminals, allowing them to steal credit card data.
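To make "connected" concrete, here is an added example (not part of the original article) of the kind of check a defender can run over their own firewall allow-list: can anything a vendor touches reach the payment terminals, and which single rules would cut that route? The zone names and flows are constructed for illustration and are not Target's actual network.

```python
from collections import deque

# Constructed allow-list of network flows (source zone -> destination zone).
# Zone names are hypothetical; this is not Target's real topology.
FLOWS = [
    ("vendor_portal", "hvac_mgmt"),
    ("hvac_mgmt", "corp_lan"),
    ("hvac_mgmt", "file_server"),
    ("file_server", "corp_lan"),
    ("corp_lan", "pos_terminals"),
]

def shortest_path(flows, start, target):
    """Breadth-first search over allowed flows.
    Returns the list of zones from start to target, or None if unreachable."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def single_cuts(flows, start, target):
    """Flows whose removal alone makes target unreachable from start."""
    cuts = []
    for flow in flows:
        remaining = [f for f in flows if f != flow]
        if shortest_path(remaining, start, target) is None:
            cuts.append(flow)
    return cuts

if __name__ == "__main__":
    route = shortest_path(FLOWS, "vendor_portal", "pos_terminals")
    print("Route from vendor to POS:", " -> ".join(route))
    for src, dst in single_cuts(FLOWS, "vendor_portal", "pos_terminals"):
        print(f"Blocking {src} -> {dst} alone severs the route")
```

Note that blocking the obvious `hvac_mgmt -> corp_lan` rule is not enough in this sample, because a second route through `file_server` remains open.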

For more details on the Target breach, check out this article: Anatomy of the Target data breach: Missed opportunities and lessons learned | ZDNet.

Other times there’s no social engineering involved. If a vulnerability is discovered, whether by researchers or criminals, and system administrators (sysadmins) either can’t or don’t patch it fast enough, criminals can continue to take advantage of it with no one the wiser. Exploits like this can go on for months until someone happens to notice what’s going on.

The truth is, the odds are in favor of a breach, rather than against, because there are so many ways for a breach to happen, and those defending against breaches only need one weak link to leave their data vulnerable.