What To Do After Data Breach – Ultimate Guide

Data breaches can affect any organization, regardless of its size. With victims in industries including, but not limited to, healthcare, education, finance, technology, and automobiles, the sheer number (and variety) of assets that can be compromised is huge. According to a 2020 study, the assets compromised across small and large organizations are now mostly reached through social attacks, whereas in 2013 ATMs and POS (point-of-sale) terminals were attacker favorites.
(Source: 2020 Data Breach Investigations Report)
Since there is no particular metric that allows organizations to determine how likely they are to face a data breach – besides insecure system, network, and endpoint policies – it is necessary for everyone to be adequately prepared ahead of time. In case your organization has already fallen prey to an attack, you must take prompt action to isolate targeted systems, assess the breach, inform all victims, seek professional help, and protect your organization against future breaches.
What To Do After Data Breach – Steps
Isolation and Containment
The very first step you must take after detecting a breach is to isolate each system that has been compromised. This prevents the attacker(s) from reaching other systems on the same network. It involves cutting internet connectivity, disabling SSH, confirming that the organizational firewall is operating as intended, and tightening overall network and endpoint security.
Assess the Situation
Prevention comes only after analysis – unless you know what went wrong, you can’t stop it from happening again. In order to assess the data breach and figure out what went wrong and how it happened, the following questions must be answered:
- How was the breach initiated?
- Which endpoints were active during the breach?
- Which type of data and systems did it target?
- In which order were these nodes attacked?
- Which types of attacks were carried out?
This can be done by scanning all emails, checking your firewall's security logs, and going through the logs of your Intrusion Detection System or antivirus software.
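As an added example (not code from the original guide), the script below takes a handful of constructed log lines of the kinds mentioned above, from a mail gateway, authentication, an IDS and a firewall, sorts them into a timeline, classifies each one, and answers the five assessment questions mechanically. The log format, host names, IP addresses, asset map, byte threshold and IDS signature name are all constructed assumptions; real vendor logs differ and need their own parsers.

```python
"""Reconstruct a breach timeline from log lines to answer the assessment questions.

Added example, not code from the original guide. The log format, host names,
IP addresses, asset map and IDS signature name are constructed for illustration;
real firewall, IDS, mail-gateway and authentication logs vary by vendor.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample log lines, deliberately out of order: "<ts> <source> <host> k=v ...".
SAMPLE_LOGS = [
    "2020-07-14T09:12:03Z ids ids-core event=alert sig=LATERAL_MOVEMENT_SMB src=10.0.5.17 dst=10.0.5.40",
    "2020-07-14T08:58:00Z av ws-fin-07 event=scan result=clean",
    "2020-07-14T09:02:11Z mail mailgw-01 event=inbound to=jdoe@corp.example from=billing@attacker.example url=http://attacker.example/sso verdict=delivered",
    "2020-07-14T09:05:40Z auth ws-fin-07 event=login user=jdoe result=success src=198.51.100.23 method=password",
    "2020-07-14T09:10:09Z fw fw-edge event=allow src=10.0.5.22 dst=198.51.100.80 dport=443 bytes=2048",
    "2020-07-14T09:20:30Z fw fw-edge event=allow src=10.0.5.40 dst=198.51.100.23 dport=443 bytes=734003200",
]

# Constructed asset inventory (what a CMDB would supply) and the organization's own ranges.
ASSET_IPS = {"10.0.5.17": "ws-fin-07", "10.0.5.22": "ws-hr-03", "10.0.5.40": "srv-db-02"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SENSOR_SOURCES = {"ids", "fw", "mail"}   # the logging host is a sensor, not the node under attack
EXFIL_BYTES = 100 * 1024 * 1024          # constructed threshold for one outbound flow
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Split one line into timestamp, source, logging host and key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, source, host, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source, "host": host, "fields": fields}


def is_external(ip):
    """True when the address lies outside the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(event):
    """Map an event to an attack category, or None when it looks benign."""
    f, src = event["fields"], event["source"]
    if src == "mail" and f.get("verdict") == "delivered" and "url" in f \
            and not f.get("from", "").endswith("@corp.example"):
        return "phishing"
    if src == "auth" and f.get("result") == "success" and "src" in f and is_external(f["src"]):
        return "stolen credentials"
    if src == "ids" and f.get("event") == "alert":
        return f.get("sig", "ids alert").lower().replace("_", " ")
    if src == "fw" and f.get("event") == "allow" and "src" in f and "dst" in f \
            and not is_external(f["src"]) and is_external(f["dst"]) \
            and int(f.get("bytes", "0")) >= EXFIL_BYTES:
        return "data exfiltration"
    return None


def nodes_of(event):
    """Internal nodes an event touches, resolved to asset names where known."""
    nodes = [] if event["source"] in SENSOR_SOURCES else [event["host"]]
    for key in ("src", "dst"):
        ip = event["fields"].get(key)
        if ip and not is_external(ip):
            nodes.append(ASSET_IPS.get(ip, ip))
    return nodes


def build_timeline(lines):
    """Parse, sort by time and classify every line."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    for e in events:
        e["category"] = classify(e)
    return events


def assess(lines):
    """Answer the five assessment questions from the guide for a batch of log lines."""
    timeline = build_timeline(lines)
    hostile = [e for e in timeline if e["category"]]
    if not hostile:
        return {"initial_access": None, "active_endpoints": [], "targeted_systems": [],
                "attack_order": [], "attack_types": []}
    first, last = hostile[0]["ts"], hostile[-1]["ts"]
    # Endpoints seen in any log, benign or not, between the first and last hostile event.
    active = {n for e in timeline if first <= e["ts"] <= last for n in nodes_of(e)}
    order, types = [], []
    for e in hostile:
        for n in nodes_of(e):
            if n not in order:
                order.append(n)
        if e["category"] not in types:
            types.append(e["category"])
    return {
        "initial_access": f"{hostile[0]['category']} at {first.isoformat()}",
        "active_endpoints": sorted(active),
        "targeted_systems": sorted(order),
        "attack_order": order,
        "attack_types": types,
    }


if __name__ == "__main__":
    for question, answer in assess(SAMPLE_LOGS).items():
        print(f"{question}: {answer}")
```

Running it prints the initial-access event, the endpoints active between the first and last hostile event, the systems touched in the order they were reached, and the attack categories seen. The rules in classify are deliberately simple; the point is that a sorted, classified timeline with an asset lookup is what turns raw logs into answers to the questions above, and that a benign line (the small outbound flow, the clean AV scan) must be kept in the timeline even though it is not itself an attack.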
Inform Victims
The data breach your organization faced may affect both individuals and organizations. It is important to inform all victims on time – whether they are employees, partners, vendors, or customers – and stick to the facts. They must be told about all the data that was affected and how severe the breach was. Transparency and honesty are of utmost importance in such situations, where your organization’s brand value is at stake. The disclosure must always come from your side, not from media outlets or from the attacker. Failure to do so may result in public distrust.
In case personally identifiable information such as phone numbers, bank account/card details, birthdays, or names was leaked, individual victims will have to secure their personal and professional accounts on time. This can be done by changing passwords and following password best practices to ensure maximum security at the personal level.
Contact Security Analysts
Seeking professional help is necessary, especially if your organization is large and/or deals with sensitive data. Security analysts can not only perform vulnerability assessments to determine the current level of (in)security in your organization, but they can also help you with remediation steps, system security patching, and future protection options.
Invest in Insurance
While anticipating data breaches might not be possible, arranging for financial protection in their wake surely is. Cyber Liability Insurance aims to shield clients from data breaches and provide financial assistance in case one takes place. Possible expenses include legal fees, recovery spending, PR damage recovery, loss of market share, etc.
Now that you know how to start securing your organization, you can start learning about these attacks in-depth. So what exactly are data breaches, who is behind them, and what can you do to stay safe?
Data Breach 101
You must have come across the term ‘Data Breach’ numerous times, but do you truly understand what it means, and what it entails? Probably not. We imagine data breaches to be a part of high-level, fully funded business wars in which corporations pay hackers to steal competitor data, and get an edge over them. While this is certainly one example of a data breach, it isn’t the definition.
A data breach is simply an instance of unauthorized access to information. It may be intentional or unintentional, involving internal or external perpetrators, dealing with individual-level or organization-level victims, and could be carried out through a large variety of attacks.
(Source: 2020 Data Breach Investigations Report)
It has been observed that while attackers, victims, and targeted industries don’t necessarily share backgrounds, they still include some commonalities – as seen above. Financial motivation is almost always present in targeted and intentional attacks, and 43% of all data breaches involve web applications at some point or another. Unauthorized access to user credentials has been noted in 37% of breaches, while only 22% of them involve phishing. These statistics give us an insight into the mindsets of attackers who carry out data breaches to exploit data and systems – costing organizations $3.86 million on average, every year.
Types of Data Breaches
As mentioned earlier, data breaches don’t always affect businesses and aren’t always financially motivated attacks. There is a wide range of attacks that can be a part of data breaches, and they can be used individually or in a combination.
(Source: 2020 Data Breach Investigations Report)
While RAM scraping malware was a favorite amongst attackers who caused data breaches back in 2015, phishing has taken over in 2020. Awareness about viruses, their propagation, and their effects – along with affordable and complex, automated protection services – has caused Trojan attacks to go down from being the third most popular attack to the sixth. The high percentage of phishing and stolen credentials suggests that perpetrators now prefer social engineering attacks over technical attacks.
Besides the various types of attacks involved in data breaches, the breaches themselves can be of different types – depending on the industry that is being targeted. The most common examples are:
Government Data Breach
Government data breaches can take place at various levels – local bodies, state bodies, or national bodies. This includes different ministries, defense forces, and federal bodies. Any type of information that is leaked from such organizations constitutes a data breach.
These breaches are especially harmful as governments have unimaginably extensive records of highly sensitive data – including names, relatives, birthdates, bank details, social security numbers, educational and professional histories, etc., of millions of people.
Attackers who gain unauthorized access to such sensitive information can use it for a number of nefarious purposes – such as identity theft, credential sale, tax fraud, etc.
Financial Data Breach
Bank fraud, employment fraud and identity theft are the most common results of financial data breaches – i.e., the accidental exposure of your financial details by a company you’re associated with. Using your details – such as name, bank account, phone number – perpetrators can apply for loans, make purchases, indulge in expensive subscriptions, etc – draining you of money and possibly trapping you in criminal behavior.
Healthcare Data Breach
The healthcare industry is one of the least secure industries, which is why it is constantly under attack from hackers. With a (dark) market price of up to $1000, medical records are extremely attractive for attackers trying to get easy money. The usage of thousands of Internet of Things (IoT) devices in every hospital building makes unauthorized access child’s play, and gives extremely high returns.
Education Data Breach
Educational institutions often hold records of details such as student grades and attendance, parents’ government-issued identities, and financial aid records. Additionally, they have employee records like any other workplace.
This highly sensitive information can be misused with ease, once obtained. Besides the misuse of personal information, alteration of data is also possible. Since schools and universities don’t always update their security systems promptly, they’re extremely vulnerable to malware.
Service Industry Data Breach
This is a huge industry, spread across multiple fields. Ranging from OTT platforms and gaming websites to e-commerce applications and event ticketing companies, the service industry is money-driven and PII-fueled.
Since almost everyone participates in this industry at some point or the other, we’re all at risk – constantly. A single data breach could (and has!) result in millions of names, email IDs, phone numbers, financial details, addresses – and much more – getting leaked and misused.
Perpetrators Responsible for Data Breaches
While the popular image of perpetrators responsible for data breaches is a team of hoodie-clad young people sitting in dark basements, typing away furiously at their complex computer systems, this is far from the reality. While external – paid or unpaid – attackers are definitely a majority of perpetrators, research shows that unorganized threat actors could also be responsible for data breaches.
(Source: 2020 Data Breach Investigations Report)
With over 30% of all data breaches involving internal members of affected organizations, data breaches can be caused by anyone. They could be intentional and organized, or unintentional and arbitrary. Only around 55% of data breaches are caused by organized criminal groups who have a clear motive behind the attack, and still 70% of these attacks are carried out by external parties.
(Source: 2020 Data Breach Investigations Report)
Successful breaches typically involve a series of well thought-out, organized attacks that work together to expose the required data. However, this is not always the case. Accidents by authorized users within an organization could also leak data, as seen in 8% of all data breaches. Since all employees are humans, the problem of human error exists as well.
Social engineering attacks are a part of 22% of data breaches, exploiting this human error by singling out gullible internal actors. Another problem is malware. Since it can be delivered over a wide range of platforms – emails, text messages, links, downloadable applications – it is very hard to eliminate the risk of an unintentional entry point being provided to malicious parties.
Industry-Wise Steps for Safety
While the post-breach procedure is roughly the same for each industry, there is a certain way to go about it for different types of data breaches in different industries. As an individual victim, you must follow the outline given below:
Government Data Breach
Once you have confirmed the occurrence of a government data breach with the affected authorities, find out what type of data was accessed. If details like your name, phone number, social security number, etc., were exposed, seek the agency’s help and monitor your accounts for suspicious activity. Make sure you change all your passwords promptly.
Financial Data Breach
Start off by contacting the company that faced the data breach to avoid falling for fake information being spread by con men pretending to help you. If your sensitive, personal information truly has been stolen, accept the company’s help for remediation. Follow this by contacting other authorities that may be of help to you, and block accounts that could be accessed by attackers. Finally, stay proactive and involved in each development, as attackers often use stolen credentials slowly, and over a long period – to avoid detection.
Healthcare Data Breach
When it has been confirmed that your data was accessed in a breach, proceed further based on what was stolen. While stolen social security numbers require a lot of help, credit or debit cards can simply be blocked and replaced. Go through all your medical records again, as altered records pose a high risk in life and death situations. Identity theft could also take place, resulting in expensive medical procedures taking place in your name, on your cards.
Education Data Breach
The first step after the confirmation of a breach is to assess which type of data has been exposed. If financial data – such as card details, bank account details, and loan details – is leaked, attackers may use it to conduct fraudulent activities that result in a low credit score at best (well, comparatively), and criminal behavior at worst.
To avoid this, accept your institution’s help if it’s being offered. This could include clean-up costs such as legal fees, credit monitoring, etc. Change all passwords immediately, and monitor your accounts for suspicious activity.
Service Industry Data Breach
As always, you must assess what data has been stolen and how you can protect associated assets. If the organization is offering help, take it, but make sure it covers everything you need to recover – whether that’s in the form of resources or finances. If your needs are not being met, look for third-party help, but don’t compromise on your personal security. Follow this up with a change in passwords, and thorough monitoring of accounts.
General Precautions against Data Breaches
There are certain steps that can be taken to minimize the risk of data breaches by organizations and reduce their impact on individuals. Being proactive is of number one importance as it enables quick recovery and low chances of breaches.
Organization-Level
- Be attentive and stay updated at all times. Make sure there are dedicated teams keeping track of all the hardware and software assets being accessed by your organization.
- Ensure that all endpoints are properly configured and secured.
- Employ services that protect all browser activity and incoming or outgoing email.
- Invest in a good firewall and overall Intrusion Prevention System.
- Make sure all logs are constantly maintained and managed.
- Protect your organization’s network by securing all ports.
- Implement a no-trust (zero-trust) policy and grant users privileges on a need-to-know basis.
- Invest in constant vulnerability management, penetration tests, and red and blue team exercises.
- If a data breach still occurs, follow our detailed guide for timely mitigation and damage control.
- Heighten security and learn from the experience instead of hiding it.
Individual-Level
- Always install software updates on time, as they often include security fixes.
- Set strong passwords on all accounts and change them periodically.
- Always use two-factor or multifactor authentication. Safety over convenience.
- Do not trust links from anyone – regardless of whether they are known or unknown, trusted, or untrusted.
- Monitor all online and offline activity associated with your accounts. Do not shrug off unrecognized activity as a mistake; follow up on it to determine how and/or why it took place.
Data Breach FAQ
What type of data can be stolen in data breaches?
Everything – from names, social security numbers, phone numbers, bank account details, credit and debit card details, medical records, birthdays, academic records, salary details, etc – can be stolen by attackers. It depends on who they attacked, how they attacked, why they attacked, and what data they care about.
How can my data be used?
The most common use of stolen credentials is identity theft. Stolen identities can be used for a wide variety of activities, posing different levels of danger. From buying subscriptions in your name, accessing medical benefits meant for you, using your identity as theirs for illegal activity, etc, identity theft can turn one’s world upside down.
What should I do if my data got stolen?
Contact the organization that faced the breach to assess what’s at risk. Accept their help – data recovery can be expensive and time-consuming. For additional help, talk to government bodies that can provide assistance and make sure you’re always aware of financial activity being carried out in your name. If anything seems suspicious, block your accounts and report them immediately.
I noticed suspicious activity on my accounts – what now?
Firstly, make sure that the activity truly is unauthorized. We often add family members as secondary account holders and forget about it. If you’re convinced that a third party is responsible, contact customer support for further guidance.
How do I keep myself safe from future breaches?
Always use strong authentication methods and update them every few months. This way, even if your stolen credentials include usernames and passwords, they will not be usable. Look out for scams targeting organizations you’re connected to and monitor all sorts of activity – even when breaches haven’t been reported.