The emergence of the digital workplace has opened the door to data breaches, cyber attacks and data leakages. A data breach occurs when confidential, sensitive information is accessed, stolen or released by an unauthorised party.
According to the Ponemon Institute, the accumulated cost to a company from a data breach is $3.86 million on average. Hackers may blackmail companies by holding information hostage, threatening to leak private data and demanding a ransom. Data breaches are therefore invasive and extremely costly, both financially and in terms of the damage they can do to a company’s reputation.
Stolen data could include:
This data can then be sold or used for fraud and identity theft. Hackers tend to sell stolen information on the dark web, as happened in April 2020, when Facebook was breached, leaking the identities of 267 million users. Although passwords were not included, the hacker stole names, email addresses, dates of birth and phone numbers, all information that could be used to target the users with phishing.
Similarly, in May 2014, eBay experienced a data breach that impacted 145 million users. The attacker used three employees’ details to break in and for 229 days accessed names, addresses, dates of birth and encrypted passwords. Although credit card information remained safe, customers were required to renew their passwords and in turn, eBay’s client confidentiality was affected.
An instance of a medical breach was the NHS Highland data breach, where almost 300 patients’ details were sent to members of the public. This included contact details, dates of birth and the name of their clinic.
Breaches often occur through cyber attacks, weak passwords, malware attacks from infected emails, drive-by downloads from compromised webpages, payment card fraud and theft of office computers. They can also occur through human error, via accidental insider leaks, as well as through intentional disclosure by employees with access to confidential data and systems.
Attackers can use employees as their way into an organisation’s information. They usually exploit weak systems by researching the company’s infrastructure to find loopholes, or target employees by analysing their social media and constructing emails that can trick an employee into clicking on infected links or following phishing messages. Fraudsters also make use of phone numbers, calling to ask for card details while pretending to be a bank employee or a service provider. So, how do you avoid a data breach and protect your sensitive information?
Remember that banks and regular corporations never ask for personal information over the phone or by email. Look out for correspondence that asks you to reset your password or receive compensation, or tells you to act immediately to recover funds.
Ensure that:
There are now laws requiring companies to inform customers if they have had a data breach, in case personal information has been compromised. To avoid this happening in the first place, get good defences in place and be alert.