This article is brought to you by Aura.

How Do Data Breaches Happen? What Can You Do About Them?

There were 4,145 publicly disclosed breaches in 2021 alone, representing over 22 billion compromised data records. How do data breaches happen?


      Has Your Personal Data Been Leaked in a Breach?

      Marilyn Young was excited about the ‘80s reunion concert she had just bought tickets for, but she never anticipated what followed [*]. Months after the purchase, she got a notification from Ticketmaster confirming that she had transferred her tickets to someone else.

      A scammer had found her username and password online and had taken over her account.

      Ticketmaster issued Marilyn a new set of tickets, but most victims aren’t so lucky. When hackers leak passwords, financial data, or other private information, the damage can be devastating and often irreversible.

      There were 4,145 publicly disclosed data leaks in 2021 alone, representing over 22 billion compromised data records [*]. And those numbers are mounting — data breaches in the first quarter of 2022 surpassed those in 2021 by 14% [*].


      What is a Data Breach?

      An intentional or inadvertent security incident that exposes sensitive, confidential data to unauthorized third parties is known as a data breach. The exposed information can include:

      • Personally Identifiable Information (PII) such as Social Security numbers (SSNs), driver’s license numbers, or even criminal records.
      • Protected Health Information (PHI) such as medical conditions or health insurance information protected under the Health Insurance Portability and Accountability Act (HIPAA).
      • Intellectual property (IP) such as trademarks, patents, or trade secrets.


      How Do Data Breaches Happen?

      A data breach refers to any instance in which someone accesses data that they aren't allowed to see. Most breaches expose consumers’ sensitive information. Criminals can sell this information on the Dark Web or use it themselves to bilk victims.

      Cyberattacks

      In cyberattacks, threat actors take advantage of security vulnerabilities in the technology that protects important data. This is by far the most common type of data breach, representing 86% of the 2021 attacks reported by the Identity Theft Resource Center [*].

      Common types of cyberattacks

      • Malware. A user installs malicious software on a computer that harms the operating system. Spyware — a type of malware — then pilfers personal information from vulnerable user accounts.
      • Ransomware. This is a type of malware that encrypts the data on a computer or system, making the data unusable unless the victim pays a fee.
      • Credential stuffing. Cybercriminals use leaked usernames and passwords on other sites. For example, they will try to log in to your email account with the username and password exposed in a social media breach.
      • DNS tunneling. DNS tunneling abuses the Domain Name System, hiding data inside DNS queries and responses to connect a victim’s computer to the attacker’s. Since it’s the DNS resolver that facilitates this tunnel, it’s almost impossible to detect the connection.
      • Denial-of-service (DoS). DoS attacks flood a website with bogus requests so that the server can’t handle legitimate requests.
      • Cross-site scripting (XSS) attack. In this attack, a hacker sends code to a server instead of a legitimate entry — e.g., including a JavaScript snippet instead of a username. For applications that aren’t correctly set up, hackers can run this code and harm the user, the application, or both.
      • Trojan horse. Like the Greek myth, a Trojan horse is something that looks legitimate on the outside, but cloaks an attack. Trojan malware might look like a harmless attachment, app, or extension — and even operate as such — but it contains malicious code to harm your machine.
      • SQL injection. Like an XSS attack, a SQL injection happens when a hacker sends harmful code instead of legitimate requests. SQL refers to the language used for databases, and these kinds of attacks typically involve pilfering information from a database.
      • Zero-day exploit. Zero-day attacks use previously unknown security flaws, so cybersecurity experts have “zero days” of preparation. These are perhaps the most dangerous type of attacks. A 2020 report showed that zero-day vulnerabilities were responsible for 80% of successful data breaches [*].
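
The XSS and SQL injection items above share one root cause: an application treats user input as code. The following Python sketch is an added example, not part of the original article. It shows the flawed handling of a username field beside the corrected form, and its table, function names, and sample inputs are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for a user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("o'brien", "obrien@example.test"),
        ],
    )
    return db


def lookup_vulnerable(db, username):
    # Flaw: the input is pasted into the SQL text, so the database
    # parses whatever the user typed as part of the statement.
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(query)]


def lookup_hardened(db, username):
    # Fix: a bound parameter is always handled as a value, never as SQL.
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in db.execute(query, (username,))]


def greet_vulnerable(username):
    # Flaw: the input is pasted into the page, so a browser would
    # interpret any markup it contains.
    return "<p>Welcome, " + username + "</p>"


def greet_hardened(username):
    # Fix: escape HTML metacharacters so the input is displayed as text.
    return "<p>Welcome, " + html.escape(username) + "</p>"


# Constructed inputs of the kind the article describes: code in place of a username.
SQL_INPUT = "nobody' OR '1'='1"
XSS_INPUT = "<script>alert(1)</script>"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", lookup_vulnerable(db, SQL_INPUT))  # every email leaks
    print("hardened lookup:  ", lookup_hardened(db, SQL_INPUT))    # no such user
    print("hardened lookup:  ", lookup_hardened(db, "o'brien"))    # real name still works
    print("vulnerable page:  ", greet_vulnerable(XSS_INPUT))
    print("hardened page:    ", greet_hardened(XSS_INPUT))
```

The vulnerable lookup also fails on the legitimate name `o'brien`, a sign that input is reaching the SQL parser, which is often how these flaws surface in testing.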

      📌 Zoom out: Keep constant tabs on your credit and financial accounts with credit monitoring. Aura can alert you in near real-time if someone is trying to open new accounts in your name.

      Take action: If you think someone is misusing your personal information, try Aura’s identity theft protection free for 14 days to secure your identity.

      System and human errors

      Among the weakest points of any system are its human gatekeepers. Criminals take advantage of misconfigured software or use social engineering — a type of hack meant to manipulate people’s emotions — to perform a breach.

      Examples of system and human errors

      • Phishing occurs when a hacker purporting to be a trusted authority tricks someone into sharing personal information. A hacker breached the software company Twilio in 2022 by sending fake text messages to employees, warning them of expired passwords [*]. The link in the texts led to a Twilio sign-in page clone designed to steal credentials.
      • Physical correspondence. Phishing scams don’t have to be overly technical. A newly emerging way for cybercriminals to install malware is to send victims a USB drive with a letter that appears to come from a trusted company. When connected to a computer, the drive immediately installs malware.
      • Misconfigured firewalls. Firewalls prevent certain types of information from passing in and out of networks, but require precise settings and permissions. It’s easy for an IT administrator to set these up incorrectly.
      • Delay in patching. Patches are software updates that fix known vulnerabilities. But when users put off installing updates, their systems are still at risk. In 2017, Equifax suffered one of the largest data breaches in history because the company failed to install a security patch on time [*].
      • Unsecured cloud environment. Many companies today use cloud platforms like Microsoft Azure, Google Cloud Platform, or Amazon Web Services; but they may not have set them up correctly. A 2021 report from Zscaler found that the average business had 40 instances of exposure while using a cloud service [*].

      Physical attacks

      We often consider physical attacks a problem of the past. But because they are often overlooked, physical attacks can be the most crippling.

      Examples of physical attacks

      • Lost device or document. A lost device that has important data stored on it can find its way into the wrong hands — giving the finder everything on the hard drive and even unauthorized access to secure websites.
      • Document theft. An identity thief only needs one identity document, like an ID card or medical record, to launch a successful attack. For example, a New York woman was charged in 2022 for stealing more than $29,700 from a victim’s bank account using only a stolen driver’s license [*].
      • Device theft. Personal laptops, tablets, and smartphones are delectable morsels for identity thieves. If a thief steals your device, they can gain access to all your documents and the logins to all your accounts, including bank accounts.
      • Improper disposal. Careless disposal of old credit cards, identifying documents, and even junk mail with pre-approved offers can increase the risk of a cybercrime. Thief-turned-consultant Frank Abagnale, of Catch Me If You Can fame, explains that it only takes a few hours to reconstruct documents that have been destroyed with low-security shredders [*].

      Here’s How a Data Breach May Affect You

      For businesses

      Businesses are quickly becoming primary targets for hackers. Businesses have access to more resources — whether through revenue, loans, or stock — than individuals. And there are more entry points. A criminal only needs to trick one employee, out of dozens or even hundreds, to orchestrate a successful, large-scale hack.

      And cybercriminals hack small businesses just as often as they do Fortune 500 companies. For example, hackers infiltrated a truck parts company in 2021 exposing the SSNs of over 6,500 people in the company’s database [*].

      Types of data stolen

      • Personal data of employees, customers, or partners
      • Financial information, like company credit card numbers
      • Trade secrets, like product designs or forthcoming patent applications
      • Internal company documents, like financial reports or memos
      • For businesses in healthcare: medical records and insurance information

      Potential risks

      • Ransomware, which forces companies to pay money to regain access to their data
      • Blackmail, i.e., extorting businesses to pay to prevent the release of stolen sensitive data
      • Market attacks, like stock shorting or insider trading that is based on stolen information
      • Corporate espionage, based on stolen trade secrets
      • Cryptojacking, i.e., installing cryptocurrency mining software on compromised machines
      • “Hacktivism,” in which hackers defame brands in the name of a cause
      • Damaged brand image, for any company that’s had sensitive user data exposed


      For government agencies

      Government agencies are targets much like businesses, but they often hold much more sensitive and important data. For example, a 2022 California Department of Justice breach leaked the names, addresses, and permit types of all concealed-carry permit holders in the state [*].

      Types of data stolen

      • Personal data of employees, citizens, or government officials
      • Government or military secrets
      • Classified documents, sealed records, or other private data
      • Financial information, like account numbers of financial institutions

      Potential risks

      • Exposing information of private citizens
      • Ransomware, forcing governments to spend taxpayer money
      • Disinformation, changing official data, or publishing falsehoods
      • Stolen funds from compromised financial accounts

      For individuals

      Nearly everyone has fallen victim to a data breach, even if they don’t know it. The most valuable use for this sensitive data is identity theft, in which a criminal fraudulently pretends to be you — typically for financial gain.

      Types of data stolen

      • PII like dates of birth or phone numbers
      • Bank account credentials and credit card numbers
      • Medical records and insurance information
      • IDs like driver’s licenses or SSNs
      • Private photos, videos, or text messages
      • Login credentials, like usernames and passwords, or mobile device passcodes

      Potential risks

      • Loan fraud, using your identity to apply for loans in your name
      • Medical fraud, using insurance benefits or receiving healthcare in your name
      • Tax fraud, using your identity to claim a fraudulent tax refund
      • Financial fraud, stealing money from your accounts or maxing out credit cards
      • Account takeovers, using stolen login information to commandeer accounts
      • Blackmail, threatening to expose private data for money
      • Internet of Things (IoT) compromise, controlling smart devices around your home


      How Much Does a Data Breach Cost?

      A 2022 report from IBM shows that the average breach worldwide costs $4.35 million — with an average of $9.44 million in the United States [*]. These figures can increase with ransomware threats. The average ransom paid in 2021 was $511,957 [*].

      This average includes large-scale cyber attacks that aren’t applicable to small businesses. The data showed an average cost of $164 per compromised record. 

      So a small business that keeps information on 1,000 customers, employees, and suppliers could estimate the cost of a breach to be around $164,000.

      These costs include the price of fixing the vulnerability, informing customers, losing business, and paying fines for violating laws like the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR).

      And it’s not just companies that are affected. For 60% of the breached companies, those expenses resulted in higher prices trickling down to consumers.


      The Biggest Data Breaches From 2021–2023

      1. PayPal, 35,000 accounts (January 2023). A credential-stuffing attack compromised the PayPal accounts of tens of thousands of users. While not as large in scope as some of the other data breaches, the direct access to victims' PayPal accounts makes this one of the worst data breaches of the year [*].
      2. LinkedIn, 500 million (April 2021) and 700 million users (June 2021). LinkedIn suffered two data compromises in 2021. The first happened in April and exposed the data of 500 million users, and the second in June exposed the data of 700 million users — 92% of all users on the site [*].
      3. Facebook, 533 million (April 2021). The personal data of over 500 million Facebook users was leaked on a hacking forum in April 2021 [*]. The data included users’ full names, phone numbers, email addresses, locations, and biographical information.
      4. Android apps, 100+ million users (May 2021). In May 2021, security firm Check Point Research discovered at least 23 popular Android apps with misconfigured database settings that let anyone pull data from the cloud [*]. Potentially exposed data included emails, passwords, dates of birth, payment information, phone numbers, locations, chat histories, photos, and more.
      5. T-Mobile, 76.6 million users (August 2021). A hacker infiltrated T-Mobile servers in 2021 and exposed the names, driver's license numbers, SSNs, and device identification numbers of employees and current, former, and prospective customers [*].
      6. Neiman Marcus, five million customers (September 2021). In September 2021, retailer Neiman Marcus discovered a data breach that had occurred in 2020 and exposed the names, contact information, and payment card details of almost five million customers [*].


      Other major data breaches

      Once your data has been breached, it can stay on the Dark Web indefinitely. You may also be the victim of these large attacks from years past:

      • Robinhood: five million affected users in November 2021 [*]
      • Microsoft: 250 million breached customer service records in January 2020 [*]
      • Marriott: 500 million affected customers in November 2018 [*]
      • U.S. voter data: 198 million affected Americans in 2017 [*]
      • Equifax: 147 million affected consumers in September 2017 [*]

      📌 Pro tip: Protect your entire family against losses and damages from identity theft and fraud. Every adult member on any Aura plan is covered by a $1,000,000 insurance policy for eligible losses due to identity theft.

      Think Your Data Is at Risk? Do This

      If you learn that you’ve been a victim of a data breach or see suspicious activity on your accounts and think that you may have been hacked, here’s what to do.

      Confirm the breach and identify what data was leaked

      • State law requires companies to inform users of data breaches, but don’t trust an email by itself. Fraudsters use these messages as phishing attacks to steal your personal information.
      • Don’t click on links in any data breach notification — instead confirm it on news sites or the official company website. You can also learn if your data has been leaked using a Dark Web scan.

      Lock down your accounts

      • Once you know your data has been exposed in a security breach, change the password of the affected account and that of any other account that uses the same password.
      • Choose unique passwords that are at least 12 characters long and include numbers, symbols, and uppercase and lowercase letters. A password manager like the one that is included with every Aura plan can securely store all of your passwords, so you don’t have to remember each one.
      • If possible, set up two-factor authentication (2FA) for all sensitive accounts. Continue to monitor your accounts for unfamiliar logins, new transactions, or other signs that someone else has accessed them.
      • Affected companies may also send other specific follow-up instructions as part of their data breach response plan. These steps may not just contain existing data security gaps but also prevent data breaches in the future.

      Secure your credit

      • If personal data like your Social Security number has been leaked, criminals may apply for credit in your name. Secure your free credit reports from AnnualCreditReport.com and review them for any suspicious activity, such as new accounts, incorrect balances, or credit checks that you don’t recognize.
      • Also consider setting up a fraud alert or security freeze at the three major credit bureaus (Experian, TransUnion, and Equifax). If you set up a fraud alert, you only need to contact one bureau. To set up a freeze, you’ll need to contact all three credit reporting agencies.


      Notify authorities

      • If your data has been exposed in a breach, follow the specific recommendations for data breaches from the Federal Trade Commission (FTC) at IdentityTheft.gov/databreach.
      • If you know someone has already used your data fraudulently, report identity theft at IdentityTheft.gov and follow the prompts for next steps.
      • Also report the theft to the FBI’s Internet Crime Complaint Center at IC3.gov. Finally, file an identity theft report with local law enforcement for additional documentation that you may need during the recovery process.
      Take action: Aura’s $1,000,000 identity theft insurance covers lost wages, phone bills, and other expenses due to identity theft. Try Aura free for 14 days and see if it’s right for you.

      Sign up for identity theft monitoring

      • Identity theft monitoring can help protect you by tracking your personal details across the Dark Web and alerting you of any suspicious activity.
      • Many companies offer free identity theft monitoring after a security breach, typically for one year. Consider this if it fits your needs.

      Even if you’re not the victim of a data breach, consider protecting yourself with identity theft monitoring. 

      Some of the most critical tasks needed for cybersecurity protection are laborious or nearly impossible for humans to do. Imagine spending hours (or days) scanning credit statements, Dark Web archives, and up-to-date breach information.

      That’s why millions of Americans use an identity and credit monitoring service like Aura. Aura protects your entire family — including children, who are particularly susceptible to identity theft. 

      Aura also secures your devices and Wi-Fi network from malware and phishing attacks so that you can continue to safely browse, bank, shop, and use social media online.

      Ready for ironclad identity theft protection? Sign up for Aura’s 14-day free trial.

      Editorial note: Our articles provide educational information for you to increase awareness about digital safety. Aura’s services may not provide the exact features we write about, nor may cover or protect against every type of crime, fraud, or threat discussed in our articles. Please review our Terms during enrollment or setup for more information. Remember that no one can prevent all identity theft or cybercrime.
