Data breaches occur when sensitive, confidential, or protected information is accessed or disclosed without proper authorization.
These breaches involve the unauthorized access or theft of physical devices or documents.
Example: Community Mercy Health Partners (CMHP) inadvertently disposed of patient lab records in a public recycling dumpster. The records, which included sensitive patient data such as names, health information, and Social Security numbers, were found in the dumpster by law enforcement.
According to the 2020 Internet Crime Report (IC3), the FBI received 15,421 internet/digital crime complaints related to tech support fraud from victims in 60 countries. This makes digital environments a common target for attackers.
Example: In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, fell victim to a ransomware attack that significantly impacted the US healthcare system. This attack disrupted key services, including claims processing and prescription management, and delayed patient care across the country. Sensitive medical data, such as diagnoses, medications, and test results, was exposed, affecting millions of Americans.
Threats can also come from within an organization. The 2024 Insider Threat Report found that in the past year, 83% of organizations reported at least one insider attack.
Mistakes can lead to significant data exposure.
Example: In a recent accidental breach in the US healthcare sector, a family practice group experienced a breach due to a misdelivered email. An employee from a billing company sent an email containing sensitive patient information for 70 individuals to the wrong address. The email was not encrypted, and efforts to contact the unintended recipient were unsuccessful. The breach led to the disclosure of protected health information (PHI), and the healthcare group had to comply with HIPAA breach notification requirements.
Organizations rely on third-party vendors, which can become weak links.
Example: In July 2024, HealthEquity fell victim to a supply chain attack that resulted in the theft of sensitive patient data. A compromised personal device of a business partner allowed threat actors to access HealthEquity's systems.
Cybercriminals exploit human behavior to gain access to sensitive information.
Example: On 12 August 2024, Linus Sebastian, the founder of Linus Tech Tips (LTT), received a suspicious email claiming to be from X (Twitter).
While primarily disruptive, DDoS attacks can serve as distractions for data theft.
Example: In early 2023, the KillNet group, a pro-Russian hacking collective, targeted several healthcare organizations with distributed denial-of-service (DDoS) attacks.
Stolen login credentials from previous breaches are used to gain unauthorized access to accounts.
Example: Roku, the streaming service, revealed that 576,000 accounts were compromised due to a credential stuffing attack. Hackers used automated bots to enter stolen login credentials from other websites into Roku's login pages, targeting users who use the same passwords across different platforms.
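One way a defender can spot the pattern described above in authentication logs, shown as an added example that is not part of the original article. The log tuple format, the thresholds, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth log: (epoch_seconds, source_ip, username, success)
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", "alice", False),
    (1004, "203.0.113.7", "bob", False),
    (1009, "203.0.113.7", "carol", True),
    (1013, "203.0.113.7", "dave", False),
    (1018, "203.0.113.7", "erin", False),
    (1022, "203.0.113.7", "frank", False),
    (1030, "198.51.100.4", "grace", False),  # ordinary user mistyping a password
    (1041, "198.51.100.4", "grace", False),
    (1055, "198.51.100.4", "grace", True),
]

def detect_stuffing(events, window_s=300, min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: usernames that logged in successfully} for sources whose
    traffic looks like credential stuffing: many distinct accounts tried
    within one time window, with most attempts failing.
    Thresholds are illustrative assumptions, not tuned values."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most window_s seconds.
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            window = rows[start:end + 1]
            accounts = {user for _, user, _ in window}
            failures = sum(1 for _, _, ok in window if not ok)
            if len(accounts) >= min_accounts and failures / len(window) >= min_fail_ratio:
                # Any success from a flagged source is a likely account takeover:
                # these are the accounts to lock and force a password reset on.
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS))
```

Grouping by source address alone misses attempts spread across many addresses, so pair it with per-account and site-wide failure-rate monitoring.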
Unauthorized sharing or exposure of data due to improper handling.
Example: Real Estate Wealth Network accidentally exposed sensitive personal and financial information of millions of individuals, including high-profile celebrities, because it left database folders unprotected by passwords. This was a clear case of unsecured data sharing, as the data was accessible to anyone who knew where to find it, without any cyberattack being involved.
Exploiting weaknesses in software applications can grant attackers unauthorized access.
Example: Between November and December 2023, ResumeLooters compromised retail and recruitment websites using open source tools and penetration testing frameworks in its SQL injection attacks.
Organizations handling large amounts of personal, financial, or health-related data are at higher risk. This includes industries such as: