Data Breach

Nithyasri S May 06, 2021 | 12:15 PM Technology

A data breach is an incident wherein information is stolen or taken from a system without the knowledge or authorization of the system's owner.

Figure 1. Data Breach

Data Breach Laws

Data breach legislation differs from one country or region to another. Many countries still do not require organizations to notify the authorities when a data breach occurs. In countries such as the U.S., Canada, and France, organizations are obliged to notify the affected individuals of a data breach under certain conditions.[1]

Examples of a breach might include

  • loss or theft of hard copy notes, USB drives, computers or mobile devices
  • an unauthorised person gaining access to your laptop, email account or computer network
  • sending an email with personal data to the wrong person
  • a bulk email using 'to' or 'cc', but where 'bcc' (blind carbon-copy) should have been used
  • a disgruntled employee copying a list of contacts for their personal use
  • a break-in at the office where personnel files are kept in unlocked storage[2]

Where a breach occurs, the organisation should first establish

  • the facts of what happened
  • what personal data was involved
  • the number of people likely to be affected
  • the likelihood and severity of impact on the people affected

Three Types of Data Breaches

  1. Physical Breach
     A physical breach involves the physical theft of documents or equipment containing cardholder account data, such as cardholder receipts, files, PCs, and POS systems. It can also be referred to as corporate espionage, and the items at risk include

    • Laptop and desktop computers
    • External hard drives
    • Any other technologies that may contain cardholder data, such as Point-of-Sale equipment (standalone dial-up terminals)
    • Any other physical asset that may contain cardholder data, including hard-copy bills, faxes, credit card receipts, or blank checks

  2. Electronic Breach
     An electronic breach is unauthorized access to, or a deliberate attack on, a system or network environment where cardholder data is processed, stored, or transmitted. It can result from an attacker reaching a system's vulnerabilities through application-level attacks on web servers or websites.

  3. Skimming
     Skimming involves the capture and recording of the magnetic stripe data on the back of credit cards. It uses an external device that is sometimes installed on a merchant's POS without their knowledge.
     Skimming can also involve a dishonest employee using an external device to collect the card's magnetic stripe data. The identity thieves then use the collected data to create counterfeit credit and debit cards.[3]

References:
  1. https://www.shrednations.com/2015/08/different-types-of-data-breaches/
  2. https://www.nicva.org/data-protection-toolkit/templates/personal-data-breaches-are-you-prepared
  3. https://www.trendmicro.com/vinfo/us/security/definition/data-breach
Cite this article:

Nithyasri S (2022), Data Breach, Anatechmaz, pp. 40
