Case Study

A data breach is a security incident where information is accessed without authorization. Data breaches can be costly for businesses and damaging for consumers. The average total cost of a data breach to a company is $3.86 million. Common types of stolen data include names, credit card numbers, Social Security numbers, and financial information. Data breaches often occur due to exploiting system vulnerabilities, weak passwords, drive-by downloads, and targeted malware attacks. Stolen data is frequently sold on the dark web, where criminals buy and sell personal data obtained from large-scale breaches to carry out identity theft and fraud.

Uploaded by

Raj Singh

Report on Data Breach

What is a Data Breach?


A data breach is a security incident in which information is accessed without
authorization. Data breaches can hurt businesses and consumers in a variety of
ways. They are a costly expense that can damage lives and reputations and take
time to repair.
It may seem like stories of massive data breaches pop up in the news frequently
these days. But it shouldn’t be all that surprising.
As technology progresses, more and more of our information has been moving to
the digital world. As a result, cyberattacks have become increasingly common and
costly.
Globally, the average total cost to a company of a data breach is $3.86 million,
according to a study by the Ponemon Institute. This means that at $148 on average
per stolen record, online crime is a real threat to anyone on the internet.
According to Symantec, personally identifiable information — such as full names,
credit card numbers, and Social Security numbers — was the most common form
of data lost to data breaches in 2016, with personal financial information close
behind.
Corporations and businesses are extremely attractive targets to cybercriminals,
simply due to the large amount of data that can be nabbed in one fell swoop.

Why do data breaches occur?


Cybercrime is a profitable industry for attackers and continues to grow. Hackers
seek personally identifiable information to steal money, compromise identities, or
sell over the dark web. Data breaches can occur for a number of reasons, including
accidentally, but targeted attacks are typically carried out in these four ways:

• Exploiting system vulnerabilities. Out-of-date software can create a hole
that allows an attacker to sneak malware onto a computer and steal data.
• Weak passwords. Weak and insecure user passwords are easier for hackers
to guess, especially if a password contains whole words or phrases. That’s
why experts advise against simple passwords, and in favor of unique,
complex passwords.
• Drive-by downloads. You could unintentionally download a virus or
malware by simply visiting a compromised web page. A drive-by download
will typically take advantage of a browser, application, or operating system
that is out of date or has a security flaw.
• Targeted malware attacks. Attackers use spam and phishing email tactics
to try to trick the user into revealing user credentials, downloading malware
attachments, or directing users to vulnerable websites. Email is a common
way for malware to end up on your computer. Avoid opening any links or
attachments in an email from an unfamiliar source. Doing so can infect your
computer with malware. And keep in mind that an email can be made to
look like it comes from a trusted source, even when it’s not.

What do criminals do with my data?


Stolen data typically ends up on the Dark Web. As the name implies, the Dark
Web is the part of the Internet most people never see. The Dark Web is not indexed
by search engines and you need a special kind of browser called Tor Browser to
see it. So what’s with the cloak and dagger? For the most part, criminals use the
Dark Web to traffic various illegal goods. These Dark Web marketplaces look and
feel a lot like your typical online shopping site, but the familiarity of the user
experience belies the illicit nature of what’s on offer. Cybercriminals are buying
and selling illegal drugs, guns, pornography, and your personal data. Marketplaces
that specialize in large batches of personal information gathered from various data
breaches are known, in criminal parlance, as dump shops.
The largest known assemblage of stolen data found online, all 87GBs of it, was
discovered in January of 2019 by cybersecurity researcher Troy Hunt, creator
of Have I Been Pwned (HIBP), a site that lets you check if your email has been
compromised in a data breach. The data, known as Collection 1, included 773
million emails and 21 million passwords from a hodgepodge of known data
breaches. Some 140 million emails and 10 million passwords, however, were new
to HIBP, having not been included in any previously disclosed data breach.
Cybersecurity author and investigative reporter Brian Krebs found, in speaking
with the cybercriminal responsible for Collection 1, that all of the data contained
within the data dump is two to three years old—at least.
Is there any value in stale data from an old breach (beyond the .000002 cents per
password Collection 1 was selling for)? Yes, quite a bit.
Cybercriminals can use your old login to trick you into thinking your account has
been hacked. This con can work as part of a phishing attack or, as we reported in
2018, a sextortion scam. Sextortion scammers are now sending out emails claiming
to have hacked the victim’s webcam and recorded them while watching porn. To
add some legitimacy to the threat, the scammers include login credentials from an
old data breach in the emails. Pro tip: if the scammers actually had video of you,
they’d show it to you.
If you reuse passwords across sites, you’re exposing yourself to danger.
Cybercriminals can also use your stolen login from one site to hack into your
account on another site in a kind of cyberattack known as credential stuffing.
Criminals will use a list of emails, usernames and passwords obtained from a data
breach to send automated login requests to other popular sites in an unending cycle
of hacking and stealing and hacking some more.
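
As an added example (not part of the original report), the sketch below shows how a defender could spot the credential-stuffing pattern described above in authentication logs: one source trying many different accounts with mostly failed logins. The log format, thresholds, function names and sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

def make_sample_log():
    """Constructed auth log lines: '<ISO time> <source IP> <username> <OK|FAIL>'."""
    lines = []
    # 203.0.113.7: one attempt each against 8 different accounts in 14 seconds
    for i in range(8):
        result = "OK" if i == 5 else "FAIL"  # one reused password still works
        lines.append(f"2019-01-20T10:00:{i*2:02d} 203.0.113.7 user{i}@example.com {result}")
    # 198.51.100.4: a user mistyping their own password, then succeeding
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"2019-01-20T10:01:{i*5:02d} 198.51.100.4 alice@example.com {result}")
    # 192.0.2.9: shared office address, several users, all successful
    for i in range(6):
        lines.append(f"2019-01-20T10:02:{i*3:02d} 192.0.2.9 staff{i}@example.com OK")
    return lines

def detect_credential_stuffing(lines, window_s=60, min_users=5, min_fail_ratio=0.7):
    """Return {ip: (distinct_users, failures, attempts)} for source IPs that,
    within any window_s-second window, try at least min_users distinct accounts
    and fail at least min_fail_ratio of those attempts."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, result = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user.lower(), result == "FAIL"))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        window = deque()  # events from this IP inside the sliding time window
        for event in events:
            window.append(event)
            while (event[0] - window[0][0]).total_seconds() > window_s:
                window.popleft()
            users = {u for _, u, _ in window}
            fails = sum(f for _, _, f in window)
            # Many accounts AND mostly failures: a shared address with many
            # successful users, or one user retrying, does not match.
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                best = flagged.get(ip, (0, 0, 0))
                flagged[ip] = max(best, (len(users), fails, len(window)))
    return flagged

if __name__ == "__main__":
    for ip, (users, fails, attempts) in detect_credential_stuffing(make_sample_log()).items():
        print(f"{ip}: {users} accounts tried, {fails}/{attempts} attempts failed")
```

The single successful login inside the flagged burst is the account whose owner reused a breached password, which is the one to lock and reset first.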

Which are the biggest data breaches?


It’s the top ten countdown no one wants to be on. Here’s our list of the 10 biggest
data breaches of all time. You may be able to guess many of the companies
featured on this list, but there might be a few surprises as well.
10. LinkedIn | 117 million
Cybercriminals absconded with email addresses and encrypted passwords for 117
million LinkedIn users in this 2012 data breach. The passwords were encrypted,
right? No big deal. Unfortunately, LinkedIn used that darn SHA1 encryption we
talked about earlier. And if you have any doubts that your stolen passwords are
being decrypted, Malwarebytes Labs reported on hacked LinkedIn accounts being
used in an InMail phishing campaign. These InMail messages contained
malicious URLs that linked to a website spoofed to look like a Google Docs login
page by which cybercriminals harvested Google usernames and passwords. Still
better than that temp-to-perm ditch-digging job recruiters keep sending you.
9. eBay | 145 million
In early 2014, cybercriminals clicked “Steal It Now” when they broke into the
network of the popular online auction site and pinched the passwords, email
addresses, birth dates, and physical addresses for 145 million users. One positive
takeaway: financial information from sister site PayPal was stored separately from
user information in a practice known as network segmentation (more on that later).
This had the effect of limiting the attack and prevented criminals from getting to
the really sensitive payment info.

How can I help protect my personal information in the event of a data breach?

To help protect your identity, it’s important to take steps to help protect yourself
and your personal information. These steps can include:

• Use strong, secure passwords. Use a complex and unique password for
each of your online accounts. Keeping track of all those passwords can be
difficult, but there are products, such as Norton Password Manager, that can
help make this task easier to manage.
• Monitor your bank and other financial accounts. Check your accounts on
a regular basis for unfamiliar activity. And if the companies offer activity
alerts via text or email, it may make sense for you to sign up for them.
• Check your credit report. Do so regularly to see if a thief has attempted to
open a new credit card or another account in your name. You’re entitled by
law to a free credit report from each of the three major credit reporting
agencies every 12 months. Visit annualcreditreport.com for more
information.
• Take action as soon as possible. If you see suspicious activity, contact the
financial institution involved immediately. If your information was stolen in
a data breach, let them know that, as well.
• Secure your phone. If your phone doesn’t have a password, give it one.
Although entering a password every time you use your phone is tedious, it
provides a line of defense if your device is lost or stolen. Think about all the
information a criminal could access with your unprotected phone.
• Use only secure URLs. Reputable sites begin with https://. The “s” is key.
This is especially important when entering credit card or other personal
information.
• Implement high-quality security software. Install and use a software suite
that includes malware and virus protection — and always keep it
updated. Norton 360 with LifeLock is one such solution.
• Back up your files and ensure their safety. Norton 360 with LifeLock
Select offers 100 GB of backup for your PC in addition to its other security
features.
• Wipe your hard drive. If you are recycling your old computer, make sure
that you clear your hard drive prior to disposal. The same goes for your
smartphones and tablets.
• Avoid oversharing on social media. Never post anything pertaining to
sensitive information, and adjust your settings to make your profiles private.
While you’re at it, hold off sharing vacation pics on social media while
you’re still on vacation. That tells everyone your house may be sitting
empty, a perfect target for burglary.
• Use an identity theft protection or credit monitoring service. The mess
caused by a stolen identity could take months or even years to fix. Given the
recent number of data breaches, it’s important to consider identity theft
protection or a credit monitoring service. Norton Security now includes
LifeLock identity theft protection, helping to protect your personal
information in an age of data breaches.

What are companies doing about data breaches?


Many companies are tightening security measures and reassessing their procedures
to better protect the consumer data they use and store.
Laws and regulations are in place that require companies to take specific steps in
the event of a data breach or other security incident. Most states require companies
to send data breach notifications to consumers when their personally identifiable
information may have been compromised.
Still, you should never rely solely on others to keep your information secure. It’s
always important to take preventative measures and keep an eye on your
information.
