There are several technical root causes of data breaches, including accidental or intentional disclosure of information by insiders, loss or theft of unencrypted devices, hacking into a system by exploiting software vulnerabilities, and social engineering attacks such as phishing where insiders are tricked into disclosing information.
Thus, people whose personal data was compromised are at elevated risk of identity theft for years afterwards and a significant number will become victims of this crime.
A data breach is a violation of "organizational, regulatory, legislative or contractual" law or policy[2] that causes "the unauthorized exposure, disclosure, or loss of personal information".
[14] Opportunistic criminals may cause data breaches, often using malware or social engineering attacks, but they will typically move on if the security is above average.
[17] State-sponsored hackers target either citizens of their country or foreign entities, for such purposes as political repression and espionage.
[18] The Pegasus spyware—a no-click malware developed by the Israeli company NSO Group that can be installed on most cellphones and spies on the users' activity—has drawn attention both for its use against criminals such as drug kingpin El Chapo and for its use against political dissidents, facilitating the murder of Jamal Khashoggi.
[19] Despite developers' goal of delivering a product that works entirely as intended, virtually all software and hardware contains bugs.
[27] Hashing is also a good solution for keeping passwords safe from brute-force attacks, but only if the algorithm is sufficiently secure.
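As an added illustration (not part of the original article) of why the hash algorithm matters: an unsalted, single-round SHA-256 lets a criminal match leaked hashes against a precomputed table in one lookup, whereas a salted, iterated password hash forces a fresh, deliberately slow computation for every guess against every user. The example assumes PBKDF2-HMAC-SHA256 from Python's standard library as the "sufficiently secure" choice and uses a constructed four-entry password list as the attacker's dictionary.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample wordlist (illustrative, not a real cracking dictionary).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def weak_hash(password: str) -> str:
    """Unsalted, single-round SHA-256: fast, and identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"", iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 with a work factor, stored as iterations$salt$hash."""
    salt = salt or os.urandom(16)          # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_table_hits(leaked_hashes: List[str]) -> Dict[str, str]:
    """Defender's check: which leaked unsalted hashes fall to a precomputed table?

    The table is built once and reused against every user, which is exactly
    what a salt prevents.
    """
    table = {weak_hash(p): p for p in COMMON_PASSWORDS}
    return {h: table[h] for h in leaked_hashes if h in table}


def guess_salted(stored: str, candidates: List[str]) -> Tuple[Optional[str], int]:
    """Try candidates against one salted record; return (match, PBKDF2 evaluations).

    Each guess costs a full PBKDF2 run for this user alone, so the work scales
    with users x guesses x iterations rather than one cheap lookup.
    """
    evaluations = 0
    for candidate in candidates:
        evaluations += 1
        if verify_strong(candidate, stored):
            return candidate, evaluations
    return None, evaluations
```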
[30][29] As a result, outsourcing agreements often include security guarantees and provisions for what happens in the event of a data breach.
Social engineering attacks rely on tricking an insider into doing something that compromises the system's security, such as revealing a password or clicking a link to download malware.
[41] Defense measures can include an updated incident response strategy, contracts with digital forensics firms that could investigate a breach,[42] cyber insurance,[43][7] and monitoring the dark web for stolen credentials of employees.
Daswani and Elbayadi recommend having only one means of authentication,[48] avoiding redundant systems, and making the most secure setting default.
[49] Defense in depth and distributed privilege (requiring multiple authentications to execute an operation) also can make a system more difficult to hack.
[50] Giving employees and software the least amount of access necessary to fulfill their functions (principle of least privilege) limits the likelihood and damage of breaches.
[64][65] Many companies do not have sufficient expertise in-house, and subcontract some of these roles;[66] often, these outside resources are provided by the cyber insurance policy.
[67] After a data breach becomes known to the company, the next steps typically include confirming it occurred, notifying the response team, and attempting to contain the damage.
[68] To stop exfiltration of data, common strategies include shutting down affected servers, taking them offline, patching the vulnerability, and rebuilding.
[69] Once the exact way that the data was compromised is identified, there are typically only one or two technical vulnerabilities that need to be addressed in order to contain the breach and prevent it from reoccurring.
[81] Many companies offer free credit monitoring to people affected by a data breach, although only around 5 percent of those eligible take advantage of the service.
[84] Criminals often sell this data on the dark web—parts of the internet where it is difficult to trace users and illicit activity is widespread—using anonymity networks such as Tor (.onion services) or I2P.
[85] Originating in the 2000s, the dark web, followed by untraceable cryptocurrencies such as Bitcoin in the 2010s, made it possible for criminals to sell data obtained in breaches with minimal risk of getting caught, facilitating an increase in hacking.
[82] A person's identifying information often circulates on the dark web for years, causing an increased risk of identity theft regardless of remediation efforts.
[80][92] Even if a customer does not end up footing the bill for credit card fraud or identity theft, they have to spend time resolving the situation.
[96] Other impacts on the company include lost business, reduced employee productivity due to systems being offline or personnel redirected to working on the breach,[97] resignation or firing of senior executives,[78] reputational damage,[78][98] and an increased future cost of auditing or security.
[99] Some experts have argued that the evidence suggests there are not enough direct costs or reputational damage from data breaches to sufficiently incentivize their prevention.
[107] The cost of breach notification can be high if many people were affected and is incurred regardless of the company's responsibility, so it can function like a strict liability fine.
[105] Filling this gap are the standards required by cyber insurance, which is held by most large companies and functions as de facto regulation.
[78][122] Legal scholars Daniel J. Solove and Woodrow Hartzog argue that "Litigation has increased the costs of data breaches but has accomplished little else.