Transfin.

What are Data Breaches? How Can You Protect Yourself from Data Breaches?

Editor, TRANSFIN.
Apr 13, 2021 8:13 AM 6 min read
Editorial

Facebook, LinkedIn, Microsoft, BigBasket, Upstox, Mobikwik…

What connects them all?

Data breaches.

If data is the new oil, data breaches are the mega oil spills that make a massive mess, inflict untold economic damage, and take a lot of time and effort to fix.

Since January 2020, more than 13,000 data breaches are estimated to have occurred around the world. The cost of these breaches in monetary terms was an estimated $2.1trn last year (yes, trillion with a T!).


What is a Data Breach?

Simply put, a data breach is a violation of data security wherein confidential information is leaked (intentionally or unintentionally) to an unauthorised environment or stolen by hostile actors for malicious purposes.

These actors can be lone wolves acting for personal gain (aka black hats), criminal syndicates or even state-sponsored parties. The victims can be individual users, big companies or government bodies. And the data being stolen can be anything from names, passwords and phone numbers to medical records, corporate secrets and intellectual property.

The impacts of data leaks are manifold. For companies that fall victim, the costs are both direct (investigation, damages, increased cybersecurity expenditure etc.) and indirect (reputational damage, loss of clients etc.). For users, the costs can involve compromised data, credit card fraud, phishing attacks or identity theft.


Types of Data Breaches

  1. Ransomware - Malicious software that locks down systems until a certain fee is paid to the hackers (ergo, "ransom"). Payment is usually made in a cryptocurrency.
  2. Malware - Malicious software that is designed to harm or shut down systems. Sometimes, malware masquerades as anti-malware software or downloads to hoodwink users.
  3. Brute-force attacks - This involves attackers submitting many passwords or passphrases with the hope of eventually guessing a combination correctly. This seems like an endless task, but don't forget that these attacks can be automated + many people have familiar or simple passwords sans capitalisation or special characters.
  4. Keylogging - One of the older forms of cyber threats, this involves spyware that tracks and records everything you type on to your keyboard and sends that information to a third party. (Fun fact: Keyloggers were first used by the Soviet Union in the 1970s to monitor IBM's electric typewriters.)
  5. Phishing - When someone mimics a reliable entity to gain access to sensitive data. Often, phishing is a consequence of a data breach where bad actors launch phishing attacks on the email IDs or phone numbers that were leaked.
  6. Distributed Denial-of-Service - This is when hackers make it impossible for a company to log in to its systems (ergo, "denial of service"). These attacks are usually carried out by internet trolls or activists as a form of digital vigilantism.

Additionally, the EU’s General Data Protection Regulation (GDPR) rules categorise data leaks thus:

  • Confidentiality breach, where there is an unauthorised or accidental disclosure of or access to personal data. (This type of breach is most common with patients' records.)
  • Availability breach, where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
  • Integrity breach, where there is unauthorised or accidental alteration of personal data.


Some Examples of Data Breaches

Data breaches are a serious issue, especially for a country like India, which is increasingly embracing digitisation and technology in all sectors, from payments and banking to health and education, and especially at a time when more and more companies are relying on digital databases or cloud computing to store sensitive information.

What’s more, the problem seems to be escalating. In 2020, the volume of records that were compromised by data leaks jumped 141% YoY to a colossal 37 billion. And since not all organisations report such breaches, the actual toll is likely to be much higher.

When it comes to the number of data breaches, it has been rising steadily in recent years. (Again, actual numbers may be higher.)

FYI: In 2020, this number nearly halved, possibly on account of increased vigilance and the shift to working-from-home, which dissuaded in-house bad actors from accessing sophisticated hacking tools (since they were stuck at home).

What are the Laws Designed to Tackle Data Breaches?

Broadly speaking, they can be of two kinds - (1) defensive or preventive measures that mandate adequate digital infrastructure to protect against leaks and (2) remedial measures that ensure a breach is reported and acted upon.

One: This encompasses broad legislation against cybercrime as a whole. Globally, 154 countries (79%) have enacted cybercrime legislation, but Asia and the Pacific have the lowest adoption rate at 55%.

Two: Security breach notification laws mandate organisations that have been affected by a data breach to notify their customers of the same at the earliest and take steps to shore up their cybersecurity infrastructure so that such attacks don't take place again. Such laws are important because they let consumers know if their data is compromised + incentivise companies to ensure data security.

The strength of such regulations varies by country. In some (like New Zealand, Qatar and the Philippines), data leak notifications are mandated by law. In others (like the US), there are legal provisions for the same but they vary by state. And in some countries (like Argentina, Malaysia, Russia, Saudi Arabia, Serbia etc.), such measures are either not yet in place or in place only for the private sector or certain sectors of the economy.

The holy grail of data security legislation, of course, is the EU’s GDPR, the implementation of which in 2018 sparked similar policies in other countries and brought the conversation about data privacy to the mainstream (yet another example of the Brussels effect). Article 33 of the GDPR requires any data breach to be reported “without undue delay and where feasible, within 72 hours after having become aware of it”. 


India and Data Breaches

The Indian Constitution guarantees all citizens privacy as a fundamental right. When it comes to the legal protection of this right, as of today there is a myriad of laws regarding data protection. These include the IT Act, Consumer Protection Act, SPDI Rules, and various rules imposed by the RBI, SEBI, Government and others.

To ensure uniformity under one law, the Personal Data Protection Bill was approved by the Cabinet and tabled in Parliament in 2019. It is yet to be passed and has proven controversial: proponents say it simplifies the law and champions data localisation, while critics argue it gives the Government open-ended exemptions that could lead to the surveillance of citizens.

In its current form, the Bill envisages the establishment of a Data Protection Authority (DPA) which would receive reports of breaches, investigate the same, and take remedial action if necessary. In the event of a breach, the “data fiduciary” would be required to report the breach to the DPA "as soon as possible". The DPA would then judge the severity of harm that may have been caused (“harm” here can be mental, emotional or physical).


How Can You Prevent Data Breaches?

The internet is a great place, an infinite repository of all kinds of information, much of it freely available to anyone and everyone. But the internet can also be a dangerous place, one that will be risky even with the strongest safeguards in place. But don’t resort to fatalism - there’s still much you can do to protect yourself from data breaches:

  • Invest in good antimalware or antivirus software. Additionally, invest in tools that scan your systems for vulnerabilities and give you cybersecurity ratings so that you know where you stand.
  • Things don't stop with installing such protective applications. Scan your systems regularly + keep the applications updated.
  • Keep yourself (and your co-workers/employees) aware of new forms of cyber threats and how to protect oneself against them. Even something basic like how to identify phishing emails can go a long way.
  • Keep strong passwords + try not to have the same password for different log-ins + try using a password manager.
  • Back up important files on an external hard disk (and store the same safely) so that in the event of a breach you don't lose access to what's important.
  • Speaking of which, have a plan ready in the event of a breach so that you immediately alert the affected accounts and the authorities, who can try to catch the hackers.

Prevention is better than cure! Suspicious email? Delete it. An app asking you for too much personal information? Uninstall it. A website with too many pop-up ads? Shut it down.

In the end, always be vigilant and on the lookout for anything phishy. (Sorry!)

FIN.