How to establish if you have been affected by a data breach & what to do next
Think you’ve been involved in a data breach?
Think you’ve been involved in a data breach? This post can support you in finding out where and when, and it lists a suggested course of action to take.
THE SOURCES AND COMPONENTS OF A BREACH
Generally speaking, there are 3 types of data breaches : A) A physical breach. This involves the physical theft of documents or equipment such as PCs, POS systems and bank cardholder receipts. B) An electronic breach, where a LAN is purposefully attacked. C) Skimming, where data on the magnetic strip of POS systems are captured and recorded.
Which type of breach happens most frequently? If we can know, then we can take action. Upon investigating we found that according to DarkReading, a leading online source of Cyber Security Information, the 3 most common sources of data breaches in 2021 were:
1) Phishing or stolen credentials as a result of a cyber-attack (87%)
2) A mistake, such as lost devices or incorrect configuration a system (10%)
3) A physical attack, such as a skimmer at a gas station pump that steals payment card data (3%). Over a third (38%) of data breaches did not reveal the root cause of a compromise (not specified, unknown, or not available), a 190% increase since 2020. (DarkReading 02/04/2022)
This means that 97% of attacks are theoretically speaking mostly preventable as much can be done to prevent attacks and human error.
THE IMPACT OF A BREACH
THE IMPACT OF A BREACHDepending upon the type of data involved, a breach can result in:
- Destruction or corruption of databases,
- The exposure of sensitive and confidential information,
- And theft of intellectual property.
Regulatory requirements to notify and possibly compensate those affected. Consumers want to conduct business at companies that they deem safe so known cyber incidents will impact the reputation of a business leading to loss of clientele.
This culminates in statistics which are hard to digest: 60% of small businesses will shut down within six months of an attack and larger companies report an average loss of $4.24 million in revenue as a loss of business as a result of an attack.
Moreover, what makes attacks difficult to deal with is not only the loss of data, money and trust but also the psychological impact of the incident itself, heaving the executive team feeling they have been robbed or an equivalent thereof.
YOU ARE NOT ALONE
According to the Identity Theft Resource Center’s 2021 Data Breach Report, there were 1,862 data breaches in 2021. This was a 68% increase as compared 2020. Unfortunately, the previous record of 1,506 set in 2017 was shattered that year. The reason for this increase according to PBS, is that more companies are choosing to pay the ransom to get their data back, and cyber criminals feel encouraged as a result.
Statistics are showing that the majority of cyber attacks in Q4 of 2021 took place in the Finance Industry (17%), closely followed by the Healthcare (14%), Professional (13%), Public Administration (12%), Information (11%) and Manufacturing Industries (9%).
HOW TO FIND OUT IF YOU WERE BREACHED
Some telltale signs that you might be under attack are the following:
- Notices of Failed Login Attempts – this would be a sign of malware being present.
- Unauthorized downloads where you do not remember downloading an application and one suddenly appears.
- The cursor moves by itself.
- Your antivirus software is disabled.
- Your contacts are starting to receive strange messages from you.
If you use a password manager service, such as LastPass or Dashlane you could take a look at the security dashboard offered. It is also possible they may notify you.
A free online resource available to you is a website called HaveIBeenPwned.com. It was founded by Microsoft Regional Director Troy Hunt and contains a database which lets you check if one of your email addresses or passwords has been compromised.
If you suspect a breach, we recommend you visit the site and enter all of your work and personal email addresses to verify if you have been compromised. The site will let you know their findings.
If you think you have been hacked, take the following steps in order of importance:
- Secure your operation (Source: Data Breach Response: A guide for Business):
- Secure physical areas suspected to be related to the breach. Unfortunately, a breach can also come from inside.
- Mobilize your response team.
- Assemble a team of experts to conduct a comprehensive breach response: Identify a data forensics team. Consult with legal council. Do not destroy evidence.
- Stop additional data loss by monitoring in and outbound traffic.
- Change all of your passwords as soon as possible and make sure those passwords are very strong. This might prevent certain damage from happening.
- Remove improperly posted information from the web.
- Interview people who discovered the breach.
- Secure physical areas suspected to be related to the breach. Unfortunately, a breach can also come from inside.
- Notify employees. The attack may still be underway.
- What happened
- How you are fixing the issue
- Steps they must take to protect themselves
- Notify your Cloud Provider and MSP or IT vendor so they can assist you. Make sure the best trained IT personnel is handling your case. This is the equivalent of your house being on fire in the virtual world.
- Never pay a ransom. Contact local law enforcement instead and file a police report as soon as you can after the breach has been contained.
- Assess and contain the damage. Ensure your damage control team activates your disaster recovery or business continuity plan.
- Use your checklist:
- Is the breach contained?
- What has been damaged?
- What steps are we taking next?
- Who needs to know – if confidential data was exposed take steps to notify those who are potentially impacted as well as the appropriate government agencies.
- Use your checklist:
- Take data restoration steps. This is different for every company.
- Take systems offline until security updates can be applied.
- Restore files from back-up.
- Enable multi-factor authentication.
- Ensure all password are changed on all end points.
- Notify customers and consumers. If you post on social media notify followers, friends and family members.
While this does might feel counterproductive, communicating with the outer world disempowers hackers. The reason is that most hackers attempt to extort funds by leveraging their power and the way they go about is by scamming or blackmailing you or your customers through social engineering, creating a chain of victims where one friend chained to the next gets effected. Second, hackers might post sensitive content on your own profile. If you are an employee or have important positions this might impact your reputation. Write a short note explaining you have been hacked. Asked your contacts to let you know as soon as they see suspicious activity while you are mitigating the incident.
AFTER THE FIRE HAS BEEN PUT OUT – WHAT TO DO TO PREVENT FUTURE BREACHES
After the attack, take the following steps:
- Full understand your risk profile – every industry has particular attack vectors and carry certain information valuable to the organization. Identify and classify different cyber attach scenarios.
- Enforce policy and train staff.
- Make sure to back-up critical information offline.
- Invest intelligently in security solutions.
To read more, please see this brief from the CISA, listing the steps to take to prevent ransomware attacks.
