In August, instant messaging service Discord announced that it had suffered a data leak exposing the personal information of more than 670,0000 users on the dark web. The third-party breach occurred after their custom invite messaging service Discord.io was compromised, disrupting the service to 1.5 million users as the company took down the site while investigating the breach.
These types of third-party data leakage incidents are in the media headlines almost every day. Why are they so common, and what is being done to prevent them from occurring?
What is Data Leakage?
Data leakage is the unauthorized transmission of data from your organization to an external source, but most data leaks occur by accident. For example, an email containing a password can be delivered accidentally to the wrong recipient, giving that user unauthorized access. The user doesn’t necessarily have malicious intent.
This is in contrast to a data breach, which is usually intentional and malicious. Sometimes, however, the difference isn’t clear because the first step for malicious attackers is a data leak. Only after they have access to the sensitive data and confidential information can they use it for malicious purposes, at which point it is considered a data breach.
The Main Causes of Data Leakage
Although there are many different types of data leakage, they typically occur as a result of internal practices within your organization.
Common data leakage threats include:
- Human error. Weak employee credentials, misconfigurations and excessive permissions allow access to sensitive information.
- Outdated software and hardware. Failing to update hardware and software systems leaves your network and infrastructure with unpatched vulnerabilities and misconfigurations that attackers can exploit to expose data.
- Physical theft. Removable USB drives, discarded documents, and stolen or misplaced laptops can all be sources of future data leaks if an organization’s physical premises are broken into.
- Internal sources. Disgruntled employees or ex-employees with malicious intent can leak data for financial gain (e.g. ransomware attacks) or revenge against an organization.
- Third-party risk. If your third parties aren’t adopting the right internal practices to keep safe, your data can be at risk as well.
- Malicious electronic communications. Social engineering, malware and phishing are all cybersecurity attacks with a high rate of success in exposing sensitive data.
What are the Different Types of Sensitive Data?
The unauthorized transmission of sensitive data can lead to reputational damage, legal fines, data breaches and disruption of operations for a company, resulting in financial loss.
Sensitive information includes:
- Personally identifiable information (PII). Social security numbers, credit card numbers and details that aid attackers in identity theft.
- Confidential data. This can include data such as personal health information (PHI), which, if exposed, can harm patient privacy.
- Financial data. Customer credit card numbers, bank details, company financial statements and customer invoices must be protected under various industry regulations such as PCI DSS.
- Company secrets. Trade secrets, intellectual property and other information that can be used for corporate espionage.
How Can Data Leaks Be Exploited?
Malicious attackers who gain access to exposed data can leverage it for financial gain, such as through ransomware attacks or identity theft. Politically motivated groups can use it to shape public opinion, run misinformation campaigns and influence the outcome of elections. Individual attackers might use it to dox an individual by sharing private information in a manner that hurts their reputation or is embarrassing. Famous individuals or those in positions of authority are at particular risk for doxing. Finally, data leaks can disrupt the services of an organization, as in the case of the Discord data leak.
How Organizations Can Prevent a Data Leak
The good news is that data leaks can often be mitigated by putting the right security policies in place.
Policies for data leak prevention can include:
- Implement data security measures
Organizations should enforce data security measures such as data encryption, multi-factor authentication, limiting permissions and a zero-trust approach to security as a first line of defense in preventing data leaks. Additional security policies such as employee keycards can prevent physical theft that leads to leaks of sensitive data.
- Mandate cybersecurity awareness training
Employee training helps your entire organization work together, understand the types of human error they have control over (e.g. weak passwords and excessive permissions), and use this knowledge to better defend against cyberattacks.
- Secure your endpoints
Desktops, mobile phones, laptops and IoT devices all offer entry points an attacker can exploit to gain access to your organization’s network. The transfer of data through emails and USB devices is also a common entry point for attackers.
- Use Data Loss Prevention (DLP) tools
A myriad of commercial tools exist that detect data leakage. DLP tools often combine different methods of protection, such as endpoint protection, monitoring services, antivirus software and advanced solutions that incorporate machine learning and artificial intelligence to detect and defend against data loss and leaks.
- Monitor third-party risk
Since third parties are one of the most common sources of data leaks, ongoing monitoring of them is crucial. Many industry regulations and guidelines require it as well, holding your organization accountable in the event of any third-party data leak.
How Panorays Can Help Manage Third-Party Risk
Panorays delivers a 360-degree rating of your supplier’s risk through a combination of automated security and extended attack surface monitoring, enabling third-party risk managers to gain a better understanding of the true business impact of any risk. With its massive database of information, Panorays offers a Smart Match feature that generates AI questionnaire responses based on previous responses of customers, facilitating faster and more accurate responses to questionnaires.
Data leakage is the unauthorized transmission of an organization’s sensitive data or information to external sources. Most data leaks are accidental, while most data breaches occur as a result of malicious intent.
An example of data leakage is when a disgruntled employee exposes customers’ sensitive information by publicizing their credit card and social security numbers on the dark web.
Organizations can prevent data leakage by:
1. Implementing data security measures. These include multi-factor authentication, data encryption, and restricting permissions to only necessary users.
2. Mandating cyber security awareness training. The entire organization needs to be aware of factors such as weak passwords, which allow data leakage.
3. Securing endpoints. Desktops, mobile devices and any other device that connects to the company network must be secure.
4. Using Data Loss Prevention (DLP) tools. These include endpoint security, anti-virus software and advanced solutions to detect and defend against data loss.
5. Monitoring third-party risk. Since third parties are a major source of data leaks and breaches, third-party monitoring is crucial.