Data breach vs. data leak explained

The number of reported data breaches and data leaks are on the rise with national data protection authorities such as the ICO, as organizations struggle to deploy effective data security measures that can protect against both external as well as internal threats. High profile data breach incidents, such as the incident related to the hotel chain Marriott International several years ago, exposed the information of over 330 million customers and resulted in a £18.4 million GDPR fine from the ICO.

In the Netherlands, the national health authority (GGD), experienced multiple data leaks with their coronavirus track-and-trace programme. The GGD confirmed the leaks included personal information such as the names, addresses, social security numbers, telephone numbers, and test results for thousands of people.

On the surface, there’s no apparent difference between both incidents. However, they are distinctly opposite in nature. In this article, we’ll outline the differences in both scenarios.

Additionally, we’ll explain what steps you can take to optimize your data security and improve DLP across your organization.

What's a data breach?

A data breach could be a phrase that is more commonly used when talking about the exposure of confidential details from an external data source. A data breach is a direct attack on private data by an unauthorized entity. There are numerous examples of data breaches. For instance, hackers that penetrate a computer database, or somebody who coerces you into giving access to data they should not have. In the case of Marriott International, hackers planted malware in Marriott's systems sometime in 2014 but this was not detected until 2018. It led to the deliberate exposure of millions of guests' private data. It is widely believed that this breach could have been detected sooner if the company had regularly practiced standard security audits.

What's a data leak?

Conversely, a data leak is the unauthorized transmission of information from inside an organization to an external recipient(s). The term is used to describe data that is transferred physically as well as digitally. The majority of data leak incidents happen online, more specifically via email and file transfer exchange. These incidents stem from a variety of causes, often as emails sent to the wrong person due to human error, or sensitive information being disclosed inadvertently in response to a request. Most of the reported data leak incidents are unintentional and non-malicious in nature, and often account for over 80% of reported data leaks in the UK. However, in the case of the GGD data leak incidents and other high profile cases widely-reported by the global media, they are often intended to expose or denigrate an institution or specific individuals. It's important to note that these types of data leaks are relatively uncommon, in comparison with lower profile data leaks that happen every day simply due to human error. 

The key distinction of a data leak incident is that it happens from the inside - out. A data breach occurs the other way around, from the outside - in.  The incidents at the GGD were classified as data leaks, as the sensitive information was put at risk due to internal factors.

The Marriott International case was classified as a data breach. It was a direct attack from an external entity (hackers) that implanted Remote Access Trojan (RAT) along with MimiKatz, a tool for sniffing out username/password combinations in system memory. Together, these two tools gave the perpetrators control of the administrator account. The actions taken by hackers, along with Marriott International's insufficient data security protocol, created the perfect storm for an online security catastrophe. Hundreds of millions of people had their passport and credit card numbers compromised, which could have disastrous personal impact on the affected individuals. 

How to prevent and mitigate data exposure

Unfortunately, it’s impossible to entirely prevent the threat of data breaches related to 3rd party services, such as social networking websites, ecommerce websites, and other online services. Cybercriminals are always adapting their methods, and it's incredibly challenging to stay abreast of their tactics. Nevertheless, there are several techniques you can deploy to reduce the potential threat to your company and customers or other contacts. Security measures regarding data breaches must be addressed on an individual level. 

At a minimum, standard cybersecurity practices should always be in place when connecting to online networks, such as:

  • Use a firewall
  • Document your cybersecurity policies
  • Mobile device security protocols
  • Educate all employees regarding data security best practices
  • Enforce safe password practices
  • Regularly backup all data
  • Install anti-malware software
  • Use multifactor identification

On the flip side, data leakage prevention is much simpler. It may come as a surprise, but the primary source of data leaks come down to simple human error caused by staff. Reports from the ICO routinely show that accidental mistakes due to human error represent more than 80% of data leaks in the UK. Meanwhile, errors that occurred during emailing were responsible for over 60% of the data leaks.

These numbers prove that the implementation of a company-wide secure email platform is imperative, regardless of the size of the organization. Taking this action alone could address up to 60% of the data leakage threat.

There are many players in the secure email industry but most of them focus primarily on encryption. There are other secure email platforms such as Zivver which are additionally designed to prevent human error and help mitigate data leaks.

Zivver, for example, provides organizations with the following: 

  • Real-time monitoring of recipients, email, and attachments
  • Instant email recall 
  • Asymmetrical zero-knowledge encryption
  • 2FA for accessing emails
  • Outlook and Gmail plugin
  • Web and mobile applications
  • Free guest user support
  • Secure Conversation Starters feature
  • Corporate guest branding options

Conclusion

There is currently no solution that addresses the threat of data loss from both breaches (external) and leaks (internal). However, the implementation of a secure communication platform, combined with standard cybersecurity practices, could significantly diminish the threat of a damaging data leak or breach within an organization. Additionally, if an incident occurs, the simple fact of having established online security protocols would help to mitigate the damage. It also demonstrates to your clients and reporting authorities that your company takes data protection and all that it entails very seriously. In a post GDPR and Data Protection Act (DPA) landscape, companies can no longer afford to be lax on email and file transfer security. 

Zivver can help your organization prevent accidental data leaks and comply with data protection regulations such as the GDPR, DPA and CCPA. The service integrates directly with the most popular email clients and can be up and running quickly with minimal training required. 

 

Written by

Renato Zamagna

Originally published on November 28, 2019

Last update on July 16, 2021