Data leakage is a term we hear about all the time, but what does it actually mean? A data leak occurs when data moves from inside an organization to an unauthorized user or location, whether by accident or by design. There is an old saying in cybersecurity that you cannot secure what you do not know exists, so in this blog entry we will define data leakage, look at how leaks happen and at some real examples, and cover what can be done to prevent them.
Question 1: How does a data leak happen?
There are many ways that data can be exfiltrated from an organization, but here are the four most common routes:
- Unknowing insider. This type of data leakage typically happens when someone who works for the organization ends up with access they should not have, or handles data carelessly, and takes it outside the organization’s control. It could be as simple as taking a laptop home and connecting it to an unsecured network, thus exposing the data, or something more literal, like printing a form that contains sensitive information and putting it in a work bag. These data leaks can be notably harder to detect, because they start with an innocuous action, but they are dangerous nonetheless.
- Malicious insider. This data leakage example has drawn a lot of unfortunate headlines lately. Typically it involves people who no longer work at an organization, be it an employee who was terminated or left for greener pastures, or a third-party contractor whose contract was cut short, and who act out after the fact. It can also mean a company selling off data that it should not be selling (more on this below). These malicious insiders may be looking to settle a score with a previous employer, or may knowingly be poking around data they know they should not have in order to gain leverage.
- Financially motivated attacks. Verizon’s latest Data Breach Investigations Report showed that 76% of all data breaches were financially motivated. When looking at why and how such data leaks happen, most can be traced back to people seeking out data they can sell, like patient information, customer information, critical and confidential company information, and more.
- Politically motivated attacks. These data leaks often get broad coverage from news outlets because of their global impact. With the world still dealing with fallout from the conflict in Ukraine, some nation-states are capitalizing on the discord, finding their way into the networks of leading organizations, rival government agencies, and civilians, and exfiltrating data for espionage and intelligence gathering.
Question 2: Why does knowing about the types of data leaks matter?
The answer is rather simple: if we think like the attacker, we know where to focus when preventing data leakage. Let’s go through the examples from question one:
- Take the unknowing-insider example above, but suppose the employee leaves the office with an external hard drive holding data that should never leave the office, like customer payment information. While it is nearly impossible to monitor what people physically carry in and out of the office, an organization can prevent this kind of data leakage by keeping an inventory of what data lives where, and implementing data loss prevention policies that flag when data is accessed or copied outside its normal channels.
- Understanding why malicious insiders want to exfiltrate data from their current or former employers is, sadly, easy. Stopping these attacks is harder, particularly while the unruly insider is still employed. Here, guardrails that ensure people have only the access required to perform their job functions, in other words least privilege, prevent a good deal of data leakage. Further, if someone is leaving the organization, whether on their own volition or not, having processes in place to immediately and automatically revoke access once they are no longer an active part of the organization greatly reduces the risk of data leaks.
- With financially motivated attacks, the goal should be controls and policies that restrict access to the most sensitive data. This includes granting access to an organization’s most critical data only to those who absolutely need it, and certifying on a regular basis that each grant is still necessary. Finally, controls that detect anomalous activity in real time, and the ability to restrict access in a pinch, can be the difference between a leak and a near miss.
- For politically motivated attacks, the controls and guidance are mostly the same. Attackers typically look for the path of least resistance into a network, then move laterally until they reach the data they want. Controls and policies that limit lateral movement, restrict access on a ‘need-to-know’ basis, and put a fortress around the most sought-after data are critical in the fight against state-funded attackers. Even though they are sophisticated and well-funded, they may still change targets when met with resistance.
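The controls described for insiders and financially motivated attackers (automatic revocation for leavers, least privilege against a role baseline, periodic access certification, and real-time detection of anomalous access) are easier to reason about with a concrete reconciliation script. The following is an added example written for this post, not code from the original article or from Omada; the HR roster, IdP export, role baselines, per-user baselines and log lines are all constructed for illustration, and the function names are hypothetical.

```python
"""Identity-governance checks: leaver/orphan reconciliation, access
certification against role baselines, and a simple bulk-access detector.
All data below is constructed for the example."""

# Constructed HR roster: the source of truth for who is still part of the org.
HR_ROSTER = {
    "alice": {"status": "active", "role": "billing"},
    "bob": {"status": "terminated", "role": "support"},
    "carol": {"status": "active", "role": "engineering"},
    "dan": {"status": "contract_expired", "role": "contractor_dba"},
}

# Constructed IdP export: enabled flag plus granted entitlements per account.
IDP_ACCOUNTS = {
    "alice": {"enabled": True, "entitlements": {"crm_read", "payments_read", "payments_export"}},
    "bob": {"enabled": True, "entitlements": {"crm_read", "ticketing"}},
    "carol": {"enabled": True, "entitlements": {"git_write", "ci_admin"}},
    "dan": {"enabled": True, "entitlements": {"db_admin"}},
    "svc_legacy": {"enabled": True, "entitlements": {"payments_export"}},
}

# Hypothetical role baselines: the entitlements each role needs, nothing more.
ROLE_BASELINE = {
    "billing": {"crm_read", "payments_read"},
    "support": {"crm_read", "ticketing"},
    "engineering": {"git_write", "ci_admin"},
    "contractor_dba": {"db_admin"},
}


def find_leavers(hr, idp):
    """Enabled accounts whose HR record says the person is no longer active
    (terminated, contract expired). A leaver process disables these automatically."""
    return sorted(u for u, acct in idp.items()
                  if acct["enabled"] and u in hr and hr[u]["status"] != "active")


def find_orphans(hr, idp):
    """Enabled accounts with no HR owner at all (stale service or contractor
    accounts). Nobody is accountable for them, so they go straight to review."""
    return sorted(u for u, acct in idp.items() if acct["enabled"] and u not in hr)


def certify_access(hr, idp, baseline):
    """Access certification: entitlements a user holds beyond their role's
    baseline. Returns {user: [extra entitlements]} for an owner to approve or revoke."""
    findings = {}
    for u, acct in idp.items():
        if u not in hr:
            continue  # orphans are handled by find_orphans
        extra = acct["entitlements"] - baseline.get(hr[u]["role"], set())
        if extra:
            findings[u] = sorted(extra)
    return findings


def deprovision(hr, idp):
    """Return a copy of the IdP state with leaver and orphan accounts disabled
    and their entitlements removed, plus the list of accounts touched."""
    new_state = {u: {"enabled": a["enabled"], "entitlements": set(a["entitlements"])}
                 for u, a in idp.items()}
    touched = find_leavers(hr, idp) + find_orphans(hr, idp)
    for u in touched:
        new_state[u]["enabled"] = False
        new_state[u]["entitlements"].clear()
    return new_state, touched


# Constructed access-log lines: timestamp, user, entitlement used, records read.
ACCESS_LOG = """\
2023-03-02T09:01:12Z alice payments_read records=35
2023-03-02T09:20:40Z carol git_write records=1
2023-03-02T11:05:03Z alice payments_export records=4800
2023-03-02T11:07:51Z bob crm_read records=200
""".splitlines()

# Hypothetical per-user baseline: typical records read per event over 30 days.
BASELINE_RECORDS = {"alice": 40, "carol": 1, "bob": 30}


def detect_anomalies(log_lines, hr, baseline, factor=10):
    """Flag events that warrant a real-time response: any access by an identity
    that is not active in HR, and any single read above factor x the user's baseline."""
    alerts = []
    for line in log_lines:
        ts, user, ent, rec = line.split()
        records = int(rec.split("=", 1)[1])
        if hr.get(user, {}).get("status") != "active":
            alerts.append((ts, user, ent, "access by non-active identity"))
        elif records > factor * baseline.get(user, 1):
            alerts.append((ts, user, ent, f"bulk read of {records} records"))
    return alerts


if __name__ == "__main__":
    print("leavers:", find_leavers(HR_ROSTER, IDP_ACCOUNTS))
    print("orphans:", find_orphans(HR_ROSTER, IDP_ACCOUNTS))
    print("certify:", certify_access(HR_ROSTER, IDP_ACCOUNTS, ROLE_BASELINE))
    for alert in detect_anomalies(ACCESS_LOG, HR_ROSTER, BASELINE_RECORDS):
        print("ALERT", *alert)
```

Two design points carry over to a real deployment: the HR system, not the IdP, is the authority on who is still active, so revocation keys off HR status rather than on someone remembering to file a ticket; and certification compares against a role baseline so that the reviewer only sees the exceptions (here, alice’s `payments_export`), which is what keeps quarterly reviews from degenerating into rubber-stamping.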
Question 3: What is an example of a known data leak?
Sadly, there are many to choose from, because almost every breach falls into one of the four categories highlighted earlier. One recent example is the Oklahoma Student Loan Authority and EdFinancial disclosing that 2.5 million individuals who took out student loans with them had their personal data exposed, as part of a breach of a third-party organization that had access to both organizations’ databases. Borrowers were warned that their full names, addresses, email addresses, phone numbers, and, critically, social security numbers may have been leaked.
While details about the severity of the breach are still being sorted out, it is a sobering reminder that even if an organization secures all of its internal resources, people, and systems, it also needs to manage the identities and access rights of third parties. This is a critical component of data leak prevention. Third parties are trusted insiders and should be governed as if they were employees, with the further precaution that once a third-party contract expires, its access is swiftly removed.
Another data-leak example is the news that cosmetics giant Sephora has settled with the state of California for $1.2 million for selling customer data without telling customers. Corporate policy should rule out doing anything improper with customer data, or any other sensitive data. The real lesson, though, is how much organizational reputation affects which businesses consumers choose to trust, and that compliance mandates continue to become more relevant and important for organizations to follow.
Question 4: What can I do about preventing data leakage?
Preventing data leakage is no small feat, but with sensible cybersecurity practices and a commitment to keeping attackers at bay, the damage can be mitigated. At the core of the issue is strong identity security: ensuring that only the right people have access to your organization’s most critical data. Learn more about how to implement core processes for identity governance and administration with Omada IdentityPROCESS+.