Identity Governance Blog

What is Data Leakage? And Other Pressing Questions

February 1, 2024

Data leakage is a term we hear about all the time, but what does it mean? A data leak is when data is transferred from within an organization to an unauthorized user or location. In cybersecurity there is an old saying: you cannot secure what you do not know exists. In this blog entry, we will provide a data leakage definition, answer several key questions about data leaks, give some examples of what can be done to prevent them, and more.


Question 1: How does a data leak happen?

There are many ways that data can be exfiltrated from an organization, but here are the four most common routes:

  1. Unknowing insider. These data leaks typically happen when someone who works for an organization stumbles into access they should not have and takes the data home with them. This could be as simple as taking a laptop home and connecting to an unsecured network, thus exposing the data, or something more literal, such as printing out a form that contains sensitive information and putting it in a work bag. Unknowing insider leaks can be notably harder to detect, as they often start with an innocuous action – but they can be dangerous nonetheless.
  2. Malicious insider. This data leakage example has drawn a lot of unfortunate headlines lately. This may be where someone who no longer works at an organization – an employee who has been terminated, one who left for greener pastures, or a third-party contractor whose contract was cut short – acts out. Another example is a company selling data that it should not be selling (more on this below). These malicious insiders may be looking to settle a score with their previous employer, knowingly poking around data they know they should not in order to gain leverage, or otherwise.
  3. Financially motivated attacks. Verizon’s latest Data Breach Investigations Report showed that 76% of all data breaches were financially motivated. When looking at why or how data leaks happen, it can usually be traced back to people seeking out data they can sell, like patient information, customer information, critical and confidential company information, and more.
  4. Politically motivated attacks. These types of data leaks often get picked up broadly by news outlets because of their global impact. With the world still dealing with the fallout from the conflict in Ukraine, some nation-states are capitalizing on the discord, finding their way into the networks of leading organizations, rival government agencies, and civilians, and exfiltrating data that can be used for espionage and unethical intelligence.


Question 2: Why does knowing about the types of data leaks matter?

The answer is rather simple: if we try to think like the attacker, we can work out what to do to prevent data leakage. Let’s go through some examples from question one:

  1. Take the example above where an employee leaves the office and takes with them an external hard drive holding data that should never leave the office, like customer payment information. While it is nearly impossible to monitor what people physically carry in and out of the office, an organization can prevent this type of data leakage by monitoring what data lives where and implementing data loss prevention policies that can track when data access is out of band.
  2. Understanding why malicious insiders want to exfiltrate data from their current or former employers is, sadly, easy. However, stopping the attacks that lead to data leakage can be difficult, particularly when the unruly insider is still employed. In this scenario, setting up Role Based Access Control to ensure that people have only the access required to perform their job functions is a good way to implement least privilege and prevent some data leakage. Further, if someone is leaving the organization, whether of their own volition or not, having processes in place to immediately and automatically revoke access once they are no longer an active part of the organization can also greatly reduce the risk of data leaks.
  3. With financially motivated attacks, the goal should be setting up controls and policies to restrict access to the most sensitive data. This includes providing access to an organization’s most critical data only to those who absolutely need it, and certifying on a regular basis that the access is still necessary. Finally, having controls in place to detect anomalous activity in real time, and being able to restrict access in a pinch, can be the difference between a leak and no leak.
  4. For politically motivated attacks, the controls and guidance are mostly the same. Attackers typically look for the path of least resistance into a network and move laterally until they reach the data they are after. Enabling controls and policies that limit lateral movement, restricting access to a ‘need-to-know’ basis, and putting up a fortress around the most sought-after data will be critical in the fight against state-funded attackers. Even though they can be sophisticated and well funded, they may still change targets if met with resistance.
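The four controls named in the list above (least-privilege roles, immediate revocation when someone leaves, periodic certification of sensitive entitlements, and detection of out-of-band access) fit together into one small identity-governance loop. The following Python is an added illustration written for this post; it is not Omada's code or any product's API. Every user, role, resource name and log line in it is constructed for the example, and the log format `timestamp|user|resource|action` is an assumption.

```python
"""Added example (not Omada's code): a toy identity-governance model showing
role-based least privilege, leaver revocation, access certification and
detection of out-of-band access. All names and log lines are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Resources whose access must be certified regularly and watched closely.
SENSITIVE = {"customer_payment_db", "patient_records"}

# Role definitions: least privilege means each role carries only what the job needs.
ROLES = {
    "support_agent": {"ticket_system", "customer_contact_db"},
    "billing_analyst": {"ticket_system", "customer_payment_db"},
    "contractor_dev": {"source_repo"},
}


@dataclass
class Identity:
    user: str
    roles: set = field(default_factory=set)
    active: bool = True
    # resource -> last time a reviewer attested that this access is still needed
    certified_at: dict = field(default_factory=dict)


def effective_access(identity: Identity) -> set:
    """Resources a user can reach: nothing once deactivated, otherwise the union of role grants."""
    if not identity.active:
        return set()
    return set().union(*(ROLES.get(r, set()) for r in identity.roles))


def offboard(identity: Identity) -> set:
    """Leaver process: deactivate and strip every role at once; returns what was revoked."""
    revoked = effective_access(identity)
    identity.active = False
    identity.roles.clear()
    return revoked


def certification_due(identity: Identity, now: datetime, max_age_days: int = 90) -> set:
    """Sensitive entitlements whose last attestation is missing or older than max_age_days."""
    due = set()
    for resource in effective_access(identity) & SENSITIVE:
        last = identity.certified_at.get(resource)
        if last is None or now - last > timedelta(days=max_age_days):
            due.add(resource)
    return due


def detect_out_of_band(log_lines, directory, business_hours=(8, 18)):
    """Flag access events not covered by the user's roles, or touching sensitive
    data outside business hours. Constructed log format: ts|user|resource|action."""
    findings = []
    for line in log_lines:
        ts, user, resource, _action = line.strip().split("|")
        when = datetime.fromisoformat(ts)
        ident = directory.get(user)
        allowed = effective_access(ident) if ident else set()
        if resource not in allowed:
            findings.append((user, resource, "not permitted by any assigned role"))
        elif resource in SENSITIVE and not (business_hours[0] <= when.hour < business_hours[1]):
            findings.append((user, resource, "sensitive access outside business hours"))
    return findings


def demo():
    """Run the whole loop on a constructed directory and log; returns the results."""
    now = datetime(2024, 2, 1, 9, 0)
    directory = {
        "alice": Identity("alice", {"support_agent"}),
        "bob": Identity("bob", {"billing_analyst"},
                        certified_at={"customer_payment_db": now - timedelta(days=120)}),
        "carol": Identity("carol", {"contractor_dev"}),
    }
    # The contractor's engagement ends: access is revoked immediately, not at the next review.
    revoked = offboard(directory["carol"])
    # Constructed log lines: ts|user|resource|action
    log = [
        "2024-02-01T09:15:00|alice|ticket_system|read",
        "2024-02-01T09:20:00|alice|customer_payment_db|export",  # role does not grant this
        "2024-02-01T23:40:00|bob|customer_payment_db|export",    # permitted, but at 23:40
        "2024-02-01T10:00:00|carol|source_repo|clone",           # after offboarding
    ]
    return {
        "revoked_from_carol": revoked,
        "certification_due_bob": certification_due(directory["bob"], now),
        "findings": detect_out_of_band(log, directory),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` revokes `source_repo` from the departed contractor, reports that bob's payment-database access is overdue for certification (last attested 120 days ago against a 90-day policy), and raises three findings: alice touching a resource her role never granted, bob exporting sensitive data at 23:40, and carol still using an account that should be dead. The point of the design is that revocation and certification are driven by identity state, so the detector only has to compare each event with what the directory currently allows.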


Question 3: What is an example of a known data leak?

Sadly, there are many to choose from. Data leaks are so common because they stem from the four common types of attack highlighted earlier. One example is the Oklahoma Student Loan Authority and EdFinancial disclosing that 2.5 million individuals who took out student loans with them had their personal data exposed as part of a breach at a third-party organization that had access to both organizations’ databases.

In light of the breach, borrowers were warned that their full names, addresses, email addresses, phone numbers, and, critically, social security numbers may have been leaked.

This data breach is a sobering reminder: even if an organization works out how to secure all of its internal resources, people, and systems, it also needs to manage the identities and access rights of third parties.

These third parties are still trusted insiders and should be treated as if they were employees. Further precautions must be taken to ensure that once third-party contracts expire, access is swiftly removed.

Another data leak example is the cosmetics giant Sephora settling with the state of California for $1.2 million for selling customer data without telling customers. This type of situation should be addressed through corporate policy that forbids doing anything improper with customer data, or any other sensitive data.

However, the real lesson here is the importance of organizational reputation, how it affects which companies consumers choose to trust with their business, and that compliance mandates continue to become more relevant and important for organizations to follow.


Question 4: What is data leak prevention?

Data leak prevention is a comprehensive approach to preventing the unauthorized disclosure of sensitive information by implementing measures such as monitoring, policy enforcement, and user education within and outside an organization. Preventing data leakage is no small feat, but with sensible cybersecurity practices and a commitment to keeping attackers at bay, damage can be mitigated. At the core of the issue is enabling strong identity security and ensuring that only the right people have access to your organization’s most critical data.


Question 5: How do you prevent a data breach?

By understanding what a data leak is, how leaks happen, and the precautionary measures your organization can take to prevent a data breach, you can fortify your organization’s defences and avoid the legal and reputational complications that come with a data leak. By taking the necessary cybersecurity measures, like proper role-based access control and data loss prevention policies that track when data access is out of band, your organization will be stronger, safer, and more secure.

Learn more about how to implement core processes for identity governance and administration, with Omada IdentityPROCESS+.
