What is Data Leakage and How to Prevent It?
While data leakages do not get as much attention as data breaches, a leak can be just as devastating to a business. Suffering a data leakage can lead to lawsuits, permanent data loss, monetary fines, and irreparable damage to a company’s reputation.
This article is an introduction to data leakages and the risks of these incidents. Read on to learn what data leaks are, how they typically happen, and what steps you can take to lower the likelihood of leakages in your company.
What is a Data Leak?
A data leak is an unauthorized release of data from within a company to an external recipient. The unapproved data transfer can be either digital or physical, but most leaks happen due to one of two reasons:
- Someone from inside the company shares data with a third party.
- An employee leaves a security gap that enables unapproved data access.
Both actions can be unintentional or deliberate. However, most data leaks happen by accident, so the person accessing the data does not need to put much effort into reaching the content. The most common data types a company can leak are:
- Financial info (invoices, credit card numbers, income details, tax forms, etc.).
- Personally identifiable information (PII) (names, addresses, phone numbers, emails, usernames, etc.).
- Personal health information (PHI) (diagnoses, treatment details, test results, prescriptions, etc.).
- Intellectual property (patents, trade secrets, blueprints, customer lists, contracts, etc.).
- Business data (meeting recordings, roadmaps, emails, protocols, agreements, statistics, projections, etc.).
- Activity data (order and payment history, browsing habits, usage details, etc.).
A leak can happen when data is:
- In transit (emails, chat rooms, API calls, etc.).
- At rest (misconfigured cloud storage, unsafe databases, lost devices, etc.).
- In use (screenshots, printers, clipboards, etc.).
No matter how you lose sensitive data, the impact of a leak can be devastating. Short-term, you can expect steep mitigation costs and fines. Long-term, a company can suffer a damaged reputation and lose customer trust.
Read about the basics of cybersecurity and see how careful companies keep their data safe from leaks, breaches, and permanent loss.
Types of Data Leaks
The most common causes of data leaks are:
- A deliberate or accidental action by an employee or a person of trust.
- Software misconfiguration.
- A system error.
- Poor data security practices.
Based on what causes the incident, there are four main types of data leakages:
- Accidental data leaks.
- Malicious insider data leaks.
- Data leaks caused by IT misconfiguration.
- Malicious outsider data leaks.
Every type includes both physical and digital leaks. Below is a closer look at each data leakage type and how they typically happen.
Accidental Data Leaks
An accidental leak is the most common type of data leakage. These leaks occur when an employee or a person of trust within a company unknowingly shares sensitive info with an unauthorized user. The most common examples of accidental data leaks are:
- Sending emails with critical data to the wrong recipient.
- Misplacing a USB with sensitive data.
- Losing files.
- Exposing a laptop by leaving it switched on and without password protection.
- Leaving a document in the printer’s tray.
- Transferring data to a personal device against a BYOD policy.
Unfortunately, an unintentional data leak leads to the same penalties and reputational damage as any other type of leakage. A company does not receive preferential treatment just because a leak had no malicious origin.
Malicious Insider Data Leaks
This type of data leakage happens when a privileged user abuses permissions and moves data or files outside the organization. Common examples of these leaks are:
- Thefts of confidential documents.
- Pictures of sensitive info.
- Transferring data onto a USB drive.
- Sending files to a personal Dropbox account.
While some insiders cause a leak due to being disgruntled, most malicious employees are pursuing financial gain. Insiders typically try to sell the data to competitors or offer them on the black market.
Our article on insider threats teaches how to identify, react to, and prevent malicious insiders in your company.
Data Leaks Caused by IT Misconfiguration
Even industry-leading companies have misconfigured systems that can leave content vulnerable to data leakage. The most common issues are:
- Misconfigured integrations with third-party tools.
- A flaw in security policies or controls.
- Excessive permissions to critical files.
- Misconfigured databases.
- Poorly set up cloud data storage services.
While this type of data leak was always prominent, the pandemic in 2020 caused a steep increase in misconfiguration-related leakage. Abrupt business changes and sudden turns towards remote workforces were the main reasons behind the rise of this leak type.
Malicious Outsider Data Leaks
In this data leak type, a malicious outsider tricks an employee into sharing sensitive data. In most tactics, the attacker relies on social engineering to persuade the victim into transferring data.
Most leakages involving a malicious outsider are a result of a phishing attack. While some data leaks rely on malware or code injection, cases with these elements typically fall under the data breach category.
Data Leak vs. Data Breach
While some use the terms data breach and leak interchangeably, the two words stand for different incidents. The main distinction between a data leak and breach is:
- A data leak happens inside-out and is a result of a mistake within the organization.
- A data breach occurs outside-in and is a result of a criminal initiating a cyberattack.
Unlike a breach, most data leaks are typically a result of an accident and not malicious action. However, both incidents have dire consequences and can result in lawsuits from users, penalties from regulatory agencies, and damage to business reputation.
Our article on data breach statistics demonstrates the impact these incidents had on businesses in 2020.
Biggest Data Leakages Recently
Data leaks are a widespread incident and a concern for SMBs and enterprises alike. Below is a list of the most notable data leaks in 2021 (so far).
Volkswagen Group of America
In June 2021, Volkswagen revealed that a third party obtained data about US and Canadian customers through an unsecured vendor. The company initially collected data for sales and marketing purposes between 2014 and 2019, but the vendor did not protect the database between August 2019 and May 2021.
As a result of poor security, there was a leak of info from roughly 3.3 million individuals. Buyers had their driver’s license and vehicle numbers exposed, while a smaller number of customers had additional sensitive information disclosed, such as social insurance and loan numbers.
Infinity Insurance Company
In March 2021, Infinity Insurance Company reported temporary, unauthorized access to files on the company’s servers on two days in December 2020. The exposed servers contained PII of current and former Infinity employees, allowing unauthorized access to their:
- Names.
- Social security numbers.
- Driver’s license numbers.
- Medical leave info.
- Compensation claims.
In addition to the employees’ PII, servers with sensitive customer data were also available for access. As a result, millions of social security and driver’s license numbers were open to the public.
Jefit
In March 2021, workout tracking app Jefit found a security bug that impacted client accounts created before September 20, 2020. Perpetrators were able to exploit the fault to gain access to data of more than 9 million users, including their:
- Account usernames.
- Email addresses.
- Encrypted passwords.
- IP addresses.
Luckily, there were no sensitive financial data on the servers as Jefit does not store customer payment info.
Clear Voice Research
In April 2021, Clear Voice discovered that an unauthorized user shared a database with profile data of survey participants from August and September 2015. The perpetrator offered some info to the public but demanded payment for data such as:
- Contact information.
- Passwords.
- Users’ responses to questions about health, political affiliation, and ethnicity.
The source of the data leak was an unsafe backup in the cloud.
ParkMobile
In March 2021, ParkMobile discovered a cybersecurity incident that exploited a vulnerability in a company’s third-party software. The security team immediately started to investigate, but the perpetrator already accessed and presumably downloaded basic user info, such as:
- License plate numbers.
- Email addresses.
- Phone numbers.
- Mailing addresses.
While the security gap allowed thieves to steal encrypted passwords, the intruders were luckily unable to get the deception keys thanks to the company’s careful key management practices.
How to Prevent Data Leaks?
Preventing data leaks comes down to enforcing cybersecurity best practices and ensuring employees stick to company policies and rules. Below is a list of measures and methods you can implement to minimize the chance of data leaks in your organization.
Set Up Data Loss Prevention (DLP)
DLP is an umbrella term that includes various techniques, technologies, and practices companies use to:
- Detect and prevent data leaks and breaches.
- Stop data exfiltration attempts.
- Prevent unwanted destruction of data.
A robust DLP solution identifies, protects, and tracks all sensitive data within a company. As a result, a company can:
- Keep confidential data safe.
- Gain high levels of data visibility.
- Protect intellectual property.
- Comply with relevant regulations.
- Reliably enforce security policies and rules.
- Maintain reliable chains of custody for sensitive data.
Our guide to data loss prevention explains the key ideas behind this practice and helps create an effective DLP policy.
Control Devices with Mobile Device Management (MDM)
Storing sensitive files on phones and tablets is a common practice in modern workplaces. In addition to device usage policies created by the security team, you can also use an MDM solution that monitors and controls what devices employees use for work. An MDM should:
- Enforce the use of strong passwords.
- Allow the team to service the device remotely.
- Control what apps can and cannot run on a device.
- Ensure quick screen lock times.
For additional control, look for an MDM solution that can also track device locations and allow you to wipe the contents remotely in case of an incident.
Use Zero Trust Security
Limit the number of users who have access to sensitive data by employing zero-trust security. This principle of least privilege reduces the risk of data leakage by ensuring employees can only access files and data necessary to perform their roles.
To employ zero-trust, you first need a complete data audit. You should:
- Identify all the data in your organization.
- Assess each info’s value to the company.
- Classify data based on its value, sensitivity, and regulatory requirements.
The more valuable a piece of data is, the fewer people should have the ability to access it. You can use an Identity Access Management (IAM) solution to assign access and permissions to users and systems.
Improve Email Security
Emails are a common cause of data leaks, whether malicious or accidental. Strict rules and email controls can help you limit the risk and protect the business.
Even simple techniques like blocking messages sent outside of the company’s domain or email content filtering can drastically reduce the chance of a data leak.
Our article on email security best practices teaches nine different techniques you can employ to reduce the risk of data leaks and improve overall cybersecurity.
Control the Way Employees Use Printers
To ensure a printer does not become an opportunity for a data leak, you should:
- Require users to sign in before they use a printer.
- Limit the functionality of the printer based on the user’s role.
- Ensure users can only print files with sensitive data once.
You should also ensure users do not leave any documents with sensitive data in the printer tray, whether copies or originals.
Use Data Encryption
Encryption makes data unreadable without the appropriate decryption key. You can encrypt data in use, at rest, and in transit, and you can also use full-disk encryption tools to ensure lost or stolen devices do not result in a leak.
If you decide to use encryption to protect your data, managing decryption keys becomes a top priority. Our article on key management offers guidance and explains how to keep encryptions safe throughout a key’s lifecycle.
Real-time Data Auditing and Reporting
Deploy a solution that allows your team to monitor sensitive data. The auditing program should provide real-time notifications and track whenever someone accesses, moves, shares, modifies, or deletes data.
If an action appears suspicious, the program raises an alert, and the admin can investigate the issue.
Recognizing risky activity on time helps avoid or reduce the scope of a data leak. For example, detecting an attempt to copy sensitive data to a local machine enables you to intervene before the device leaves your premises.
Run Security Awareness Training
The most common causes of data leaks are accidents and negligence, so educating your staff is a top priority. Regular security awareness training ensures employees understand the risks of:
- Sending emails to wrong recipients.
- Leaving unlocked devices when away from the workstation.
- Visiting unsafe websites.
- Downloading apps from unofficial sources.
- Not correctly protecting documents with sensitive info.
The training should also enable employees to recognize:
- Signs of data breaches and exfiltration.
- Most common types of cyberattacks.
- Signs of insider threats.
Ensuring employees are informed about security best practices and main risks is the most effective way to eliminate mistakes that lead to data leaks.
Prepare a Response Plan
Data leaks can happen no matter how many measures you adopt, so your team should prepare a response plan for sensitive data leakage. A response strategy should enable you to recover any content the company loses in a leak and help mitigate the immediate damage.
Once you prepare a plan, run occasional drills to ensure the team is ready for real-life scenarios. Besides a response plan, you should also have data backup strategies for sensitive info as another assurance you do not permanently lose content in case of a leakage.
Our article on incident response plans helps create an effective strategy that minimizes the impact of a data leak.
Protect Your Business Against Data Leakages
A single data leak can lead to declining revenue, tarnished reputations, and massive financial penalties. Severe consequences make these incidents a priority concern, so ensure your organization does everything in its power to limit the possibility of data leaks.
Leave a Reply
You must be logged in to post a comment.