Demystifying Tech: Data breaches
Coming off the back of one of the biggest data breaches in history, it seems not a month goes by without another report of some big hack where millions of customer details have been stolen. It can feel like it is inevitable or par for the course that you could also be hacked at some point.
But with greater responsibility on schools to ensure they have robust data protection systems in place, we must not accept this. These breaches should serve as a warning for us to take action to make sure we are not the next target. So what is a data breach? Who causes them and why? And what can we do to protect ourselves?
In this blog we’ll be looking at what data breaches are, how they happen and what you should be doing to protect your organisation from them.
What constitutes a data breach?
In the new world of fast-moving tech, making data globally available at the click of a mouse has obvious advantages, but of course storing and managing vast amounts of personal data comes with risk. As the custodian of potentially valuable personal data, the buck stops with the holder to make sure that only authorised people can access that data.
A data breach occurs when an unauthorised person or persons gain access to the data by exploiting a flaw in the system, or by tricking users into giving them access, at which point they extract a large volume of data out of the system. They will then use this data to their own ends, either to gain financially by selling the data, or to expose the fact that the data custodians didn’t have sufficient security protections in place to stop them doing it.
Who are the hackers and why do they hack?
There are generally two types of hackers, known as white-hat or black-hat hackers.
White-hat hackers, otherwise known as ethical hackers, are usually security researchers who work for universities or commercial cybersecurity companies, as well as concerned citizens who have enough technical knowledge to spot vulnerabilities in computer systems.
Their aim is to help the custodians of data to keep that data secure and improve their handling processes. Unfortunately some organisations don’t like these hackers testing the security of their systems, or simply do not take their warnings seriously. So being able to prove that the breach is real is often very helpful in making the data holders do something about it.
Upon discovering a vulnerability, most white-hat hackers, depending on how they think the news will be taken, will notify the system owners of the vulnerability. If the response is not satisfactory or is ignored, they will test the issue further, build something that will exploit the weakness, and extract enough data to prove their point.
This will normally not be used to extract as much data as possible, but just enough to show the organisation that their system is vulnerable. This may be accompanied by notification that the exploit will be revealed publicly within a certain time frame, so the data owners have time to fix it before it can be exploited by anyone else.
Black-hat hackers are the type of hacker that we should all be taking the necessary steps to protect ourselves from. They are individuals or hacking groups who hack for money, power or both. Personal data is extremely valuable if you can find the right buyer, as it can be used to generate more cash.
Stolen login details can be used to access data in other systems where the same password has been used, enabling the harvesting of more personal information, ultimately ending up in identity theft, blackmail, and theft. If somebody gains access to your credit card information along with other personal data, they can steal money from you, your bank, or credit agencies. And there are many other ways your data can be exploited for money.
When hackers discover a vulnerability in your system, they will immediately test and explore it and build something to exploit it. The code or methodology will then be sold to third parties for exploitation, or as much data as possible will be extracted. This will then be sold on the black market, usually a forum on the Dark Web (a hidden anonymous internet only accessible through the Tor Network).
The situation becomes extremely dangerous if ongoing, unrestricted access to your system is valuable to them, whether to monitor your users or to steal from you over time.
How do they steal the data?
Whenever you use a system, for example a school computer, that collects, manages, and serves data, there will be tens to hundreds of millions of lines of code in place to run it.
With such a large volume of code it is inevitable that it will contain bugs, logic errors, and architectural errors that enable the flow of the program to be manipulated to reveal more data or access than it should. Hackers test how data is handled by entering different pieces of data to see what happens, looking for a place where the input is mishandled and can be exploited. Gaining access may take a number of steps, so these may be written into a piece of code to automate the process.
On the flipside this is the same methodology used to hack computers through a web browser. Hackers test different pieces of code to see how the browser responds, looking for errors. Once found they build a piece of code that uses this vulnerability to gain access to your computer when you visit a webpage set up by the hacker. This is usually used to install other dangerous software on your computer so they can steal details like bank logins.
What can we do to protect ourselves?
There are a number of simple steps you can take, and processes you can put in place to prevent attacks in the first place, and limit the damage should a data breach occur:
Keep software up to date
Keeping your software up to date is critical for mitigating security vulnerabilities, especially known exploits.
Security researchers notify software vendors of vulnerabilities every day, and those vendors then patch their software in the next release. After the update is released, the vulnerability will be made public through a database, at which point a black-hat hacker could build an exploit for use against unpatched systems. So if you don’t have the latest software, you’re more likely to be vulnerable to an attack.
Make good passwords
Use strong passwords: the longer your password is, the harder it is to crack if your personal data is stolen. Don’t use any words or dates personal to you, as this can massively reduce the security of your password. It is best to use something random but easy to remember.
Don’t reuse passwords across multiple systems: if one of those systems is hacked, it could lead to attackers gaining access to your other accounts.
Never use accounts that are shared across multiple people. If something goes wrong you won’t know who is to blame, and you will have to update everyone with new details should one person’s access need to be revoked.
For more in-depth advice on password management, read The Secret to Secure Passwords, a blog I wrote recently for SWGfL.
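The password advice above can be put into numbers. The following is an added example, not code from the original blog or from SWGfL: it generates a random but memorable passphrase and compares how large the guessing space is for a random password, a passphrase, and a password built from personal details. The word list, the personal-detail guess space and the guess rate are constructed assumptions.

```python
import math
import secrets
import string

# Constructed 32-word sample list so the example runs offline. A real
# deployment would use a large published list (for example 7776 words).
WORDS = """apple brick cloud delta ember frost grape harbor island jungle
kettle lemon meadow nickel orbit pepper quartz river saddle timber umbrella
velvet walnut yonder zephyr anchor basket candle dragon engine falcon
garden""".split()

# Letters, digits and punctuation: 94 typeable symbols.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def random_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` items chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def make_passphrase(n_words: int, words=WORDS, sep: str = "-") -> str:
    """Choose words with the operating system's secure random source."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Average time to guess the secret (half of the space is searched)."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def compare(guesses_per_second: float = 1e10) -> dict:
    """Map each password style to (bits of entropy, average years to guess)."""
    # 1e10 guesses/s is an assumed rate against a stolen, weakly hashed password.
    styles = {
        "8 random printable chars": random_bits(8, len(SYMBOLS)),
        # Assumed guess space: 1000 common names x 366 days x 100 years.
        "name + birth date (personal)": math.log2(1000 * 366 * 100),
        "4 words from 7776-word list": random_bits(4, 7776),
        "6 words from 7776-word list": random_bits(6, 7776),
    }
    return {name: (round(bits, 1), years_to_search(bits, guesses_per_second))
            for name, bits in styles.items()}


if __name__ == "__main__":
    print("Sample passphrase:", make_passphrase(6))
    for name, (bits, years) in compare().items():
        print(f"{name:30s} {bits:5.1f} bits  ~{years:.3g} years")
```

Under these assumptions the personal-detail password offers about 25 bits and falls almost immediately, while six random words exceed an eight-character random password and are far easier to remember.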
Develop data management policy within your organisation
It is critical that everyone in your organisation is reading from the same hymn sheet when it comes to data security. A tool such as 360data can help you to develop policies and procedures around data protection, enabling your organisation to reduce attack vectors, and know what to do if a data breach occurs.
What can I do?
If you’re not already a user of 360data, now may be a good time to sign up and access good-quality advice and guidance from SWGfL, partners in the UK Safer Internet Centre.
Other steps include:
- Ensure you have an up-to-date backup available (and have tested it)
- Update your Windows installation
- Keep your anti-virus up-to-date
- Be cautious, don’t click on links in emails – do you know the sender?
For more information on how to protect your organisation, please visit 360data.org.uk and sign up or take our FREE 30-second quiz.