
Data Breach

Introduction

A data breach is the actual or suspected compromise of sensitive data through accidental loss, or unauthorised or accidental access, processing, erasure or use. Data breaches can result from cyber attacks on computer systems, networks or cloud storage in which cyber criminals gain unauthorised access to sensitive data such as personal data and financial data. Besides outsiders, data breaches can be caused by malicious insiders (e.g. privilege abuse), human error (e.g. security misconfiguration) and user negligence (e.g. loss of a USB drive).

Typically, cyber criminals target personal data such as names, identity card numbers, email addresses, usernames, passwords, credit card numbers or any data that can be used for criminal or dishonest purposes (e.g. deception). For businesses, valuable data such as financial records, intellectual property, trade secrets and customer data may be targeted by cyber criminals for financial gain.

Causes and Impacts

Common causes of data breaches (figure not reproduced in this text)


Possible Impacts of data breaches:

For organisations:

  • Reputational damage – clients and business partners may lose their trust and cast doubt on the organisation.
  • Penalty and legal liability – the organisation may be subject to fines by regulators and lawsuits by data subjects.
  • Disruption to business and financial losses – recovering operations may be costly and time-consuming, disrupting business and causing financial loss.
For end users:

  • Financial loss – personal data may be used in financial frauds (e.g. taking over the victim's account for making unauthorised transactions).
  • Impersonation – stolen personal data may be used to gain access to a system or network in order to commit fraud, industrial espionage or identity theft.
  • Emotional distress – individuals may become worried about the adverse consequences of data breaches, for example, the personal data may be used to humiliate the victim and cause emotional distress (e.g. celebrity photo breach). 

Preventive Measures

  • Keep electronic devices in safe custody and encrypt any sensitive data stored on them.
  • Use up-to-date firewall, anti-malware and anti-phishing software.
  • Patch and update systems and applications regularly.
  • Configure systems and devices to allow only authorised user(s) to access the sensitive data.
  • Avoid transferring sensitive data to portable devices or to any unknown third parties.
  • Use strong password and multi-factor authentication if applicable.
  • Be mindful of solicitations for sensitive data in suspicious emails and websites.
  • Use secure cloud storage or services with proper security configurations and end-to-end encryption.
  • Erase all sensitive data on storage devices thoroughly before repairing or disposing of the devices.
  • Do not use untrusted communication channels (e.g. public Wi-Fi) or devices to conduct sensitive transactions (e.g. on-line banking) or access sensitive data.
  • Use the Data Security Scanner provided by the Office of the Privacy Commissioner for Personal Data, Hong Kong to conduct a quick and easy self-assessment on the sufficiency of data security measures for information and communications technology systems.

Detection

Signs indicating that you may have fallen victim to a data breach:

  • Receive suspicious calls or transaction records with your personal data exposed.
  • Receive data breach notifications from government agencies or organisations holding your personal data.
  • Detect email accounts being compromised or involved in data breach incidents based on reference sources such as "Have I Been Pwned".
  • Detect suspicious activities in your accounts.
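The "Have I Been Pwned" service mentioned above also lets you check whether a password has appeared in known breach dumps without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, receives every suffix that starts with that prefix, and finishes the comparison locally (k-anonymity). The following is an added illustration, not code from this page or from the Have I Been Pwned project. It embeds a constructed sample of the range response so it runs offline; the breach counts in that sample are illustrative only, and the live `fetch_range` helper is included but not called.

```python
from __future__ import annotations

import hashlib

# Constructed sample of what the Pwned Passwords range endpoint returns for
# the prefix "5BAA6". Real responses contain several hundred "SUFFIX:COUNT"
# lines; these four are made up for illustration, except that the third
# suffix really is the tail of SHA-1("password"). Counts are illustrative.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2AAA439C4C1FEF3E4E9E5C9F4F8C0A1F2:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F3C2A7B8E6D5C4B3A2918F7E6D5C4B3A21:7
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.

    Only the prefix is ever transmitted; the suffix stays on the client, so the
    service cannot learn which of the returned candidates (if any) matched.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating blank lines and CRLF."""
    result: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus; 0 if it is absent."""
    _, suffix = split_sha1(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup over the network (assumed endpoint format: /range/<prefix>).

    Not called in the offline demo below. Only the 5-character prefix leaves
    the machine.
    """
    import urllib.request

    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "data-breach-self-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo: use the constructed sample instead of fetch_range().
    for pw in ("password", "correct horse battery staple 2024"):
        prefix, _ = split_sha1(pw)
        body = SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""
        n = breach_count(pw, body)
        verdict = f"seen {n} times in breaches" if n else "not found in sample"
        print(f"{pw!r} (prefix sent: {prefix}): {verdict}")
```

A password that appears in the corpus should be treated as compromised regardless of the count; reset it everywhere it was reused, which is the same advice the Mitigation section gives for accounts suspected of compromise.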

Mitigation

You may consider taking the following measures:

  • Contact the respective service providers of your compromised accounts and check for any suspicious transactions.
  • Reset the password of any of your online accounts suspected to have been compromised.
  • Stay vigilant against phishing emails or other attempted scams using the breached data.
  • Report the case to the Police (if any criminal activity is involved) and lodge a complaint with the PCPD (if personal privacy is infringed). Seek advice from the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) on incident response and recovery, if necessary.
  • For organisations, develop a response plan for handling data breach incidents and notification arrangements for issuing data breach notifications to the affected users in a timely manner.
  • Take appropriate actions to remove the breached data from public access (e.g. submit requests to the administrators of the websites and forums concerned).

Extended Readings

Some references on data breach and what you need to know:


  1. Advanced Micro-Electronics - Data Security Breach: 5 Consequences for Your Business
  2. Hong Kong Computer Emergency Response Team (HKCERT) - Cloud Storage Security
  3. Malwarebytes - Data Security Breach: 5 Consequences for Your Business
  4. Office of the Australian Information Commissioner - Data Breaches
  5. Office of the Privacy Commissioner for Personal Data (PCPD) - Protecting Privacy
  6. Symantec Corporation - What to do if you become involved in a data breach

Disclaimer: Users are also recommended to observe the Important Notices of this website and to read the user agreements and privacy policies of security software and tools before downloading and using them.
