
A primer on data breaches

Data breaches are inevitable. Here’s what you can do to minimise damage

14 November 2020· 3 min read

TL;DR

Data breaches are an unavoidable reality for modern enterprises, frequently stemming from human error across complex digital environments. This article highlights that Personally Identifiable Information (PII) is the prime target, making companies with extensive user bases highly vulnerable. Key risks span misconfigured cloud infrastructures, developer oversights, weak credentials, and sophisticated social engineering. For business leaders, the imperative is clear: implement rigorous cloud security governance, invest in comprehensive developer training, mandate multi-factor authentication, and foster continuous cyber hygiene. Proactive measures are crucial to safeguard critical data, minimize impact, and uphold stakeholder trust in an increasingly volatile digital landscape.

Most data breaches are due to human errors or the predictability of our behaviour. That’s what makes them hard to prevent. In any data breach, the most important question is how much Personally Identifiable Information (PII) is lost. The PII could be name, address, email address, date of birth, telephone number, clear-text or weakly hashed password, passport/PAN/Aadhaar details, credit/debit card numbers, CVV.

This data is usually sold on the black market, and the market value of each record is dictated by the type of PII available. This makes startups like BigBasket, Zomato, Paytm etc., which have millions of active users, a prime target for data breach attacks. In BigBasket’s case, the PII of 20 million users was breached.

Some of the common causes of data breaches are:

  1. Physical loss of data/credentials stored on a laptop, pen drive or mobile device that is stolen or misplaced, or documents that are improperly disposed of or recycled.
  2. Data shared with partners who might not have the same standards of security.
  3. Improperly configured security policies. As more companies move their infrastructure to the cloud, the risk of a large data breach also increases. The flexibility and ease provided by the cloud come at the price of setting up correct policies and access permissions. An oversight, however temporary, can open up the data to public access. One of the most common reasons for a data breach is an improperly configured S3 bucket in AWS (a low-cost object store used for storing large volumes of data).
  4. Developer oversights. Some of the common mistakes developers make are leaving credentials in the code (open to reverse engineering), leaving APIs open to unauthorised access, and saving PII in debug logs.
  5. Weak/stolen credentials. Most of us tend to use the same password across multiple sites, possibly with minor variations. Hackers use this to their advantage by attempting to log in to various sites using the usernames and passwords from a data breach. This is called credential stuffing. There have been cases where a corporate email ID and password obtained from a data breach were used to sign in to a code repository where database credentials were stored.
  6. Phishing/social engineering. Getting unsuspecting users to share their credentials by masquerading as a legitimate party. Again, hackers use PII from data breaches to make the attempt seem legitimate. Experienced developers have fallen for this. 
  7. Malware. Getting users to download malware that detects key presses or provides remote access to hackers.  
  8. Disgruntled/malicious insiders 
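
For the "PII in debug logs" mistake in item 4, one mitigation is to scrub records before they are written. The following is an added example, not part of the original article: a Python logging filter that masks email addresses and Luhn-valid card numbers. The logger name and sample values are constructed, and the two patterns cover only these two PII types.

```python
import logging
import re

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# 13-19 digits, optionally grouped with spaces or hyphens.
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text):
    """Mask email addresses and Luhn-valid card numbers in a log message."""
    text = EMAIL.sub("[EMAIL]", text)

    def mask_card(match):
        digits = re.sub(r"\D", "", match.group())
        # Long digit runs that fail Luhn (order IDs etc.) are left untouched.
        return "[CARD]" if luhn_ok(digits) else match.group()

    return CARD.sub(mask_card, text)


class PiiRedactingFilter(logging.Filter):
    """Attach to a handler so every record is scrubbed before it is written."""

    def filter(self, record):
        record.msg = redact(record.getMessage())  # format first, then scrub
        record.args = ()
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(PiiRedactingFilter())
    log = logging.getLogger("checkout")  # hypothetical logger name
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    # Constructed sample values; 4111 1111 1111 1111 is a standard test card number.
    log.debug("payment by %s card=%s order=%s",
              "asha@example.com", "4111 1111 1111 1111", "1234567890123456")
```
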

What can you do in case your PII is part of a data breach? 

  1. Change your password on the site. If you have used the same password on any other sites, change the password there too.
  2. Avoid using the same password on multiple sites. 
  3. Use longer passwords (at least 12 characters) and change them every few months. Consider using passphrases which are easier to remember. 
  4. Use a password manager to store passwords for different sites if it is hard to remember so many. 
  5. Enable two-factor authentication on every site that supports it.
  6. Beware of phishing attempts.
  7. Avoid clicking on untrusted links and attachments. 

Achyut Nayak

Software specialist

Achyut is a software geek from Mumbai. He spent the first decade-and-half of his career designing and implementing banking solutions all over the world. He then worked with a startup building products in the Fraud and Data Analytics space. He currently works with data and machine learning at a Singapore startup. He has also contributed to the tech stack at Founding Fuel.