Data breach and the CIA

Andrew David Bhagyam
4 min read · Aug 4, 2018

“High-profile data breaches are a wake-up call to enterprises everywhere. However, they pose the question: Why did IT fail to stop the data breach? The answer is that it’s an enterprise-wide issue, not just a technology problem.”

Data breach is a commonly heard term nowadays. With new stories seeming to crop up every few weeks, the term “data breach” is quickly becoming a household phrase.

What is a breach?

A quick look in the dictionary defines the term ‘breach’ as:

An act of breaking or failing to observe a law, agreement, or code of conduct.

What is a ‘data’ breach?

By a formal description, we can say a data breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorised fashion. Data breaches may involve any kind of data such as PII (Personally Identifiable Information), PHI (Protected Health Information), Financial data, Biometric data or any data that may potentially be under the umbrella definition of ‘personal data’.

What is ‘personal data’ breach?

It is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

A data breach is a type of security incident but GDPR only applies where there is a breach of personal data.

All personal data breaches are security incidents but not all security incidents are necessarily personal data breaches.

When is something called a ‘breach’?

Simple. Going by the definition of ‘breach’, it happens when we break, or fail to observe, the way something is supposed to be done. How can we know whether something qualifies as a breach? What do we classify as an actual breach? What can our failure result in? What are the categories and the types of breaches?
Keep reading.

What constitutes a Data Breach?

Listed below are the common things that constitute a breach.

  • Destruction of personal data — this is where the data no longer exists, or no longer exists in a form that is of any use to the controller
  • Damage to personal data — this is where personal data has been altered, corrupted, or is no longer complete
  • Loss of personal data — this can be interpreted as ‘the data may still exist, but the controller has lost control or access to it or no longer has it in its possession’
  • Unauthorised or Unlawful processing of personal data — this may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the GDPR or other applicable privacy laws
  • Unauthorised disclosure of personal data — this includes instances when personal data has been made available or disclosed to unauthorised parties. How do we know who ‘authorises’ this? This depends on the role a person or entity takes up, the relation between the data subject & the third party, lawful basis for this disclosure, notification to the data subject & the reasonable expectation of the data subject

What are the categories of data breach?

This is based on the CIA Triad. No, not the Central Intelligence Agency but Confidentiality, Integrity and Availability.

Personal data breach can be categorised into:

  • Confidentiality breach — where there is an unauthorised or accidental disclosure of, or access to, personal data
  • Integrity breach — where there is an unauthorised or accidental alteration of personal data
  • Availability breach — where there is an accidental or unauthorised loss of access to, or destruction of, personal data

However, the following are some common daily scenarios which may lead to or qualify as a data breach:

  • Sharing a document with more people than actually required
  • Sharing files with the wrong person, someone they were never intended to be shared with
  • Migration failures which may result in loss of data or alteration of data
  • Not following the organisational procedures for data handling
  • Keeping printed documents unattended
  • Technical mistakes on our side that leave a customer unable to access their data

Types of data breaches

Physical Breach

A physical breach involves the physical theft of documents or equipment by physically accessing the machine (e.g. stealing hard copies of documents from the printer).

Electronic Breach

An electronic breach is unauthorised access to, or a deliberate attack on, a system or network environment, in which access to a system’s vulnerabilities is acquired via web servers or websites through application-level attacks (e.g. ahh, we all know!).

Skimming

Skimming involves the capture and recording of card magnetic stripe data using an external device which is sometimes installed on a merchant’s point of sale system (POS) or using an RFID device.

The causative agents for a breach to occur can be broadly categorised into two:

  • Intentional (malicious)
  • Non-intentional

A word of caution — Though there are a number of data breach types, as more and more companies go digital, the vulnerabilities of electronic document management systems have been exploited. However, while focusing on digital security is important, it is critical that companies don’t let physical document security measures fall by the wayside.

Consequences of Data Breach

Data breaches could lead to:

  • Loss of control of personal data
  • Limitation of rights
  • Identity theft or fraud
  • Financial loss
  • Unauthorised reversal of de-identified data
  • Damage to reputation
  • Loss of confidentiality of personal data protected by professional secrecy
  • Any other significant economic or social disadvantage to individuals

Ten tips to reduce the likelihood of a Personal data breach

Understand the threats you’re facing

  • Know what personal information you have, where it is, and what you are doing with it.
  • Know your vulnerabilities (not just VAPT, but also your use of third parties)
  • Know your industry (our products and the customer industries we target)
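The first tip above, knowing what personal information you have and where it is, is usually the hardest one to act on, because personal data ends up in spreadsheets, exports and mailboxes nobody catalogued. The script below is an added illustration of one way to start that inventory; it is not code from the original post. It scans a constructed in-memory set of “files” for a few PII patterns (email addresses, UK mobile numbers and card numbers), drops digit runs that fail the Luhn checksum so random IDs are not reported as cards, and prints a redacted report so the inventory itself does not become another copy of the data. The file names, contents and regexes are assumptions chosen for the example; a real run would walk a file share or database dump and use patterns tuned to your own data estate.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "files": path -> contents. In practice you would walk a
# file share, mailbox export or database dump instead of this in-memory dict.
SAMPLE_FILES = {
    "hr/onboarding.txt": "New starter: jane.doe@example.com, phone +44 7700 900123",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456",
    "eng/README.md": "Build with make; no customer data here.",
}

# Detectors: kind -> regex. Deliberately simple; tune these per data estate.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "uk_phone": re.compile(r"\+44 ?7\d{3} ?\d{6}"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched value) pairs found in one document."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if kind == "card":
                digits = re.sub(r"\D", "", value)
                if not luhn_ok(digits):
                    continue    # looks like a card number but fails the checksum
            hits.append((kind, value))
    return hits


def build_inventory(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each location to the personal data found there; clean files are omitted."""
    inventory = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            inventory[path] = hits
    return inventory


def redact(value: str) -> str:
    """Keep only the last four characters so the report does not leak the data it finds."""
    return "*" * max(0, len(value) - 4) + value[-4:]


if __name__ == "__main__":
    for path, hits in build_inventory(SAMPLE_FILES).items():
        for kind, value in hits:
            print(f"{path}: {kind} -> {redact(value)}")
```

Run as-is it reports the email and phone number in the HR file and the one valid card number in the finance export, while the README and the non-Luhn digit string are left out. The inventory it produces (location, kind of data, no raw values) is exactly the input you need for the later tips about limiting what you retain and monitoring who has access.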

Think beyond the hacker

  • Encrypt laptops, USB keys and other portable media
  • Limit the personal information you collect, as well as what you retain
  • Don’t neglect personal information’s end-of-life (the information life cycle is very important)
  • Periodic training for employees (very, very important)
  • Limit, and monitor, access to personal information

But don’t forget about the hackers either

  • Maintain up-to-date software and safeguards
  • Implement, and monitor, intrusion prevention and detection systems

Andrew David Bhagyam

Security & Privacy geek, Data protection thought leader, hacker, musician, Christian(I don't believe in religion, but I believe in Jesus Christ)