Home > Publications > Non-Technical > June 2008 - Volume 3, Issue 6 - Data Breach

June 2008 - Volume 3, Issue 6 - Data Breach

What is a Data Breach?

Data breach generally refers to instances where information has been subject to unauthorized access, often where the information is lost, stolen or hacked into.  This is of particular concern when that information is private, sensitive, or confidential.  Organizations and individuals have the responsibility of protecting the information in their care and proper safekeeping of this data is vital. Failure to do so can result not only in a breach, but also result in damage to reputation, significant fines or loss of revenue, and other negative consequences.


Data breaches are occurring all too frequently, and they can occur in large or small organizations, in the public and private sectors.  The scope of this issue can be evidenced by the fact that more than 227 million records nationwide have been involved in a breach since February 2005.  This figure represents only those that have been reported, so it may reflect only a portion of the actual occurrences.  This is an issue that everyone must be aware of and take steps to mitigate.  


In addition to data breach concerns, we must also recognize that data manipulation is a potential threat.  If we cannot trust the integrity of our data, and know that it has not been altered inappropriately, our ability to carry out our mission and serve our customers becomes impaired. 

Some examples of data that must be protected include the following:

  • Customer or employee information with names, addresses, Social Security numbers, credit card numbers, passwords and other identity-related information
  • Intellectual property
  • Financial information
  • Health records of individuals

How is Data Compromised or Disclosed?

Attempts by hackers to steal names, Social Security numbers, credit card accounts and other information is one method of obtaining data.  Attackers may use social engineering, phishing or other similar attempts to gain access.  These activities can translate into very large sums of revenue for those in the organized crime world.  While very sophisticated techniques are sometimes used to steal sensitive data, one of the most common threats comes from within the organization itself.  According to Deloitte’s 2007 Global Security Survey, 65 percent of respondents reported repeated external breaches.   Of those incidents, 18 percent stemmed from unintentional data leakage.  The report also indicates that some of the surveyed data breaches went undetected for extended periods.


The loss or theft of data is not limited to electronic data loss or computer hacking.  Other possibilities include physical loss of hard copy documents, theft or loss of laptops, tapes and flash-drive devices or improper disposal of hard copy documents.


Are there Laws or Regulations to Protect Data?

There are numerous laws and regulations to regulate how organizations must handle and protect sensitive information.  Some of the most notable include the following:


  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Payment Card Industry (PCI) Security Standard
  • Gramm-Leach-Bliley Act (GLBA applies only to financial institutions)
  • Sarbanes-Oxley Act (SOX applies only to public companies)



There are Breach Notification Laws currently in place in forty-two states and the District of Columbia which govern the notification of an individual whose personal information has, or may have been disclosed.


What Can I Do?

Organizations and individuals must take proactive measures to minimize the risk of data breach. Everyone in an organization has a role in protecting information. The following are examples of steps you can take to help prevent data disclosure:
  • Follow your organization’s cyber/information security policies
  • Know how your organization has classified information and adhere to the appropriate controls in place
  • Follow proper procedures for the destruction or disposal of media that contain sensitive data
  • Participate in security awareness training.


Remember, cyber security is everyone’s responsibility. Don’t be the weak link in the chain.

Online Resources

To learn more about protecting information visit the following online resources:  The information provided in the Monthly Security Tips Newsletters is intended to increase the security awareness of an organization’s end users and to help them behave in a more secure manner within their work environment.  While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization’s overall cyber security posture.

Brought to You by:

MS-ISAC logo