Data breach vs. Data leak explained

You probably remember when Facebook's founder Mark Zuckerberg testified before the American Congress and UK lawmakers regarding the Cambridge Analytica data leak scandal. The political consulting firm harvested raw data from 87 million Facebook profiles while working for Donald Trump's presidential campaign in 2016. You might also recall the massive data breach incident at the hotel chain Marriott International, which exposed the information of over 500 million customers.

On the surface the two events look alike; in nature, however, they are opposites. In this article we outline the differences between the two situations, and you will learn the steps to take to improve your data security.

What's a data breach?

"Data breach" is the phrase more commonly used when confidential details are exposed by an external party: a direct attack on private data by an unauthorized entity. There are numerous examples of data breaches, such as hackers penetrating a computer database, or somebody coercing you into giving them access to data they should not have. In the case of Marriott International, hackers planted malware in Marriott's systems sometime in 2014, but this was not detected until 2018. It led to the exposure of millions of guests' private data. This could have been detected sooner if the company had practiced standard security audits.

What's a data leak?

Conversely, a data leak is the unauthorized transmission of information from inside an organization to one or more external recipients. The term covers data that is transferred physically as well as digitally. The majority of data leak incidents happen online, more specifically via email and file transfer. These incidents stem from a variety of causes, often emails sent to the wrong individuals due to human error, or specific information being disclosed inadvertently in response to a request. Most data leak incidents are unintentional and non-malicious in nature. However, in the case of the Cambridge Analytica leak and other high-profile cases widely reported by the global media, the leak is often intended to expose or denigrate an institution or an individual. It's important to note that these types of data leaks are relatively rare in comparison with the less high-profile data leaks that happen every day simply as a result of human error.

The key distinction of a data leak incident is that it happens from the inside out. A data breach occurs the other way around, from the outside in. In the Facebook Cambridge Analytica scandal, the leak came in the form of a whistleblower (a person who speaks out against unethical methods), who disclosed confidential information obtained while working for the company. It exposed how Cambridge Analytica was gathering Facebook's user data to manipulate public opinion in an unethical manner (fake news).

The Marriott International case was classified as a data breach. It was a direct attack by an external entity (hackers) that implanted a Remote Access Trojan (RAT) along with Mimikatz, a tool for extracting username/password combinations from system memory. Together, these two tools gave the perpetrators control of the administrator account. The actions taken by the hackers, along with Marriott International's lackluster data security protocol, created the perfect storm for an online security catastrophe. Hundreds of millions of people had their passport and credit card numbers compromised, which could have a disastrous personal impact on the affected individuals.

How to prevent and mitigate data exposure

Unfortunately, it's impossible to entirely prevent the threat of data breaches at third-party services, such as social networking websites, ecommerce websites, and other online services. Cybercriminals are always adapting their methods, and it's challenging to stay abreast of their tactics. Nevertheless, there are several techniques you can deploy to reduce the potential threat to your company, customers and other contacts. Security measures against data breaches must be addressed on an individual level; it's recommended to hire an IT security professional to create a custom-made, actionable plan for your organization.

At a minimum, standard cybersecurity practices should always be in place when connecting to online networks, such as:

  • Use a firewall
  • Document your cybersecurity policies
  • Establish mobile device security protocols
  • Educate all employees regarding data security best practices
  • Enforce safe password practices
  • Regularly back up all data
  • Install anti-malware software
  • Use multifactor authentication

On the flip side, data leakage prevention is much simpler. It may come as a surprise, but the primary source of data leaks comes down to simple human error by staff. In a recent report by the UK Information Commissioner's Office (ICO), human error was responsible for a whopping 88% of all data loss incidents in the UK in 2019. Errors during emailing were responsible for over 60% of the data leaks.

These numbers prove that the implementation of a company-wide secure email platform is imperative, regardless of the size of the organization. Taking this action alone could address up to 60% of the data leakage threat, according to the report.

There are many players in the secure email industry but most of them focus primarily on encryption. There are other secure email platforms such as ZIVVER which are additionally designed to prevent human error and help mitigate data leaks. ZIVVER, for example, provides: 

  • Real-time monitoring of recipients, email, and attachments
  • Email retraction
  • Asymmetric encryption
  • 2FA for accessing emails
  • Outlook plugin
  • Web and mobile applications
  • Guest user support
  • Secure conversation starters
  • Corporate guest branding
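One way to turn the recipient and content monitoring described above into a pre-send check, as an added example (this is not ZIVVER's code; the internal domain, the address book, the sample message and the identifier patterns are all assumptions):

```python
import re
from dataclasses import dataclass, field

# All names, addresses and patterns below are assumptions for illustration.
INTERNAL_DOMAIN = "example.org"  # assumed domain of the sending organisation
SENSITIVE_PATTERNS = {
    "IBAN-like": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "card-like": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
}

@dataclass
class Draft:
    sender: str
    recipients: list
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> text content

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def check_draft(draft: Draft, known_contacts: set) -> list:
    # Returns the warnings a sender must acknowledge before the mail leaves.
    warnings = []
    external = [r for r in draft.recipients if domain_of(r) != INTERNAL_DOMAIN]
    # Wrong-recipient heuristics: an external address never mailed before, or
    # recipients spread over several external domains (a typical autocomplete slip).
    for r in external:
        if r.lower() not in known_contacts:
            warnings.append(f"unknown external recipient: {r}")
    ext_domains = sorted({domain_of(r) for r in external})
    if len(ext_domains) > 1:
        warnings.append(f"recipients span several external domains: {ext_domains}")
    # Content check: sensitive identifiers only matter once something leaves the org.
    if external:
        for where, text in {"body": draft.body, **draft.attachments}.items():
            for label, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(text):
                    warnings.append(f"{label} identifier in {where} sent to external recipients")
    return warnings

# Constructed sample: a payroll export where one address was mistyped.
KNOWN_CONTACTS = {"anna@partner-bank.example"}
SAMPLE = Draft(
    sender="hr@example.org",
    recipients=["anna@partner-bank.example", "anne@partner-bnak.example", "hr@example.org"],
    body="Attached is the export we discussed.",
    attachments={"payroll.csv": "name,iban\nJ. Doe,NL91ABNA0417164300\n"},
)

def sample_warnings() -> list:
    return check_draft(SAMPLE, KNOWN_CONTACTS)
```

A real platform would ask the sender to confirm each warning or block the send; here the warnings are simply returned so they can be shown or logged.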

Conclusion

There is currently no single solution that addresses the threat of data loss from both breaches (external) and leaks (internal). However, implementing a secure email platform, combined with standard cybersecurity practices, could significantly diminish the threat of a data leak or breach within an organization. Additionally, if an incident occurs, the simple fact of having established online security protocols helps to mitigate the damage. It also demonstrates to your clients and reporting authorities that your company takes data protection and all that it entails very seriously. In a post-GDPR and Data Protection Act landscape, companies can no longer afford to be lax on email and file transfer security.

ZIVVER can help your organization become GDPR and DPA 2018 compliant in no time. Check out our pricing plans.
