Alina Benny is a writer and editor at Aura, covering the gamut of security topics for the company, including online safety, identity theft, and fraud. Before Aura, she oversaw part of Nextiva’s marketing efforts. She holds a bachelor's degree in Electronics Engineering from the Cochin University of Science and Technology and has nearly a decade in content marketing. Twitter: @heyabenny
Jory MacKay is a writer and award-winning editor with over a decade of experience for online and print publications. He has a bachelor's degree in journalism from the University of Victoria and a passion for helping people identify and avoid fraud.
Marilyn Young was excited about the ‘80s reunion concert she had just bought tickets for, but she never anticipated what followed [*]. Months after the purchase, she got a notification from Ticketmaster confirming that she had transferred her tickets to someone else.
Ticketmaster issued Marilyn a new set of tickets, but most victims aren’t so lucky. When hackers leak passwords, financial data, or other private information, the damage can be devastating and often irreversible.
There were 4,145 publicly disclosed data leaks in 2021 alone, representing over 22 billion compromised data records [*]. And those numbers are mounting — data breaches in the first quarter of 2022 surpassed those in 2021 by 14% [*].
{{show-toc}}
What is a Data Breach?
An intentional or inadvertent security incident that exposes sensitive, confidential data to unauthorized third parties is known as a data breach. The exposed information can include:
Personally Identifiable Information (PII) such as Social Security numbers (SSNs), driver’s license numbers, or even criminal records.
Protected Health Information (PHI) such as medical conditions or health insurance information secured by Health Insurance Portability and Accountability Act (HIPAA).
Other intellectual property (IP) such as trademarks, patents, or trade secrets.
{{hacker-view-widget}}
How Do Data Breaches Happen?
A data breach refers to any instance in which someone accesses data that they aren't allowed to see. Most breaches expose consumers’ sensitive information. Criminals can sell this information on the Dark Web or use it themselves to bilk victims.
Cyberattacks
In cyberattacks, threat actors take advantage of security vulnerabilities in the technology that protects important data. This is by far the most common type of data breach, representing 86% of the 2021 attacks reported by the Identity Theft Resource Center [*].
Common types of cyberattacks
Malware. A user installs malicious software on a computer that harms the operating system. Spyware — a type of malware — then pilfers personal information from vulnerable user accounts.
Ransomware. This is a type of malware that encrypts the data on a computer or system, making the data unusable unless the victim pays a fee.
Credential stuffing. Cybercriminals use leaked usernames and passwords on other sites. For example, they will try to log in to your email account with the username and password exposed in a social media breach.
DNS tunneling. DNS tunneling strong-arms the Domain Name System to connect a victim’s computer to the attacker’s. Since it’s the DNS resolver that facilitates this tunnel, it’s almost impossible to detect the connection.
Denial-of-service (DoS). DoS attacks flood a website with bogus requests so that the server can’t handle legitimate requests.
Cross-site scripting (XSS) attack. In this attack, a hacker sends a server code instead of a legitimate entry — e.g., including a JavaScript snippet instead of a username. For applications that aren’t correctly set up, hackers can run this code and harm the user, the application, or both.
Trojan horse. Like the Greek myth, a Trojan horse is something that looks legitimate on the outside, but cloaks an attack. Trojan malware might look like a harmless attachment, app, or extension — and even operate as such — but it contains malicious code to harm your machine.
SQL injection. Like an XSS attack, a SQL injection happens when a hacker sends harmful code instead of legitimate requests. SQL refers to the language used for databases, and these kinds of attacks typically involve pilfering information from a database.
Zero-day exploit. Zero-day attacks use previously unknown security flaws, so cybersecurity experts have “zero days” of preparation. These are perhaps the most dangerous type of attacks. A 2020 report showed that zero-day vulnerabilities were responsible for 80% of successful data breaches.[*]
📌 Zoom out: Keep constant tabs on your credit and financial accounts with credit monitoring. Aura can alert you in near real-time if someone is trying to open new accounts in your name.
✅ Take action: If you think someone is misusing your personal information, try Aura’s identity theft protection free for 14 days to secure your identity.
System and human errors
Among the weakest points of any system are its human gatekeepers. Criminals take advantage of misconfigured software or use social engineering — a type of hack meant to manipulate people’s emotions — to perform a breach.
Examples of system and human errors
Phishing occurs when a hacker purporting to be a trusted authority tricks someone into sharing personal information. A hacker breached the software company Twilio in 2022 by sending fake text messages to employees, warning them of expired passwords [*]. The link in the texts led to a Twilio sign-in page clone designed to steal credentials.
Physical correspondence. Phishing scams don’t have to be overly technical. A newly emerging way for cybercriminals to install malware is to send victims a USB drive letter from a trusted company. When connected to a computer, the drive immediately installs malware.
Misconfigured firewalls. Firewalls prevent certain types of information from passing in and out of networks, but require precise settings and permissions. It’s easy for an IT administrator to set these up incorrectly.
Delay in patching. Patches are software updates that fix known vulnerabilities. But when users put off installing updates, their systems are still at risk. In 2017, Equifax suffered one of the largest data breaches in history because the company failed to install a security patch on time [*].
Unsecured cloud environment. Many companies today use cloud platforms like Microsoft Azure, Google Cloud Platform, or Amazon Web Services; but they may not have set them up correctly. A 2021 report from Zscaler found that the average business had 40 instances of exposure while using a cloud service [*].
Physical attacks
We often consider physical attacks a problem of the past. But because they are often overlooked, physical attacks can be the most crippling.
Examples of physical attacks
Lost device or document. A lost device that has important data stored on it can find its way into the wrong hands — giving the finder everything on the hard drive and even unauthorized access to secure websites.
Document theft. An identity thief only needs one identity document, like an ID card or medical record, to launch a successful attack. For example, a New York woman was charged in 2022 for stealing more than $29,700 from a victim’s bank account using only a stolen driver’s license [*].
Device theft. Personal laptops, tablets, and smartphones are delectable morsels for identity thieves. If a thief steals your device, they can gain access to all your documents and the logins to all your accounts, including bank accounts.
Improper disposal. Careless disposal of old credit cards, identifying documents, and even junk mail with pre-approved offers can increase the risk of a cybercrime. Thief-turned-consultant Frank Abagnale, of Catch Me If You Can fame, explains that it only takes a few hours to reconstruct documents that have been destroyed with low-security shredders [*].
Here’s How a Data Breach May Affect You
For businesses
Businesses are quickly becoming primary targets for hackers. Businesses have access to more resources — whether through revenue, loans, or stock — than individuals. And there are more entry points. A criminal only needs to trick one employee, out of dozens or even hundreds, to orchestrate a successful, large-scale hack.
And cybercriminals hack small businesses just as often as they do Fortune 500 companies. For example, hackers infiltrated a truck parts company in 2021 exposing the SSNs of over 6,500 people in the company’s database [*].
Types of data stolen
Personal data of employees, customers, or partners
Financial information, like company credit card numbers
Trade secrets, like product designs or forthcoming patent applications
Internal company documents, like financial reports or memos
For businesses in healthcare: medical records and insurance information
Potential risks
Ransomware, which forces companies to pay money to regain access to their data
Blackmail, i.e., extorting businesses to pay to prevent the release of stolen sensitive data
Market attacks, like stock shorting or insider trading that is based on stolen information
Corporate espionage, based on stolen trade secrets
Cryptojacking, i.e., installing cryptocurrency mining software on compromised machines
“Hacktivism,” in which hackers defame brands in the name of a cause
Damaged brand image, for any company that’s had sensitive user data exposed
Government agencies are similar targets as businesses, but often with much more sensitive and important data. For example, a 2022 California Department of Justice breach leaked the names, addresses, and permit types of all conceal-carry permit holders in the state [*].
Types of data stolen
Personal data of employees, citizens, or government officials
Government or military secrets
Classified documents, sealed records, or other private data
Financial information, like account numbers of financial institutions
Potential risks
Exposing information of private citizens
Ransomware, forcing governments to spend taxpayer money
Disinformation, changing official data, or publishing falsehoods
Stolen funds from compromised financial accounts
For individuals
Nearly everyone has fallen victim to a data breach, even if you don’t know it. The most valuable use for this sensitive data is identity theft, in which a criminal fraudulently pretends to be you — typically for financial gain.
A 2022 report from IBM shows that the average breach worldwide costs $4.35 million — with an average of $9.44 million in the United States [*]. These figures can increase with ransomware threats. The average ransom paid in 2021 was $511,957 [*].
This average includes large-scale cyber attacks that aren’t applicable to small businesses. The data showed an average cost of $164 per compromised record.
So a small business that keeps information on 1,000 customers, employees, and suppliers could estimate the cost of a breach to be around $164,000.
These costs include the price of fixing the vulnerability, informing customers, losing business, and paying fines for violating laws like the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR).
And it’s not just companies that are affected. For 60% of the breached companies, those expenses resulted in higher prices trickling down to consumers.
PayPal, 35,000 accounts (January 2023). A credential-stuffing attack compromised the PayPal accounts of tens of thousands of users. While not as large in scope as some of the other data breaches, the direct access to victims' PayPal accounts makes this one of the worst data breaches of the year [*].
LinkedIn, 500 million (April 2021) and 700 million users (June 2021). LinkedIn suffered two data compromises in 2021. The first happened in April and exposed the data of 500 million users, and the second in June exposed the data of 700 million users — 92% of all users on the site [*].
Facebook, 533 million (April 2021). The personal data of over 500 million Facebook users was leaked on a hacking forum in April 2021 [*]. The data included users’ full names, phone numbers, email addresses, locations, and biographical information.
Android apps, 100+ million users (May 2021). In May 2021, Security firm Check Point Research discovered at least 23 popular Android apps with misconfigured database settings that let anyone pull data from the cloud [*]. Potentially exposed data included emails, passwords, dates of birth, payment information, phone numbers, locations, chat histories, photos, and more.
T-Mobile, 76.6 million users (August 2021). A hacker infiltrated T-Mobile servers in 2021 and exposed the names, driver's license numbers, SSNs, and device identification numbers of employees and current, former, and prospective customers [*].
Neiman Marcus, five million customers (September 2021). In September 2021, retailer Neiman Marcus discovered a data breach that had occurred in 2020 and exposed the names, contact information, and payment card details of almost five million customers [*].
Once your data has been breached, it can stay on the Dark Web indefinitely. You may also be the victim of these large attacks from years past:
Robinhood: five million affected users in November 2021[*]
Microsoft: 250 million breached customer service records in January 2020[*]
Marriott: 500 million affected customers in November 2018[*]
U.S. voter data: 198 million affected Americans in 2017[*]
Equifax: 147 million affected consumers in September 2017[*]
📌 Pro tip: Protect your entire family against losses and damages from identity theft and fraud. Every adult member on any Aura plan is covered by a $1,000,000 insurance policy for eligible losses due to identity theft.
Think Your Data Is at Risk? Do This
If you learn that you’ve been a victim of a data breach or see suspicious activity on your accounts and think that you may have been hacked, here’s what to do.
Confirm the breach and identify what data was leaked
State law requires companies to inform users of data breaches, but don’t trust an email by itself. Fraudsters use these messages as phishing attacks to steal your personal information.
Don’t click on links in any data breach notification — instead confirm it on news sites or the official company website. You can also learn if your data has been leaked using a Dark Web scan.
Once you know your data has been exposed in a security breach, change the password of the affected account and that of any other account that uses the same password.
Choose unique passwords that are at least 12 characters long and include numbers, symbols, and uppercase and lowercase letters. A password manager like the one that is included with every Aura plan can securely store all of your passwords, so you don’t have to remember each one.
If possible, set up two-factor authentication (2FA) for all sensitive accounts. Continue to monitor your accounts for unfamiliar logins, new transactions, or other signs that someone else has accessed them.
Affected companies may also send other specific follow-up instructions as part of their data breach response plan. These steps may not just contain an existing data security gaps but also prevent data breaches in the future.
Secure your credit
If personal data like your Social Security number has been leaked, criminals may apply for credit in your name. Secure your free credit reports from AnnualCreditReport.com and review it for any suspicious activity, such as new accounts, incorrect balances, or credit checks that you don’t recognize.
Also consider setting up a fraud alert or security freeze at the three major credit bureaus (Experian, TransUnion, and Equifax). If you set up a fraud alert, you only need to contact one bureau. To set up a freeze, you’ll need to contact all three credit reporting agencies.
If your data has been exposed in a breach, follow the specific recommendations for data breaches from the Federal Trade Commission (FTC) at IdentityTheft.gov/databreach.
If you know someone has already used your data fraudulently, report identity theft at IdentityTheft.gov and follow the prompts for next steps.
Also report the theft to the FBI’s Internet Crime Complaint Center at IC3.gov. Finally, file an identity theft report with local law enforcement for additional documentation that you may need during the recovery process.
✅ Take action: Aura’s $1,000,000 identity theft insurance covers lost wages, phone bills, and other expenses due to identity theft. Try Aura free for 14 days and see if it’s right for you.
Sign up for identity theft monitoring
Identity theft monitoring can help protect you by tracking your personal details across the Dark Web and alerting you of any suspicious activity.
Many companies offer free identity theft monitoring after a security breach, typically for one year. Consider this if it fits your needs.
Even if you’re not the victim of a data breach, consider protecting yourself with identity theft monitoring.
Some of the most critical tasks needed for cybersecurity protection are laborious or nearly impossible for humans to do. Imagine spending hours (or days) scanning credit statements, Dark Web archives, and up-to-date breach information.
That’s why millions of Americans use an identity and credit monitoring service like Aura. Aura protects your entire family — including children, who are particularly susceptible to identity theft.
Aura also secures your devices and Wi-Fi network from malware and phishing attacks so that you can continue to safely browse, bank, shop, and use social media online.
Editorial note: Our articles provide educational information for you to increase awareness about digital safety. Aura’s services may not provide the exact features we write about, nor may cover or protect against every type of crime, fraud, or threat discussed in our articles. Please review our Terms during enrollment or setup for more information. Remember that no one can prevent all identity theft or cybercrime.
Is this article helpful so far?
Yes
No
Skip
Need an action plan?
No items found.
Is your child ready for a cell phone? Take this quiz to find out.
The Dangers of Using Public Wi-Fi (and How To Stay Safe)
Public and unsecured Wi-Fi networks are convenient. But are they safe? Learn the 10 hidden dangers of unsecured and public Wi-Fi networks (and what to do).