The differences between data theft, data leak and data loss
Anyone involved in data security or data handling MUST understand the semantic difference between data theft, data leak and data loss. Many of us are guilty of using these terms interchangeably. So why the pedantry?
Because they refer to
- different attacks
- on different types of data
- with different breach impacts on a business
The key takeaway is that these different attack types require different defence mechanisms.
Demystifying Data Loss Terminology
Data Loss
Data loss is an umbrella term used to describe unintentional (data leak) or deliberate (data theft) exposure of data. This could be data held on a device, on a network, or in the cloud.
Undoubtedly data loss can have negative impacts on a business (see below). But the converse also holds: studies have shown that customer loyalty is related to a business's ability to demonstrate that it takes the protection of the customer's data seriously, and a client is often prepared to pay a premium for that protection.
So how can businesses show their commitment to customer data protection? Smaller businesses will typically aim to obtain Cyber Essentials certification. Larger businesses might adopt a framework such as ISO27001, the most widely adopted information security management standard in the world. Cyber Essentials is a set of baseline technical controls, whereas ISO27001 is a management system standard; both are used to demonstrate compliance to customers. There is no demarcation point stating that once a company grows beyond X users it should move up to ISO27001.
Cyber Essentials is a UK government-backed scheme (owned by the National Cyber Security Centre and delivered by IASME) that aims to minimise the likelihood and impact of common cyber-attacks on DIGITAL assets, typically those connected to the Internet. It is commonly used to demonstrate a company's baseline cyber security compliance to its customers.
ISO27001 is a globally recognised standard for an information security management system (ISMS) covering ALL of an organisation's information assets, not only digital ones. ISO27001 certification can be used to demonstrate an advantage over a competitor when vying for a customer's business. British Assessment explains this in more detail.
Data Breach
A breach occurs when access to sensitive data is gained by either an unauthorised person or an unauthorised application such as malware.
This covers
- data accessed within a company's secure internal network by an external party, even if the data has not been exfiltrated
- or actual data exposure outside of the secure perimeter, such as to the Internet or a cloud service.
A breach becomes data loss when data has been removed from its secure holding.
A breach can involve any type of data asset, such as Personally Identifiable Information (PII), business-sensitive data, or intellectual property. There are different legal and best practice requirements in protecting these different sorts of data.
Breach example – Equifax
Probably the most well-known data breach is the 2017 cyberattack on Equifax, a credit reporting agency. The personal data of roughly 147 million people was exposed, including names, addresses, and social security numbers. In 2019 Equifax agreed a settlement of up to $700 million with the US Federal Trade Commission, the Consumer Financial Protection Bureau and US states, including compensation for the victims. Additionally, Equifax's stock dropped 31% post-breach.
The differences between data THEFT and Data LEAK
Both data leak and data theft are sub-categories of data loss. Put another way, there are two distinct types of data loss.
The difference between these two types of loss is important. They refer to different attack intentions, on different types of data, with different impacts on a business. Most importantly, the cyber defence strategy is different in each case.
Definition of Data Leak
Behind the loss: A data leak is the unintentional, accidental disclosure of data, usually due to human error. Often the cause of a leak is a user’s lack of understanding of data protection, or the data handling requirements for how the data has been classified (public, internal-only, confidential or restricted).
Type of data: This is usually PII (email addresses, telephone numbers, credit card details, social security or national insurance numbers, religion, etc.) emailed to an unintended third party, or posted to social media or a web forum.
Protection requirement: PII is legally protected by country-defined data protection laws. In the EU, GDPR governs the processing of EU residents' personal data, regardless of where the processing organisation is located. Some data is protected by contractual industry standards rather than by law: PCI-DSS is a global standard for protecting payment card data, enforced by the major card brands through their contracts with acquirers and merchants.
Breach impact: Any UK business that believes it may have disclosed PII to an unauthorised body is legally obliged to notify the Information Commissioner's Office of the breach, within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to the individuals concerned. This could result in a monetary fine, or merely a reprimand, depending on the volume of data breached and the impact on the individuals concerned.
Cyber defence strategy: Leaks can be mitigated through user training and a strong cyber awareness culture within a company. Data Loss Prevention (DLP) software, such as Microsoft Purview, inspects outbound email for PII and other classified content before it leaves the organisation.
Leak example – Police Service of Northern Ireland
In August 2023, the surnames, initials, ranks and work locations of around 10,000 Police Service of Northern Ireland officers and staff were accidentally published in a freedom of information response. The repercussions were not only severe corporate reputational damage and loss of public trust, but put the lives of serving police officers in danger. The leak came weeks after the theft of a police-issue laptop and documents containing the names of more than 200 staff, and a separate incident in which a police-issue laptop fell from the roof of a moving police vehicle.
Definition of Data Theft
Behind the loss: Data theft is the intentional, deliberate attempt to exfiltrate data. It could be carried out by an external attacker, by malware, or by an insider (such as a disgruntled contractor, or an employee with an agenda). Theft can be physical (data copied to a thumb drive or printed out and removed) or digital (such as data obtained through social engineering, or documents exfiltrated via a backdoor).
Type of data: This is the theft of valuable, sensitive, business-proprietary data or intellectual property such as customer lists, financial statements, trade secrets, etc. The objective is to sell the data on the dark web, hold the data to ransom, or disrupt the company. Theft opportunities arise from vulnerabilities or misconfigurations in hardware or software. Today we are increasingly seeing politically motivated, or state-sponsored, data theft.
Protection requirement: Unless specific industry regulations insist, there is no legal requirement to protect, or to declare the loss of, this type of data. Note, however, that if the stolen data also contains PII, the notification duties described under data leak still apply.
Breach impact: The consequences of loss of this type of data can be severe. It can lead to financial loss, corporate reputation or brand impact, or organisational downtime. Often a company will avoid publicly declaring a data theft to protect its brand and the associated revenue. However, the brand impact can be higher if a third party is the one to disclose that the business has been subject to theft.
Cyber defence strategy: PREVENTION is the best defence against data theft, as mitigation comes too late in the cyber kill chain. Prevention involves monitoring egress data and blocking sensitive data from leaving a device before the exposure becomes a breach.
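Both "Cyber defence strategy" paragraphs above (DLP inspection of outbound email for PII, and egress monitoring that blocks sensitive data before it leaves a device) rest on the same mechanism: content inspection of outbound messages against patterns and classification labels. The following is an added example, not code from the original page or from any DLP product, showing how such a check works in Python. The pattern set, the Luhn validation of card numbers (used to avoid flagging random 16-digit order numbers), the policy rules, the domain `example.com` and the sample messages are all constructed assumptions for illustration.

```python
"""Added example: a minimal egress content-inspection check of the kind a DLP
product applies to outbound mail. Not the page's or any vendor's code; the
patterns, policy and sample messages are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Candidate payment card numbers: 13-19 digits, optionally space/dash separated.
# Every candidate is validated with the Luhn checksum afterwards.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# UK National Insurance number: two letters (restricted alphabet), six digits, suffix A-D.
UK_NINO = re.compile(r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")

# Assumed classification labels that must never leave the organisation by email.
CLASSIFICATION_BLOCKED = {"confidential", "restricted"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                          # "allow", "quarantine" or "block"
    findings: list = field(default_factory=list)   # (kind, masked value) pairs


def inspect_outbound(message: str, sender_domain: str, recipients: list,
                     classification: str = "internal") -> Verdict:
    """Decide whether an outbound message may leave the organisation."""
    findings = []
    for m in CARD_CANDIDATE.finditer(message):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", digits[-4:]))        # log last four only
    for m in UK_NINO.finditer(message):
        findings.append(("nino", m.group()[:2] + "******" + m.group()[-1]))
    # Third-party addresses in the body are a weaker signal (possible customer
    # data); the organisation's own addresses in signatures are ignored.
    for m in EMAIL.finditer(message):
        if not m.group().lower().endswith("@" + sender_domain):
            findings.append(("email", m.group()))

    external = [r for r in recipients if not r.lower().endswith("@" + sender_domain)]
    if not external:
        return Verdict("allow", findings)     # stays inside the perimeter
    if classification.lower() in CLASSIFICATION_BLOCKED:
        return Verdict("block", findings)     # label alone is decisive
    if any(kind in ("pan", "nino") for kind, _ in findings):
        return Verdict("block", findings)     # regulated PII to an outsider
    if findings:
        return Verdict("quarantine", findings)   # hold for human review
    return Verdict("allow", findings)


# Constructed sample traffic: (body, recipients, classification).
SAMPLES = {
    "leak_to_outsider": (
        "Hi Bob, charge the card 4111 1111 1111 1111, exp 12/27. "
        "Customer NI number AB123456C.", ["bob@gmail.com"], "internal"),
    "same_content_internal": (
        "Charge the card 4111 1111 1111 1111.", ["alice@example.com"], "internal"),
    "order_number_not_a_card": (
        "Order 4111111111111112 shipped to alice@gmail.com.",
        ["partner@supplier.co.uk"], "internal"),
    "labelled_confidential": (
        "Board pack attached.", ["ceo@other.org"], "confidential"),
}


def run_samples(sender_domain: str = "example.com") -> dict:
    """Inspect every constructed sample and return name -> Verdict."""
    return {name: inspect_outbound(body, sender_domain, rcpts, label)
            for name, (body, rcpts, label) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:26} {verdict.action:10} {verdict.findings}")
```

The point of the Luhn step is false-positive control: a bare 16-digit regex fires on tracking and order numbers, which trains users to click through warnings. Real DLP products add many more detectors (document fingerprints, exact data matching, OCR of attachments) but the allow / quarantine / block decision structure is the same.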
Theft example – LastPass
A recent high-profile data theft was of LastPass password vault data in 2022. In a highly targeted attack, a vulnerability in a third-party application on a DevOps engineer's home computer gave the attackers a foothold on that device, from which they obtained credentials to the company's cloud storage and copied customers' encrypted vault backups. Security researchers have since linked the theft to cryptocurrency heists in which roughly $35 million was stolen from victims, apparently by cracking weak master passwords offline.
Conclusion
Any business that strives to have a robust data protection strategy must understand the different data loss nomenclatures.
The takeaway from reading this should be that data leak and data theft are different exposure risks to different types of data. Therefore, a holistic approach is needed for protection, with different tools to protect each type of data. Neglecting one type of data in favour of the other could be the mistake that turns into a breach.
Learn more about how a robust outbound data strategy can enhance your cyber defence posture.