October 12, 2022
What is data leakage, and how do you prevent it?
Your IT security can become an easy target for attackers because of a data leak, so you must know what it is and how to reduce it from happening to your organisation’s data.
What is data leakage?
A data leak occurs when private information doesn’t stay private. Or put more technically: when confidential information is disclosed to unintended recipients. This could be individuals or organisations that were not intended to receive it, such as hackers, third parties or the general public.
Data leaks can occur through cyber-attacks (malicious hacks to cause disruption, or gain access to confidential information), or via human error. If by human error, typical causes can be categorised into security misconfigurations or accidental disclosure.
A few examples are:
- Misconfigured cloud storage (e.g., Amazon AWS EC2 buckets)
- Unprotected databases
- Unprotected APIs (the backend plumbing of an application)
- Devices and/or removable storage that was misplaced (e.g., left on a train)
What can be leaked?
Once data has been leaked, it is often sold and traded on the dark web forums many times. Whitehat hackers (the good hackers!) may purchase it from the dark web forums to publicise to you that your data is leaked. For many organisations, this might be the first time they know their data has been leaked – and yet it has already been sold and traded many times.
Perhaps the most dangerous data to leak is passwords. Collections of password lists and databases are often sold on the dark web so that other attackers may gain access to your account. This is why multi-factor authentication (MFA) is so important – because if your password is leaked to an attacker – then the attacker can also log in as you and impersonate you unless there’s another factor they have to prove. The second factor could be asking the user to present a physical USB key or employee ID card, fingerprint or facial biometrics. See our blog on the subject for more.
Whitehat hackers will publish password lists they find on websites and other services so that you know if your passwords have been leaked. An example can be found here. If you see your password has been leaked on that website, change your passwords as soon as possible.
The real impact of a leak
Whether, passwords or real data, it is extremely difficult to know who has access to it once it has been leaked, and what they might use it for. The impact of a leak is likely not the immediate loss of a copy of the confidential data. But rather what the attacker gains by knowledge of the secrets.
Depending on the type of data leaked, and the motivation of the attackers, it could be used for:
- Marketing products for advertising purposes
- Lures for launching future cyber attacks
- Doxxing (a form of cyber bullying where you deliberately publicly leak personal information)
- Spying/ intelligence gathering
Any personal data leaked to the general public by your business will have to be reported to the regulatory authorities if your business operates in a regulated industry. This is the case regardless of whether the data was used for illegal activities.
Because of this, you should take data leaks very seriously to avoid suffering any reputational or financial damage on top of the direct harm they incur.
How can you prevent disclosure?
Since knowing who has your data and what their intentions are, is almost impossible after a leak has occurred, most strategies for data leakage prevention start with reducing the risk of the leak happening in the first place. To do this a good place to start is a cyber assessment. This will typically be to discover what data assets you have (both those that you know about now as well as those that you didn’t know about before), and categorise them in terms of data leak sensitivity.
The results of those assessments are used to define policies and procedures, and then implement tighter security controls to reduce the likelihood that a leak will occur.
Don’t collect what you don’t want to leak
Prevention is always better than containment. If you can avoid collecting and storing sensitive data in the first place, do that. If you don’t store it, you can’t leak it.
Know what you have
Making a policy not to collect particularly sensitive information is one thing. Knowing that you don’t is another. Sensitive Data Discovery cannot be a one-time action. You need to do it continuously to know if you are inadvertently collecting valuable information, you didn’t know about.
If you must store it, then restrict access to it. And evaluate all the ways that people and machines can access it. Limiting the number of ways and the number of things (users and machines) that have access to your sensitive data will likely lower the chance that it will be compromised. We recommend doing this by adopting a Zero Trust approach to your data access.
Where you do grant access, grant the least possible trust you can. This might be avoiding showing all the sensitive data to a user who has been granted access. This might be showing only the last 3 digits of a card number, or rate limiting the number of card numbers that can be seen per minute.
It is always a good idea to encrypt your sensitive information before storing or sending it over the internet. It is especially important to keep this in mind when it comes to storing sensitive information in the cloud.
Users frequently store confidential information on their portable electronic devices. You are going to require a solution that, in addition to device management policies, monitors and controls not only the devices but also the individuals who are using the devices.
Our expert team of cyber security consultants develops industry standards, frameworks and best practices by actively contributing to the National Institute for Standards in Technology (NIST), the Cloud Security Alliance (CSA) and Zero Trust working groups.
We can provide you with:
- Cutting edge zero trust strategy, and policy refresh
- Help you uncover where your gaps are
- Give you insight into the latest disruptive cyber technologies and provide the best solutions that integrate and improve your security posture.
For more information about data leakage and how our data leak protection strategies can help you, get in touch with us today.