Data breach

A data breach or data leak is an incident in which unauthorized persons gain access to a collection of data. In a broader interpretation, the term also includes the unwanted deletion of data (data loss).

Definitions

Data breaches are violations of data security and data protection in which state secrets, trade secrets or personal data are believed or proven to have become known to unauthorized parties. It does not matter whether the data exists in analog or electronic form. Data breaches include:

  • Deliberate or inadvertent unauthorized processing of data (e.g. data transfers),
  • Unauthorized actions that circumvent security measures for data processing,
  • Attacks on an organization's IT infrastructure.

The data can be lost in the original (for example, when storage media or files are lost, stolen or disposed of incorrectly) or as a copy (for example, through an intrusion into a server, the dissemination of accidentally published data, or the work of informants).

The U.S. Federal Information Security Management Act defines a data breach as follows:

In the Federal Data Protection Act, data breaches are defined indirectly through the duty to notify. Accordingly, a data breach occurs only if

Legal Significance

In some countries there is a duty to notify in the event of a data breach involving personal data. In these cases the affected persons, the supervisory authorities or the public must be informed. In business, however, publication is usually withheld when trade secrets are involved, in order to avoid reputational damage.

Situation in the European Union

Under the Telecoms Package, telecommunications service providers are required to inform the national regulatory authorities about data breaches. In serious cases the affected persons must also be notified directly.

Situation in Germany

Since 2009 the Federal Data Protection Act has imposed a duty to notify data breaches on private companies and on public enterprises competing in the market, where personal data are concerned. Companies that fail to comply with this notification duty commit an administrative offence, which can be punished with a fine of up to 300,000 euros. In special cases a higher fine or even a custodial sentence may be imposed. Public authorities are exempt from the notification duty.

The introduction of the notification duty has led to greater willingness among companies to prevent data leaks through appropriate IT security measures.

Situation in Austria

The Austrian Data Protection Act 2000 provides for a duty to notify when data from a data application "have been systematically and seriously used unlawfully and the data subjects are threatened with harm." Violations can be punished with a fine of up to 10,000 euros.

Situation in other countries

In the United States, the affected persons must be informed about a data breach involving personal data in all states except Alabama, Kentucky, New Mexico and South Dakota.

Detecting data breaches

Data breaches can be recognized either from within an organization or from the outside. Internally, this happens for example through staff interviews, audits of processes in which sensitive data is handled, analysis of server logs, observation of irregularities, or alerting mechanisms that trigger on unauthorized access. From the outside, information can come from third parties, through media reports, or through a complaint to the competent supervisory authority. So that reports from third parties are handled quickly and reliably, there should be defined reporting channels.
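As an added illustration of the server-log analysis mentioned above (example code written for this page, not from the original article), the following Python script parses constructed application log lines and flags two patterns that an internal review would look for: one account reading an unusually large number of distinct customer records within a short window, and record access outside business hours. The log format, thresholds, user names and addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical application log format.
SAMPLE_LOG = """\
2010-08-12 09:02:11 user=alice action=view record=cust/1001 src=10.0.0.5
2010-08-12 09:03:40 user=alice action=view record=cust/1002 src=10.0.0.5
2010-08-12 02:15:02 user=bob action=export record=cust/2001 src=198.51.100.7
2010-08-12 02:15:03 user=bob action=export record=cust/2002 src=198.51.100.7
2010-08-12 02:15:04 user=bob action=export record=cust/2003 src=198.51.100.7
2010-08-12 02:15:05 user=bob action=export record=cust/2004 src=198.51.100.7
2010-08-12 02:15:06 user=bob action=export record=cust/2005 src=198.51.100.7
2010-08-12 14:20:00 user=carol action=view record=cust/3001 src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) src=(?P<src>\S+)$"
)

def parse_log(text):
    """Parse log lines into dicts with a datetime timestamp; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events

def find_suspicious(events, max_records=3, window_s=60, hours=(7, 20)):
    """Return users who bulk-read records within window_s seconds or act off-hours.

    Thresholds are assumed values; tune them to the application's normal usage."""
    bulk, off_hours = set(), set()
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
        if not (hours[0] <= e["ts"].hour < hours[1]):
            off_hours.add(e["user"])
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0  # left edge of the sliding time window
        for i, e in enumerate(evs):
            while (e["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if len({x["record"] for x in evs[start:i + 1]}) > max_records:
                bulk.add(user)
                break
    return {"bulk_access": bulk, "off_hours": off_hours}
```

Running `find_suspicious(parse_log(SAMPLE_LOG))` flags only `bob`, whose five exports in four seconds at 02:15 match both patterns, while the normal daytime lookups by `alice` and `carol` pass.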

Consequences

Data breaches generally have negative consequences. For the party responsible, and where personal data are concerned also for those affected, these may be economic disadvantages or reputational damage. In a few cases a data breach can have positive consequences, for example when, similar to whistleblowing, important information that was being withheld from the public is revealed.

According to the Ponemon study, the average cost per data breach in Germany has risen every year since 2008. In 2010 it stood at 3.4 million euros. Of this, 1.5 million euros were attributable to immediate loss of business, 0.9 million euros to lost customers and missing new customers due to the resulting reputational damage, 0.7 million euros to detecting the data breach, and 0.2 million euros to notifying the persons concerned. Since the introduction of the notification duty in 2009, costs rise significantly when a data breach is responded to too slowly or inadequately.

If personal data are affected by a data breach, there is a risk of identity theft. Criminals may further enrich the data through phishing. Those affected can then suffer major financial and personal damage.

Significant incidents

Tracking server of the customs administration (July 2011) - Crackers gained access to a server of the German Federal Customs Administration. Movement profiles and access data for eavesdropping devices used on suspects were stored on it and were published.

Sony service data (April 2011) - On several occasions, personal data of Sony customers were copied from various servers of the company. More than 100 million people were affected by the incidents. The perpetrators also obtained the credit card data of many customers. (see hacker attacks on Sony)

Schlecker customer data (August 2010) - Unknown persons gained access to a customer database of the drugstore chain Schlecker. In this way they obtained 150,000 address records, 7 million e-mail addresses and customer profiles of the persons concerned. The affected system belonged to the IT service provider artegic, which had provided a service for the company. Statement: "The media reports that customer data of the online portal www.schlecker.com were publicly accessible are not correct. ... Nor was the incident due to a vulnerability in artegic's systems or software." (see History of Schlecker)

Social network SchülerVZ (October 2009) - Unknown persons used several vulnerabilities to read data, including profiles set to "private", from the social network schülerVZ and store it in an easily searchable database. More than 1.5 million pupils were affected. Unlike a similar case at StudiVZ, this case was highly explosive because personal data of minors were affected. (see privacy in SchülerVZ)

Credit card data of LBB (December 2008) - Microfiches with accounting data of Amazon and ADAC credit cards went to the wrong recipient during transport from the IT service provider AtosWorldline to Landesbank Berlin (LBB). Employees of a courier company allegedly opened and emptied a Christmas package addressed to an editor of the Frankfurter Rundschau. To cover up their act, they are said to have swapped the then-empty package for one of six packages addressed to LBB. This data breach therefore also became known as the "data tunnel". (see alleged data theft at LBB)

Telekom customer data (October 2008) - As early as 2006, 17 million customer records had been stolen from Deutsche Telekom. According to Telekom they were no longer in circulation, yet in 2008 they reappeared with address dealers. The data are believed to have leaked through a call center. (see Obermann era at Deutsche Telekom)

German population registers (June 2008) - Through tracing of address trading it was noticed that several German registration offices used software with online access whose password had not been changed after installation. Using the manufacturer's default password, which was available on the internet, criminals obtained access to approximately 400,000 financial data records.

British child benefit database (November 2007) - CDs with the data of 25 million child benefit recipients were lost in the mail between two British authorities.

Credit card data from TJX (March 2007) - 45.7 million credit and debit card records were stolen from the American retail group TJX Companies.

AOL research database (August 2006) - For research purposes, the internet provider AOL had logged the complete surfing behavior of its users in anonymized form. The 0.5 million records accumulated from March to May 2006 were published by mistake on the company's website. In some cases the profiles were easy to deanonymize based on the search queries.

Credit card data from MasterCard and Visa (June 2005) - Through a theft at the U.S. billing service provider Card Systems Solutions, 40 million credit card records came into circulation. Among those affected were customers of MasterCard and Visa.
