Data breach

from Wikipedia, the free encyclopedia


A data breach or leak is an incident in which unauthorized persons gain access to a data collection. If the term is interpreted broadly, it also includes the undesired deletion of data (data loss).

Definitions

Data breaches are violations of data security and data protection in which state secrets, trade secrets or personal data have presumably or demonstrably become known to unauthorized persons. It does not matter whether the data is in analog or electronic form. These include:

  • deliberate or inadvertent unauthorized processing of data (e.g. data leakage),
  • unauthorized activities to circumvent security measures during data processing,
  • attacks on a company's IT infrastructure.

The data can be lost as the original (e.g. when storage media or files are lost, stolen or improperly disposed of) or as a copy (e.g. through intrusion into a server, distribution of accidentally published data or the work of informants).

The US Federal Information Security Management Act defines data breaches as follows:

The term “data breach” means the loss, theft, or other unauthorized access, other than those incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.
(In other words: a data breach is the loss, theft or other unauthorized access, other than that incidental to an employment relationship, to data containing sensitive personal information in electronic or printed form, insofar as this endangers the confidentiality or integrity of the data.)

In the German Federal Data Protection Act (BDSG), data breaches are defined indirectly through the duty to inform. Accordingly, a data breach exists only if

1. special categories of personal data (Section 3 (9) BDSG),
2. personal data that is subject to professional secrecy,
3. personal data relating to criminal acts or administrative offenses, or to the suspicion of criminal acts or administrative offenses, or
4. personal data on bank or credit card accounts
have been unlawfully transmitted or have otherwise unlawfully come to the knowledge of third parties [...]

Legal meaning

In some countries there is an obligation to give notice in the event of a breach of personal data. In these cases, those affected, the supervisory authorities or the public must be notified. By contrast, companies usually do not disclose breaches that involve trade secrets, in order to avoid damage to their reputation.

Situation in the European Union

Under the EU telecoms package, telecommunications service providers are obliged to inform the national regulatory authorities about data breaches. In severe cases, the persons concerned must be notified directly.

Since May 25, 2018, there has been an obligation to report data breaches in accordance with Article 33 of the General Data Protection Regulation (GDPR) in all member states.

Situation in Germany

Since 2009, the Federal Data Protection Act has imposed a duty to inform on private companies and on public-law enterprises operating in competition, if personal data is affected. Companies that do not comply with this duty commit an administrative offence, which can result in a fine of up to EUR 300,000. In special cases, a higher fine or even a prison sentence can be imposed. Public authorities have so far been exempt from the duty to inform.

The introduction of the duty to provide information has made companies more willing to prevent data breaches through appropriate IT security measures.

Since the implementation of the GDPR, there has also been a much more comprehensive reporting obligation in the event of data breaches. Articles 33 and 34 regulate the handling and reporting of data breaches. Now every data breach that is likely to lead to a risk for the person concerned must be reported promptly (usually within 72 hours) to the responsible supervisory authority.

Situation in Austria

The Austrian Data Protection Act 2000 also provides for a duty to inform if data from a data application has "been used systematically and seriously unlawfully and threatens harm to those affected". A violation can result in a fine of up to 10,000 euros.

Situation in other countries

In the United States, in all states except Alabama, Kentucky, New Mexico and South Dakota, data subjects must be notified of a data breach if personal information is involved.

Detecting data breaches

Data breaches can be detected either within an organization or reported to it from outside. Internally, detection takes place, for example, through employee interviews, reviews of processes in which sensitive data is handled, evaluation of server logs, observation of irregularities, or alerting mechanisms for unauthorized access. From outside, information can come from third parties, through media reports or through reports to the responsible supervisory authority. A defined reporting channel should exist so that reports from third parties can be processed quickly and reliably. To reduce the risk of data breaches, it is advisable to choose complex passwords, install security updates regularly and enable two-factor authentication where available.
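As an added illustration (not part of the original article) of the internal detection route via server logs and alerting on unauthorized access, the following Python script scans constructed web-server access-log lines for two indicators: a login that succeeds right after a run of failures, and one client retrieving an unusual number of customer records. The log format, the paths `/login` and `/customers/<id>`, and the thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Simplified Apache/nginx "combined"-style access line (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$')
FAILED_LOGINS = 5   # 401s on /login before a 200 from the same client (assumed threshold)
BULK_RECORDS = 3    # distinct customer records fetched by one client (toy threshold)

def parse(line):
    # Return the fields of one log line, or None if it does not match the format.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    # Scan lines in order; return (rule, client_ip, count) tuples for each alert.
    fails = defaultdict(int)     # ip -> consecutive failed logins so far
    records = defaultdict(set)   # ip -> distinct /customers/<id> paths fetched
    alerts = []
    for line in lines:
        e = parse(line)
        if e is None:
            continue  # skip unparseable lines rather than abort the scan
        ip, path, status = e["ip"], e["path"], e["status"]
        if path == "/login":
            if status == "401":
                fails[ip] += 1
            elif status == "200":
                # Success right after many failures: possible credential guessing.
                if fails[ip] >= FAILED_LOGINS:
                    alerts.append(("login-after-failures", ip, fails[ip]))
                fails[ip] = 0
        elif path.startswith("/customers/") and status == "200":
            records[ip].add(path)
            if len(records[ip]) == BULK_RECORDS:   # fire once per client
                alerts.append(("bulk-record-access", ip, BULK_RECORDS))
    return alerts

def _line(ip, sec, method, path, status):
    return f'{ip} - - [12/Mar/2024:09:01:{sec:02d} +0100] "{method} {path} HTTP/1.1" {status} 512'

# Constructed sample log: one client fails five logins, succeeds, then pulls three
# customer records; a second client performs a single, unremarkable lookup.
SAMPLE_LOG = (
    [_line("10.0.0.5", i, "POST", "/login", 401) for i in range(5)]
    + [_line("10.0.0.5", 5, "POST", "/login", 200)]
    + [_line("10.0.0.5", 6 + i, "GET", f"/customers/{1000 + i}", 200) for i in range(3)]
    + [_line("10.0.0.9", 20, "GET", "/customers/1000", 200)]
)
```

Running `detect(SAMPLE_LOG)` yields one alert for each rule against client 10.0.0.5 and none for 10.0.0.9; in practice the thresholds would be tuned to the application's normal traffic.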

Consequences

Average cost of a data breach in Germany (according to the Ponemon study)

Data breaches usually have negative consequences. For those responsible for the breach and, where personal data is concerned, also for those affected, these may be economic disadvantages or reputational damage. In a few cases, data breaches can also have positive consequences, for example when, similar to whistleblowing, important information that was withheld from the public is revealed.

According to the Ponemon study, the average cost per data breach in Germany has increased every year since 2008. In 2010 it was 3.4 million euros. Of this, 1.5 million euros was attributable to the immediate loss of business, 0.9 million euros to lost customers and foregone new customers due to reputational damage, 0.7 million euros to detecting the data breach and 0.2 million euros to notifying those affected. Since the introduction of the duty to inform in 2009, costs rise significantly if the response to a data breach is too slow or inadequate.

If personal data is affected by a data breach, there is a risk of identity theft. Criminals may enrich the data further through phishing. Those affected can then suffer considerable financial and personal damage.

Major incidents

Buchbinder customer data (2019) - A data leak at the car rental company Buchbinder was discovered shortly before Christmas 2019 and is considered "one of the largest data leaks in the history of the Federal Republic of Germany". Personal data and documents of around three million customers, spanning a total of 18 years, were freely accessible on the Internet.

Yahoo accounts (2013/2017) - Due to weaknesses in the architecture of the e-mail provider Yahoo, around three billion account records could be queried.

WikiLeaks cables (September 2011) - Due to a lack of communication between a Guardian journalist and WikiLeaks founder Julian Assange, the password to an encrypted file available on the Internet was published. The file contained the unredacted version of the embassy cables and thus, among other things, the names of informants. (see data breach at WikiLeaks)

Customs tracking server (July 2011) - Attackers gained access to a server of the German Federal Customs Administration on which movement profiles of suspects and access data for surveillance devices were stored; this data was published.

Sony customer data (April 2011) - On several occasions, personal data of Sony customers was copied from various servers of the company. Over 100 million people were affected by the incident. The perpetrators also obtained the credit card details of many of the victims. (see hacker attacks on Sony)

Schlecker customer data (August 2010) - Unknown persons had access to a customer database of the Schlecker drugstore chain. They obtained 150,000 address records, 7 million e-mail addresses and the customer profiles of the persons concerned. The IT service provider Artegic, which provided a service for the company, was affected. Artegic commented: "As reported by the media, customer data from the online portal www.schlecker.com was publicly available. This is not correct. ... The incident was also not a security gap in the systems or software of artegic." (see history of Schlecker)

Social network SchülerVZ (October 2009) - Unknown persons exploited several security vulnerabilities to, among other things, read data marked as "private" from the social network schülerVZ and store it in easily searchable databases. More than 1.5 million pupils were affected. Unlike a similar case at studiVZ, this case was particularly sensitive because personal data of minors was affected. (see privacy at SchülerVZ)

LBB credit card data (December 2008) - Microfiches with billing data for Amazon and ADAC credit cards were delivered to the wrong recipient during transport from the IT service provider AtosWorldline to Landesbank Berlin (LBB). Employees of a courier service allegedly opened and emptied a parcel containing a Christmas stollen that was addressed to the editor-in-chief of the Frankfurter Rundschau, and are said to have swapped the emptied parcel for one of six parcels addressed to LBB in order to cover up their act. This data breach therefore also became known under the catchphrase "data tunnel". (see alleged data theft at LBB)

Telekom customer data (October 2008) - In 2006, 17 million customer records were stolen from Deutsche Telekom. According to Telekom, these were no longer in circulation, yet they reappeared in 2008 via address dealers. The data presumably leaked through a call center. (see Obermann era at Deutsche Telekom)

German population registers (June 2008) - Investigation of the address trade revealed that several German residents' registration offices were using software with online access whose password had not been changed after installation. Using the software manufacturer's default password, which was available on the Internet, criminals gained access to around 400,000 registration records.

UK child benefit database (November 2007) - CDs containing the data of 25 million child benefit recipients were lost in the post between two British authorities.

TJX credit card data (March 2007) - 45.7 million credit and debit card records were stolen from the American retail group TJX Companies.

AOL research database (August 2006) - For research purposes, the Internet provider AOL logged the entire browsing behaviour of its users in anonymized form. The 0.5 million records generated from March to May 2006 were accidentally published on the company's website. Some of the profiles were easy to de-anonymize based on the search queries.

MasterCard and Visa credit card data (June 2005) - 40 million credit card records were exposed through a theft at the US billing service provider Card-Systems Solutions. Customers of MasterCard and Visa, among others, were affected.

Web links

Wiktionary: data spill - explanations of meanings, word origins, synonyms, translations
