
How Do Hackers Gain Access to Computer Systems?

by John DiGiacomo, Partner

For many, system hacking is a foggy concept, and few know how hackers actually gain access to computer systems. Cyber attacks have been evolving for decades. Early hackers, driven by exploratory curiosity, accessed systems without permission simply to see whether they could. Over time, hacking has turned into aggressive intrusion into computer systems for ill-gotten profit. Today hackers target vulnerable systems and mine them for data that can be used to make or steal money, or to commit fraud.

How Do Hackers Gain Access to Computer Systems?

Hackers use a multitude of techniques to breach vulnerable computer systems, according to an article in Scientific American. Multi-vector attacks are increasingly common, meaning that hackers combine several channels to gain unauthorized access: the target's internet-facing services, email, malicious files, and forged cookies are all used to compromise data systems and gather useful and lucrative data. Cyber criminals often employ advanced, persistent attacks to compromise a system and then mine it for valuable data such as personal identifying information, credit card payment information, and usernames and passwords.

Successful cyber attacks are well planned, methodical, and can take a long time to carry out. Hackers who are patient and work slowly to gain access are less likely to be detected. When an intrusion is finally detected, it is usually discovered that the hacker has had access to the system for a long time before the discovery; it is not uncommon for a hacker to have been secretly accessing a computer system for months, or even years, before being found out.

Hackers usually start by identifying a system with vulnerabilities they can exploit. Next, they gain access and test that access repeatedly to make sure they can come and go without detection. Once the hacker can reliably get in, the hacker identifies useful information in the system and collects it, at which point the system has been breached. Hackers usually employ some form of malware to automate the data collection.

Do Everything You Can to Protect Yourself and Your System

Cyber security measures go a long way towards protecting your computer systems from being attacked and exploited. Consistent use of firewalls, anti-virus software, and prompt software updates removes many of the vulnerabilities in your systems. Equally essential is educating everyone who has authorized access to your systems about the cyber threats that exist and how to recognize them. We have written previously on security best practices in an earlier post.

Common Hacking Techniques and the Legal Exposure They Create

Understanding how hackers gain access to computer systems is only half the picture. The other half is understanding what legal obligations arise when an unauthorized intrusion succeeds. The method of attack directly affects both the liability analysis and the applicable legal requirements.

Phishing and Social Engineering

Phishing attacks remain the most common initial access vector in corporate data breaches. In a phishing attack, the hacker sends a fraudulent email designed to trick a recipient into clicking a malicious link or opening a malware-laden attachment. Spear phishing — targeted phishing directed at specific individuals within an organization — is increasingly common in attacks against businesses. According to the Verizon Data Breach Investigations Report, phishing is involved in a substantial majority of breaches that use social engineering as the entry point.

From a legal perspective, a business whose employee falls victim to a phishing attack is not automatically absolved of liability for the resulting breach. Courts and regulators analyze whether the business provided adequate security awareness training, whether it maintained email filtering and anti-phishing controls, and whether its overall security posture was reasonable given the known prevalence of phishing attacks. A business that never trained its employees to recognize phishing emails faces significant legal exposure when a phishing-caused breach occurs.

Credential Stuffing and Brute Force Attacks

Credential stuffing attacks use large datasets of previously stolen username-and-password combinations, sold on dark web marketplaces, to attempt logins at other services. Because many users reuse passwords across multiple accounts, credential stuffing is highly effective. Note that credential stuffing spreads its attempts across many accounts, typically one or two guesses per account, so a per-account lockout policy tuned for brute force will rarely trigger; detection has to look at the source (one IP address or client hitting many different usernames) and at logins using known-breached credentials. A lockout threshold that is too aggressive also lets an attacker lock legitimate users out of their own accounts. A business that does not implement multi-factor authentication, monitor for anomalous login activity, or enforce lockout or rate limiting after repeated failed logins may be found to have implemented insufficient security for the sensitivity of the data it holds.
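To make that distinction concrete, here is an added example, not code from the original post or from Revision Legal, of the detection logic the paragraph above calls for, run over a handful of constructed authentication log lines. The log format, field names, IP addresses, usernames and thresholds are all assumptions made for illustration.

```python
"""Credential stuffing vs. brute force in authentication logs.

Added example for this post; not code from the original page or from
Revision Legal. The log format, thresholds, IP addresses and usernames
below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log: "<timestamp> <client_ip> LOGIN <username> <result>".
# 203.0.113.7 tries one password against six different accounts (stuffing);
# 198.51.100.4 hammers a single account (brute force).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 LOGIN alice FAIL
2024-03-01T10:00:02Z 203.0.113.7 LOGIN bob FAIL
2024-03-01T10:00:02Z 203.0.113.7 LOGIN carol FAIL
2024-03-01T10:00:03Z 203.0.113.7 LOGIN dave FAIL
2024-03-01T10:00:03Z 203.0.113.7 LOGIN erin FAIL
2024-03-01T10:00:04Z 203.0.113.7 LOGIN frank SUCCESS
2024-03-01T10:05:10Z 198.51.100.4 LOGIN alice FAIL
2024-03-01T10:05:20Z 198.51.100.4 LOGIN alice FAIL
2024-03-01T10:05:30Z 198.51.100.4 LOGIN alice FAIL
2024-03-01T10:05:40Z 198.51.100.4 LOGIN alice FAIL
2024-03-01T10:05:50Z 198.51.100.4 LOGIN alice FAIL
2024-03-01T10:06:00Z 198.51.100.4 LOGIN alice FAIL
2024-03-01T10:07:00Z 192.0.2.9 LOGIN grace SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) LOGIN (\S+) (SUCCESS|FAIL)$")


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "ip": m.group(2),
                           "user": m.group(3), "ok": m.group(4) == "SUCCESS"})
    return events


def stuffing_sources(events, min_distinct_users=5):
    """Credential stuffing signature: one source, many DIFFERENT usernames failing.

    A per-account lockout never fires here because each account sees only
    one or two attempts, so the source has to be the unit of detection."""
    failed_users = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failed_users[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed_users.items()
            if len(users) >= min_distinct_users}


def brute_force_targets(events, max_failures=5):
    """Brute force signature: repeated failures against the SAME username.

    This is the pattern an account-lockout policy is designed to catch."""
    failures = defaultdict(int)
    for e in events:
        if not e["ok"]:
            failures[e["user"]] += 1
    return {user: n for user, n in failures.items() if n > max_failures}


def successes_from_stuffing(events, stuffing_ips):
    """Successful logins from an already-flagged stuffing source are the
    accounts to treat as compromised (a reused password was hit)."""
    return [(e["ip"], e["user"]) for e in events
            if e["ok"] and e["ip"] in stuffing_ips]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    stuffing = stuffing_sources(ev)
    print("stuffing sources:", stuffing)
    print("brute-forced accounts:", brute_force_targets(ev))
    print("accounts to treat as compromised:", successes_from_stuffing(ev, stuffing))
```

Run stand-alone, it flags 203.0.113.7 as a stuffing source, alice as the brute-forced account, and frank as the account to treat as compromised. The point to notice is that alice is the only account a per-account lockout would ever catch; the stuffing source never trips it and still gets into frank's account, which is why monitoring by source and checking for breached credentials are the controls that matter for this attack.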

Under its Section 5 authority over unfair or deceptive acts or practices, the FTC has brought enforcement actions against companies that failed to implement reasonable safeguards against credential-based attacks where those failures led to consumer harm. Multi-factor authentication has become essentially a baseline requirement; regulators and courts treat the absence of MFA as a significant security deficiency in systems holding sensitive personal data.

SQL Injection and Web Application Attacks

SQL injection attacks exploit flaws in web application code that builds database queries by splicing untrusted input into the SQL text, letting the attacker alter the query and gain unauthorized access to the backend database. A successful SQL injection can be used to read the entire contents of a database, including customer records, passwords, and financial information, typically by first enumerating the schema and then pulling the tables out with automated tooling. The Open Web Application Security Project (OWASP) has listed injection among the top web application security risks in every edition of its Top Ten for over a decade.

A business whose web application is vulnerable to SQL injection has almost certainly failed to implement reasonable security practices. The standard defense, parameterized queries (prepared statements) that pass user input to the database as data rather than as part of the SQL text, has been well known for two decades, and vulnerability scanning tools detect many SQL injection flaws before attackers exploit them. A company that never performed security testing on its customer-facing web applications faces heightened legal exposure when a SQL injection breach occurs, because the failure to test for such a well-known and readily detectable vulnerability is difficult to characterize as reasonable care.
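The following added example (not code from the original post or from Revision Legal) shows the vulnerable pattern next to its parameterized fix, using Python's built-in sqlite3 module against a constructed in-memory table. The schema, rows and payloads are assumptions for illustration; the tautology and UNION payloads are the same probes a vulnerability scanner sends to detect the flaw.

```python
"""SQL injection: a vulnerable lookup beside its parameterized fix.

Added example for this post; not code from the original page or from
Revision Legal. Uses Python's built-in sqlite3 module; the table, rows
and payloads are constructed for illustration.
"""
import sqlite3


def build_db():
    """Constructed in-memory customer table standing in for a real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [
        ("alice@example.com", "4242"),
        ("bob@example.com", "1881"),
        ("carol@example.com", "0005"),
    ])
    return conn


def lookup_vulnerable(conn, email):
    """VULNERABLE: the user-supplied value is spliced into the SQL text, so a
    quote in the input ends the string literal and the rest becomes syntax."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """FIXED: a parameterized query. The driver sends the value as data, so
    the same payload is compared literally against the email column."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Tautology payload: WHERE email = '' OR '1'='1'  -> every row matches.
TAUTOLOGY = "' OR '1'='1"

# UNION payload: appends a second SELECT against SQLite's schema catalogue and
# comments out the trailing quote; this is how an attacker discovers the other
# tables before dumping them. Column count (2) must match the original query.
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master--"


def demo():
    """Run both payloads through both lookups and return the results."""
    conn = build_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),  # all 3 rows
        "vulnerable_schema": lookup_vulnerable(conn, SCHEMA_DUMP),  # table DDL leaks
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),            # []
        "safe_normal": lookup_safe(conn, "alice@example.com"),     # one row
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The two lookups differ by a single line, which is why courts and regulators find it hard to accept an unparameterized customer-facing query as reasonable care: the vulnerable version returns every card record for the tautology payload and leaks the table definitions for the UNION payload, while the parameterized version returns nothing for either because the payload is compared as an email address, not executed as SQL.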

Third-Party Vendor Compromise

Many of the most significant corporate breaches occurred not through a direct attack on the target company, but through a compromised third-party vendor with authorized access to the target's systems. The 2013 Target breach, which exposed the payment card data of approximately 40 million customers, began with the theft of an HVAC vendor's credentials, which provided a foothold on Target's network. The 2020 SolarWinds breach compromised the vendor's software update mechanism to push malicious code into the systems of thousands of organizations simultaneously.

These third-party attack vectors create complex liability questions. The directly breached company — the vendor — faces its own liability for failing to maintain adequate security. But the target company whose systems were accessed through the vendor’s compromised credentials also faces scrutiny for failing to adequately vet and monitor its vendors’ security practices, and for failing to limit vendor access to only what was necessary for the vendor’s functions.

Legal Obligations Triggered When Hackers Succeed

When a hacker successfully gains access to a company’s systems and accesses personal data, a cascade of legal obligations is triggered. These obligations exist regardless of the sophistication of the attack or the good faith of the victimized company.

  • State data breach notification. All 50 states have enacted data breach notification statutes requiring notification of affected individuals within specified timeframes, ranging from as short as 30 days (Colorado, Florida) to “without unreasonable delay” (New York, California). The applicable statutes are those of the states where affected individuals reside.
  • Federal sector-specific notification. Healthcare entities must comply with the HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400–414. Financial institutions must comply with the GLBA Safeguards Rule, 16 C.F.R. Part 314. Banking organizations must notify their primary federal regulator within 36 hours of a qualifying computer-security incident under the federal banking agencies' Computer-Security Incident Notification Rule.
  • Regulatory investigations. A major breach often triggers investigations by multiple regulators: state attorneys general, the FTC, OCR (in healthcare), banking regulators, or the SEC (for public companies). Each investigation must be managed carefully with legal counsel involved.
  • Civil litigation. Affected consumers and businesses may bring class action and individual claims alleging negligence, breach of contract, and consumer protection violations based on the company’s failure to maintain adequate security.

Contact a Cybersecurity Lawyer

Cyber threats and the security measures developed to mitigate them are constantly evolving. Revision Legal is on the cutting edge of cyber security law and can help you deal with the aftermath of a security breach. Contact the experienced data breach attorneys at Revision Legal using the form on this page or call us at 855-473-8474.
