
Data Leak

A data leak is when data is accidentally or intentionally disclosed to unauthorised people.


Behaviours

SB014: Asks security professionals for help with security issues

Asking for help can help people learn. Security professionals can advise on how best to approach and resolve ...

SB015: Completes assigned security awareness training successfully

Security Awareness training is an important part of organisational security. Completing awareness training ensures ...

SB045: Informs organisation about unnecessary access to data or systems

Having access to more data or systems than is needed to carry out a role creates unnecessary risk. Notifying a ...

SB048: Uses a privacy screen when working with sensitive information in shared spaces

Privacy screens prevent opportunistic onlookers from viewing sensitive information. They should be used when ...

SB050: Does not allow sensitive work-related matters to be overheard in shared spaces

Sensitive topics should not be discussed in shared spaces. This includes public spaces and workspaces frequented ...

SB051: Updates a document's classification if its sensitivity changes

A document's classification may change over time as information is removed or added. Updating its classification ...

SB055: Reads organisational security policy

Security policies help reduce risk by increasing the chance that people will understand what to do to keep their ...

SB056: Highlights security controls that prevent or disrupt ability to work sensibly

Sometimes security controls can prevent or disrupt job activity. In these instances controls may be ignored to ...

SB060: Correctly categorises information

Many organisations categorise information and documents according to their level of sensitivity (e.g. Top Secret, ...

SB067: Securely disposes documents containing sensitive data once no longer needed

Documents containing sensitive data should be disposed of securely after use, such as by shredding or using ...

SB068: Leaves vacant desks clear of sensitive information

Sensitive information left on a vacant desk presents a security risk. Documents should be securely stored or ...

SB091: Does not forward work information to personal email addresses

Does not forward any work-related emails to their personal email addresses. This ensures that sensitive ...

SB094: Does not use personal devices for work unless authorised to do so

Has separate work and personal devices. Only uses personal devices for work if authorised by the employer, using ...

SB095: Does not share film recordings or photos from work locations

Sharing photos, videos or posting descriptive information about your workplace through your personal online ...

SB096: Does not carry sensitive work information or unauthorised devices to countries with high security risks

Does not carry sensitive work information or unauthorised devices to countries with high security risks. Carrying ...

SB100: Takes additional measures to prevent eavesdropping when working outside the office

Ensures smart devices are turned off or not in the vicinity when discussing sensitive workplace information.

SB151: Does not use weak passwords

Using a weak password puts an account at risk of data breaches, takeovers, and various cyberattacks. Some sites ...

SB156: Discloses credentials to a phishing site

Disclosing credentials to a phishing site places the individual and their organisation at risk of account ...

SB156a: Discloses credentials to a simulated phishing site

Disclosing credentials to a phishing site places the individual and their organisation at risk of account ...

SB159: Does not click a phishing link

Clicking on a phishing link could lead you to a fake website that asks for private credentials, or tricks you into ...

SB161: Reports a suspected phishing email

Reporting phishing emails notifies IT or security teams that employees are being targeted by cyber attackers. ...

SB161b: Reports a simulated phishing email

Reporting phishing emails notifies IT or security teams that employees are being targeted by cyber attackers. ...

SB163a: Does not open a simulated phishing email

Opening a simulated phishing email informs the IT or security team that employees might be at risk of taking ...

SB164: Does not open an attachment in a phishing email

Opening attachments on phishing emails could lead to malware infections and cyberattacks.

SB164a: Does not open an attachment in a simulated phishing email

Opening an attachment in a simulated phishing email informs the IT or security team that employees might be at ...

SB177: Does not lose device through theft or negligence

Losing devices containing sensitive information through theft or negligence increases the likelihood of cyber ...

SB177a: Does not lose mobile device through theft or negligence

Losing a mobile phone or tablet containing sensitive information through theft or negligence increases the ...

SB177b: Does not lose laptop/desktop through theft or negligence

Losing laptops/desktops containing sensitive information through theft or negligence increases the likelihood of ...

SB182: Does not send sensitive information out of the business (email or otherwise)

Sending sensitive information out of the business increases the risk that it might fall into the hands of people not ...

SB183: Does not send emails to unintended recipient(s)

Sending emails to the incorrect recipient increases the chance of sensitive company or personal information being ...

SB184: Does not share a file containing confidential information

Sharing files containing confidential information might increase the risk that unauthorised individuals see or ...

SB185: Does not post confidential information in a public messaging channel

Confidential information posted in a public messaging channel can be viewed by anyone and could be leaked ...

SB186: Does not post PII in a public channel

Posting Personally identifiable information (PII) in a public channel allows anyone to view the information and ...

SB187: Does not share a file containing PII

Sharing files containing Personally identifiable information (PII) could expose PII to someone other than the ...

SB188: Does not share sensitive information with unauthorised recipients

Sharing sensitive information with unauthorised recipients is harmful for the company and places the integrity of ...

SB195: Completes policy attestation

Most organizations today have multiple compliance requirements and contractual obligations that require all ...

SB198: Does not use unapproved device for work purposes

Using unapproved devices for work purposes increases security risks. This could be for a variety of reasons ...

SB198a: Does not use unapproved mobile device for work purposes

Using unapproved mobile devices for work purposes increases security risks. This could be for a variety of reasons ...

SB202: Stores documents appropriately for their level of sensitivity

Documents should be stored in a manner that is appropriate for their level of sensitivity. Organisations are ...

Case study

UK Software Company, 2020

In 2020, a UK-based software company exposed information belonging to 193 individual law firms. The company hosted the information in an unsecured online database.

When the owner of the database could not be identified, whistle-blowers alerted the National Cyber Security Centre (NCSC). It was later discovered the database – which revealed hashed passwords, legal documents and passport numbers – could be accessed by anybody with a browser and internet connection. Worse still, over 10,000 of the database’s files had been available online for years.

The software company involved claimed the files were a part of public records. Since the owner of the database could not be traced, much of the information is still available online.

To prevent such breaches, the NCSC recommends organisations complete cyber security awareness training, monitor information access and report security incidents immediately.

BlueLeaks

In June 2020, amidst the outrage surrounding George Floyd’s death and increased concerns about police misconduct and brutality, thousands of sensitive files from police departments across the United States were leaked online.

The collection of leaked files, dubbed “BlueLeaks”, was made searchable online. Criminals gained access to these files by breaching a Texas web design and hosting company that maintained state law enforcement data-sharing portals.

The 270 gigabytes worth of files contained data from 200 police departments, fusion centers, and other law enforcement training and support resources. The files ranged from FBI reports to police bulletins. The dates of these files spanned nearly 24 years.

The hacker collective Anonymous claimed responsibility for the breach, and the information was made public by activist group Distributed Denial of Secrets. U.S. authorities are attempting to shut down the servers which continue to host the leaked information.

Marriott, 2018

In 2018, hotel chain Marriott discovered its reservation system had been breached, leaking the data of millions of customers.

The breach was discovered when an internal security tool was found trying to access the guest reservation database. A forensics team later discovered the tool had been compromised in 2014!

While it is still unclear how the tool was breached, security analysis revealed that Trojan malware, which is most commonly downloaded from phishing emails, was present in the system.

Expenses related to the breach and its aftermath cost Marriott $28 million. Further, in 2019, the UK’s Information Commissioner's Office fined Marriott £99 million for violating privacy rights. Marriott is also obligated to cover any fraud-related expenses which the victims of the leak may experience.

Speaking about the incident, the UK’s National Cyber Security Centre said that many lessons can be learned from Marriott’s errors. These include encrypting data, checking emails for signs of deception, and verifying messages from unknown contacts.

SebDB is brought to you by CybSafe | © 2023 CybSafe Ltd