Security Behaviour Database
/

Data Leak

A data leak is when data is accidentally or intentionally disclosed to unauthorised people.


Behaviours

Asking for help

Asking for help

Asking for help can help people learn. Security professionals can advise on how best to approach and resolve ...

Completing security awareness training

Completing security awareness training

Security Awareness training is an important part of organisational security. Completing awareness training ensures ...

Reporting unnecessary access

Reporting unnecessary access

Having access to more data or systems than is needed to carry out a role creates unnecessary risk. Notifying a ...

Using privacy screens

Using privacy screens

Privacy screens prevent opportunistic onlookers from viewing sensitive information. They should be used when ...

Refraining from discussing sensitive work topics in public

Refraining from discussing sensitive work topics in public

Sensitive topics should not be discussed in shared spaces. This includes public spaces and workspaces frequented ...

Updating a document's classification if necessary

Updating a document's classification if necessary

A document's classification may change overtime as information is removed or added. Updating its classification ...

Reads security policies

Reads security policies

Security policies help reduce risk by increasing the chance that people will understand what to do to keep their ...

Challenging security policies

Challenging security policies

Sometimes security controls can prevent or disrupt job activity. In these instances controls may be ignored to ...

Categorising sensitive documents

Categorising sensitive documents

Correctly categorising information helps others understand its importance. As well preventing unauthorised access, ...

Securely disposing of confidential documents

Securely disposing of confidential documents

Documents containing sensitive data should be disposed of securely after use. Such as by shredding or using ...

Keeping desks clear

Keeping desks clear

Sensitive information left on a vacant desk presents a security risk. Documents should be securely stored or ...

Case study

UK Software Company, 2020

In 2020, a UK-based software company exposed information belonging to 193 individual law firms. The company hosted the information in an unsecured online database.

When the owner of the database could not be identified, whistle-blowers alerted the National Cyber Security Centre (NCSC). It was later discovered the database – which revealed hashed passwords, legal documents and passport numbers – could be accessed by anybody with a browser and internet connection. Worse still, over 10,000 of the database’s files had been available online for years.

The software company involved claimed the files were a part of public records. Since the owner of the database could not be traced, much of the information is still available online.

To prevent such breaches, the NCSC recommends organisations complete cyber security awareness training, monitor information access and report security incidents immediately.

BlueLeaks

In June 2020, amidst the outrage surrounding George Floyd’s death and increased concerns about police misconduct and brutality, thousands of sensitive files from police departments across the United States were leaked online.

The collection of leaked files, dubbed “BlueLeaks” were made searchable online. Criminals gained access to these files by breaching a Texas web design and hosting company that maintained state law enforcement data-sharing portals.

The 270 gigabytes worth of files contained data from 200 police departments, fusion centers, and other law enforcement training and support resources. The files ranged from FBI reports to police bulletins. The dates of these files spanned nearly 24 years.

The hacker collective Anonymous claimed responsibility for the breach, and the information was made public by activist group Distributed Denial of Secrets. U.S authorities are attempting to shut down the servers which continue to host the leaked information.

Marriott, 2018

In 2018, hotel chain Marriott discovered its reservation system had been breached, leaking the data of millions of customers.

The breach was discovered when an internal security tool was found trying to access the guest reservation database. A forensics team later discovered the tool had been compromised in 2014!

While it is still unclear how the tool was breached, security analysis revealed that a Trojan malware was present in the system, most commonly downloaded from phishing emails.

Expenses related to the breach and its aftermath cost Marriott $28 million. Further, in 2019, the UK’s Information Commissioner's Office fined Marriot £99 million for violating privacy rights. Marriott is also obligated to cover any fraud-related expenses which the victims of the leak may experience.

Speaking about the incident, the UK’s National Cyber Security Centre said that many lessons can be learned from Marriott’s errors. These include encrypting data, checking emails for signs of deception, and verifying messages from unknown contacts.

SebDB is brought to you byCybSafe| © 2020 CybSafe Ltd