Data leak - am I affected? And how do I protect myself?
Data leak at Facebook, data breach at LinkedIn, data breach at Buchbinder - and new scare stories all the time! But what exactly is a data leak? And what can I do if I think I've been affected? We take a look at how companies can avoid data breaches and how those affected can limit the damage if sensitive data has fallen into the wrong hands as a result of a leak.
Data leakage - detect, fix, prevent!
In June 2021, hackers offered the data of almost all LinkedIn users for sale in a forum. In the following month, 3.8 billion phone numbers were sold on the darknet. In addition, lists of passwords keep surfacing on the Internet that criminals can use for credential stuffing, for example.
Almost weekly, Golem.de, the IT news portal, reports on new data breaches. Some of them are explosive and make big media waves, others are only worth a side note to the news portals. But the fact is: The "leaking" of data is a problem that was not solved when the GDPR came into force in 2018.
Data leak - what is it?
Regardless of whether the data leak is the result of a hacker attack or, as in the case of Buchbinder, was caused by an unsecured server: The consequences can be catastrophic in both cases. In addition to fines for GDPR violations, they can also result in claims for damages by those affected.
In the past, sensitive customer data was often affected, which was accessed via unsecured databases or cloud services, for example.
Data leakage at online markets - ARD report
As reported by ARD and Tagesschau, there was a massive data leak at major online retailers such as Otto, Kaufland and Idealo in recent years. As a result, the data of around 700,000 customers from a period since 2018 was openly accessible online, including email and postal addresses, telephone numbers, information on orders, and in some cases even bank details.
The background to the leak was a security vulnerability in a merchant interface. Via such a connection, online marketplaces offer not only their own products but also the goods of external merchants. The problem? A service provider who operated this connection for various companies stored the data of all companies and customers together and unencrypted in a single database.
The problem became known in the summer of 2021: When an external programmer discovered the security vulnerability, he first alerted the operator to the problem. Since the error was still not fixed, he then went public. The current report from German television shows the long-term consequences that such a data leak can have: Most of the data can still be found online and many of those affected were never informed about the leak.
Experts also see a lack of responsibility on the part of the marketplaces here: Online retailers oblige providers on their platform to protect customer data by contract, but do not closely monitor compliance with data protection or the implementation of interfaces. The corresponding IT service providers and the online marketplace itself usually have no business relationship.
Which leaks are particularly dangerous?
Data breaches are always a massive problem. In addition to reputational damage for the affected company, leaked data can also mean serious material and/or immaterial damage for the affected customers. Criminals on the lookout for data leaks target the following data in particular:
Email addresses can be used for spam and/or extortion emails.
Personal data such as birthday and address can help criminals commit identity theft. It would not be the first time that business transactions were concluded on the Internet under a false name and the unsuspecting victim of fraud received a hefty bill a short time later.
Leaked health data, as in the case of the mid-June 2021 data breach of two PCR testing centers, often provide the basis for extortion attempts.
Usernames and passwords are used by cybercriminals for credential stuffing. In other words, they use the data to force access to other web services with the same or similar login credentials.
How do data leaks occur?
Most of us associate data leaks with hackers sitting in front of their PCs in black hoodies, grinning maliciously as they code their way through the firewall. But the surprising truth is that data breaches are rarely the result of targeted attacks.
Most data breaches occur due to human error, as can happen in any organization as a result of work pressure, carelessness, and/or lack of cybersecurity awareness. The following three errors are particularly common causes of leaked sensitive data:
1. Wrong e-mail recipient
A small data leak can occur if you send an e-mail containing personal data to the wrong person. And anyone who has several Annas, Michaels or Christophs in the phone book knows how quickly the wrong name ends up in the address field.
Once the misfortune has happened, you have to limit the damage: Call and ask the wrong recipient to delete the e-mail. However, he or she is not obligated to do so - and the responsibility for the consequences lies with you.
2. Mailings on the way
Sending documents by mail is still perfectly normal in many places. And sometimes it even seems safer to send digital files by mail. It's hard to imagine what would happen if the files were lost on their way through the Internet! But what happens if someone labels the physical envelope incorrectly? Or the envelopes get mixed up and content A moves into envelope B and vice versa?
Here, too, we are talking about a data mishap. And here, too, the fate of the "leaker" is in the hands of the recipient: hopefully he will come forward and hopefully he will not fib when he claims to destroy the confidential documents by return of post!
3. Loss of a non-encrypted cell phone
When private people lose their cell phones, it's annoying. When a business cell phone with a complete address book, e-mails, attachments and other personal data is lost, it's a data leak.
Protecting the cell phone with a password is not enough to protect information from unauthorized access. The worst consequences of lost cell phones can be avoided by relying on modern models in which all information is automatically encrypted and only then stored.
Am I affected by a data leak?
"Data leak at Facebook! LinkedIn user data leaked!" Headlines like these cause unrest among the population because there is hardly anyone left today who is not logged into at least one social media platform. If a major data leak becomes known, the first thing you should do is check whether you or your data is affected.
There are a number of providers who can help you with this by collecting the leaked data records from various Internet forums and integrating them into a central database. Concerned users can query this database to find out if they have been affected by the data breach:
Was my e-mail address leaked?
On Have I Been Pwned you enter your e-mail address and the service shows you whether (and how often) the provider with which your e-mail data is stored has been affected by data breaches, and whether your e-mail address has appeared in corresponding forums that hackers draw on. However, the service is only available in English. A German service with the same functionality can be found at E-Mail Leak Check from EXPERTE.de.
Has my personal data been leaked?
For many people, a leak of personal data such as address, date of birth or telephone number is much more worrying than an e-mail address that has appeared on the Internet. The HPI Identity Leak Checker and the Leak Checker of the University of Bonn check by means of a data comparison whether one of your e-mail addresses has been disclosed on the net in connection with your personal data. The tools display a table listing which information was affected by data leaks at which services.
Affected by data leak - what to do?
If one of the above-mentioned services issues you a warning, you should react immediately and change the password at the provider in question. If you still use the same password with other services, you should also change it there as a precaution (keyword: credential stuffing). Basically, you can reduce the risk of becoming a victim of a data breach-related hacker attack if you:
use a different password for each of your online services.
never store your passwords locally, but e.g. in a password manager.
use two-factor authentication.
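To find the other services where a leaked password, or a close variant of it, is still in use, a password-manager export can be checked offline. The following sketch is an added example, not part of the original article; the vault entries, service names and the stemming rule are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample export from a password manager: (service, password).
# All names and passwords are made up for this example.
VAULT = [
    ("shop.example",   "Sommer2021!"),
    ("photos.example", "Sommer2021!"),
    ("forum.example",  "sommer2021"),
    ("bank.example",   "Sommer2019"),
    ("mail.example",   "kV9#tq2LwzP0"),
    ("pin.example",    "482913"),
    ("old.example",    "771204"),
]

MIN_STEM = 4  # shorter stems (e.g. all-digit passwords) are too generic to compare


def stem(password):
    """Lowercase and strip trailing digits/symbols: 'Sommer2021!' -> 'sommer'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def passwords_to_change(vault, breached_service):
    """Return services whose password is identical or similar to the leaked one."""
    by_exact, by_stem = defaultdict(set), defaultdict(set)
    for service, password in vault:
        by_exact[password].add(service)
        s = stem(password)
        if len(s) >= MIN_STEM:
            by_stem[s].add(service)

    leaked = [pw for svc, pw in vault if svc == breached_service]
    if not leaked:
        raise KeyError(f"{breached_service} is not in the vault")

    same, similar = set(), set()
    for password in leaked:
        same |= by_exact[password]
        similar |= by_stem.get(stem(password), set())
    same.discard(breached_service)
    similar -= same | {breached_service}
    return {"same": sorted(same), "similar": sorted(similar)}


if __name__ == "__main__":
    print(passwords_to_change(VAULT, "shop.example"))
```

Services listed under "same" need a new password at once; those under "similar" share a base word with the leaked password and should be changed as well.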
Fix data leak - what to do after a data breach?
Data leaks are like the child and the well: Once the child has fallen in, it's all about damage control. In many cases, companies and authorities can find out the cause of the data breach and fix it (as in the case of Buchbinder, the unsecured port in the backup server), but they cannot "fix" the data leak itself. Once the data circulates on the World Wide Web, it is already too late.
Prevent data mishaps with access management
Organizations that have full control over who can access what information in their organization and when are less likely to experience data leaks than organizations that assign access permissions "on demand."
To ensure that only authorized employees have access to sensitive data, companies should set up their authorization structure according to the least privilege principle. This means that at no time should employees have more access rights than they actually need for their work. Insider threats, which can become the source of a data leak, often arise through opportunity.
A forgotten VPN access, a fileshare from a former project collaborator, or a folder discovered by chance while browsing that is not hidden by ACE: These are all opportunities for data misuse that do not even require malicious intent, but can still have serious consequences. Even more security is provided by Zero Trust architecture, where all data accesses are continuously checked.
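A periodic access review is one way to find such leftover permissions before they become an opportunity. The following sketch is an added example, not part of the original article; the user names, resources, project memberships and the 90-day idle threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data; all users, projects and resources are hypothetical.
ACTIVE_STAFF = {"a.meier", "c.huber", "m.vogel"}
PROJECT_MEMBERS = {"apollo": {"a.meier"}, "hermes": {"c.huber", "m.vogel"}}
GRANTS = [
    # (user, resource, project the resource belongs to or None, last used)
    ("a.meier", "vpn",          None,     date(2021, 1, 10)),
    ("a.meier", "share:apollo", "apollo", date(2021, 8, 30)),
    ("c.huber", "share:apollo", "apollo", date(2021, 3, 2)),
    ("m.vogel", "share:hermes", "hermes", date(2021, 9, 1)),
    ("t.lang",  "share:hermes", "hermes", date(2021, 2, 14)),
    ("m.vogel", "vpn",          None,     date(2021, 8, 28)),
]
MAX_IDLE_DAYS = 90  # assumed policy: unused access is revoked after 90 days


def review_grants(grants, active_staff, project_members, today):
    """Flag grants that exceed what the holder currently needs for their work."""
    findings = []
    for user, resource, project, last_used in grants:
        idle = (today - last_used).days
        if user not in active_staff:
            reason = "account owner has left"
        elif project is not None and user not in project_members.get(project, set()):
            reason = f"no longer a member of project {project}"
        elif idle > MAX_IDLE_DAYS:
            reason = f"unused for {idle} days"
        else:
            continue  # grant is still justified
        findings.append((user, resource, reason))
    return findings


if __name__ == "__main__":
    for finding in review_grants(GRANTS, ACTIVE_STAFF, PROJECT_MEMBERS,
                                 date(2021, 9, 15)):
        print(*finding, sep=" | ")
```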