A security breach is any incident that results in unauthorized access to computer data, applications, networks or devices. It results in information being accessed without authorization. Typically, it occurs when an intruder is able to bypass security mechanisms.
Technically, there's a distinction between a security breach and a data breach. A security breach is effectively a break-in, whereas a data breach is defined as the cybercriminal getting away with information. Imagine a burglar; the security breach is when he climbs through the window, and the data breach is when he grabs your pocketbook or laptop and takes it away.
Confidential information has immense value. It's often sold on the dark web; for example, names and credit card numbers can be bought, and then used for the purposes of identity theft or fraud. It's not surprising that security breaches can cost companies huge amounts of money. On average, the bill is nearly $4m for major corporations.
It's also important to distinguish the security breach definition from the definition of a security incident. An incident might involve a malware infection, DDOS attack or an employee leaving a laptop in a taxi, but if they don't result in access to the network or loss of data, they would not count as a security breach.
Examples of a security breach
When a major organization has a security breach, it always hits the headlines. Security breach examples include the following:
Equifax - in 2017, a website application vulnerability caused the company to lose the personal details of 145 million Americans. This included their names, SSNs, and drivers' license numbers. The attacks were made over a three-month period from May to July, but the security breach wasn't announced until September.
Yahoo - 3 billion user accounts were compromised in 2013 after a phishing attempt gave hackers access to the network.
eBay saw a major breach in 2014. Though PayPal users' credit card information was not at risk, many customers' passwords were compromised. The company acted quickly to email its users and ask them to change their passwords in order to remain secure.
Dating site Ashley Madison, which marketed itself to married people wishing to have affairs, was hacked in 2015. The hackers went on to leak a huge number of customer details via the internet. Extortionists began to target customers whose names were leaked; unconfirmed reports have linked a number of suicides to exposure by the data breach.
Facebook saw internal software flaws lead to the loss of 29 million users' personal data in 2018. This was a particularly embarrassing security breach since the compromised accounts included that of company CEO Mark Zuckerberg.
Marriott Hotels announced a security and data breach affecting up to 500 million customers' records in 2018. However, its guest reservations system had been hacked in 2016 - the breach wasn't discovered until two years later.
Perhaps most embarrassing of all, being a cybersecurity firm doesn't make you immune - Czech company Avast disclosed a security breach in 2019 when a hacker managed to compromise an employee's VPN credentials. This breach didn't threaten customer details but was instead aimed at inserting malware into Avast's products.
A decade or so ago, many companies tried to keep news of security breaches secret in order not to destroy consumer confidence. However, this is becoming increasingly rare. In the EU, the GDPR (General Data Protection Regulations) require companies to notify the relevant authorities of a breach and any individuals whose personal data might be at risk. By January 2020, GDPR had been in effect for just 18 months, and already, over 160,000 separate data breach notifications had been made - over 250 a day.