• Sensitive Data Exposure

     

    What is sensitive data?

    Sensitive data is information that needs protecting against unauthorized access to minimize possible harm to individuals and businesses. When sensitive data gets into the wrong hands, people can have their privacy compromised, identities stolen, or fraud committed in their names. When trade secrets, intellectual property, or other sensitive company data gets into the wrong hands, businesses suffer from a loss of competitive edge. 

    While the consequences of sensitive company data exposure can be grave, these consequences are restricted to the business level. Individual data exposure affects people, making properly protecting this type of information a particularly pressing concern for any business. 

    An abundance of data privacy regulations aims to protect sensitive data belonging to individuals. A large part of the cost of a data breach stems from compliance penalties, litigation, and compensation payments to affected individuals. Each regulation may differ slightly in what it defines as sensitive personal data, but some commonalities include:

    • Protected health information (PHI) that includes medical histories, test results, and insurance information about individuals
    • Personally identifiable information (PII) that can identify or can be used to infer who an individual is (e.g., name, date of birth, Social Security Number/ID Number, driver’s license number, bank account information, address)
    • Biometric data, such as fingerprints and retina scans

    Whether you’re running an eCommerce website or an enterprise, you are likely to collect and store a ton of sensitive data at various customer touchpoints, including website checkouts, quotation forms, or mobile applications. If this data gets exposed, you have a potentially serious problem to the tune of millions of dollars.

    How sensitive data is exposed 

    So, how exactly does sensitive data exposure happen? Considering the complex IT environments transitioned to by most modern businesses, it’s perhaps not too surprising that things go amiss when trying to protect sensitive information. An absence of controls and employee errors are potential causes. It’s helpful to split up the methods of data exposure based on whether data is at rest or in transit. 

    Sensitive data at rest

    When sensitive data is at rest, it’s stored on a system and not currently being accessed or used. This information may become exposed in some of the following ways:

    • Encryption is not applied to the data, which means that anyone with access to the file or database on which it’s stored can easily view sensitive information.
    • Misconfiguration errors, such as setting cloud storage buckets containing sensitive data as publicly available via the Internet (in 2021, 50,000 patients had their healthcare data publicly exposed in a database that was easily available online for anyone to download)
    • Access control failures that provide excessive sensitive data access to users who don’t need it. 

    Sensitive data in transit

    Data in transit traverses across your network between different systems or between your network and the Internet. Examples include when data is sent over email when data moves from on-premise to the cloud, and data is shared between applications. Some causes of sensitive data exposure while in transit include:

    • A lack of encryption for data in transit exposes it to anyone able to intercept that data as it travels.
    • Poor policy controls and a lack of data visibility enables users to download and/or share data with unapproved or unvetted devices. 
    • Employees using insecure connections to send emails containing sensitive data, which threat actors could intercept. 

    What attacks can expose sensitive data? 

    Threat actors directly use several different attacks to expose and access sensitive data, such as:

    • SQL injection attacks that use malicious SQL statements that can provide unauthorized access to sensitive data stores
    • Man-in-the-middle attacks, such as session hijacking, in which hackers steal user sessions on websites or web apps and potentially access sensitive information
    • Social engineering attacks that use psychological manipulation to persuade employees or business partners to reveal sensitive information