In today’s global data economy ecosystem, businesses gather and store an abundance of sensitive information about individuals inside their IT environments. Carelessness in protecting this sensitive data often exposes it to increased data breach risks, the costs of which have climbed to $4.24 million per breach, according to the most recent figures. A data breach is distinct from data exposure. A breach requires a malicious threat actor to access data, while data exposure means that the data hasn’t been adequately secured and it’s unprotected.
Aside from the high cost of a data breach, negative media scrutiny, reputational damage, operational downtime, and data loss are additional damaging consequences that occur in the aftermath of most breach incidents. Process failures that leave data exposed in the first place ultimately cause most data breaches. For this reason, sensitive data exposure features in the OWASP Top 10 web application security risks (although it has been recategorized in the most recent version).
This article takes a deep dive into sensitive data exposure, including how it happens, why you should care about it, and the types of attacks that take advantage of it. You’ll also get some actionable tips for avoiding sensitive data exposure in your environment and preventing most breaches.
What is sensitive data?
Sensitive data is information that needs protecting against unauthorized access to minimize possible harm to individuals and businesses. When sensitive data gets into the wrong hands, people can have their privacy compromised, identities stolen, or fraud committed in their names. When trade secrets, intellectual property, or other sensitive company data gets into the wrong hands, businesses suffer from a loss of competitive edge.
While the consequences of sensitive company data exposure can be grave, these consequences are restricted to the business level. Individual data exposure affects people, making properly protecting this type of information a particularly pressing concern for any business.
An abundance of data privacy regulations aim to protect sensitive data belonging to individuals. A large part of the cost of a data breach stems from compliance penalties, litigation, and compensation payments to affected individuals. Each regulation may differ slightly in what it defines as sensitive personal data, but some commonalities include:
- Protected health information (PHI) that includes medical histories, test results, and insurance information about individuals
- Personally identifiable information (PII) that can identify or can be used to infer who an individual is (e.g., name, date of birth, Social Security Number, driver’s license number, bank account information, address)
- Biometric data, such as fingerprints and retina scans
Whether you’re running an eCommerce website or an enterprise, you are likely to collect and store a ton of sensitive data at various customer touchpoints, including website checkouts, quotation forms, or mobile applications. If this data gets exposed, you have a potentially serious problem to the tune of millions of dollars.
How sensitive data is exposed
So, how exactly does sensitive data exposure happen? Considering the complex IT environments that most modern businesses have transitioned to, it’s perhaps not too surprising that things go amiss when trying to protect sensitive information. An absence of controls and employee errors are potential causes. It’s helpful to split up the methods of data exposure based on whether data is at rest or in transit.
Sensitive data at rest
When sensitive data is at rest, it’s stored on a system and not currently being accessed or used. This information may become exposed in some of the following ways:
- Encryption is not applied to the data, which means that anyone with access to the file or database on which it’s stored can easily view sensitive information.
- Misconfiguration errors, such as setting cloud storage buckets containing sensitive data as publicly available via the Internet (in 2021, 50,000 patients had their healthcare data publicly exposed in a database that was easily available online for anyone to download).
- Access control failures that provide excessive sensitive data access to users who don’t need it.
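The bucket misconfiguration described above can be caught before deployment by reviewing the access policy itself. The following is an added example, not part of the original article: it assumes the AWS S3 bucket policy JSON format, and the bucket name, account ID and role are constructed sample values.

```python
import json

# Constructed sample policies (not taken from any real account).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-patient-records/*",
    }],
})
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/records-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-patient-records/*",
    }],
})

def _as_list(value):
    # Policy fields may hold either a single value or a list of values.
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    """True when the statement applies to every caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def public_statements(policy_json):
    """Return Allow statements open to anyone with no Condition attached.

    Simplification: any Condition block is treated as a restriction and
    NotPrincipal is not evaluated, so this is a first-pass review aid.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and is_wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append({"actions": _as_list(stmt.get("Action", [])),
                             "resources": _as_list(stmt.get("Resource", []))})
    return findings
```
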
Sensitive data in transit
Data in transit travels across your network between different systems or between your network and the Internet. Examples include when data is sent over email, when data moves from on-premises systems to the cloud, and when data is shared between applications. Some causes of sensitive data exposure while in transit include:
- A lack of encryption for data in transit exposes it to anyone able to intercept that data as it travels.
- Poor policy controls and a lack of data visibility enable users to download and/or share data to unapproved or unvetted devices.
- Employees using insecure connections to send emails containing sensitive data, which threat actors could intercept.
What attacks can expose sensitive data?
Threat actors directly use several different attacks to expose and access sensitive data, such as:
- SQL injection attacks that use malicious SQL statements that can provide unauthorized access to sensitive data stores
- Man-in-the-middle attacks, such as session hijacking, in which hackers steal user sessions on websites or web apps and potentially access sensitive information
- Social engineering attacks that use psychological manipulation to persuade employees or business partners to reveal sensitive information
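For the SQL injection item in the list above, the exposure comes from building a query out of user input, and the fix is to bind that input as a parameter. The following is an added example, not code from the original article: the `patients` table, its rows and the function names are constructed for illustration, using Python's built-in `sqlite3` module.

```python
import sqlite3

# Constructed input containing quote characters, used to compare both lookups.
CRAFTED_INPUT = "x' OR '1'='1"

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    db.executemany("INSERT INTO patients (name, ssn) VALUES (?, ?)",
                   [("alice", "000-00-0001"), ("bob", "000-00-0002")])
    return db

def lookup_vulnerable(db, name):
    # VULNERABLE: user input is concatenated into the SQL text, so quote
    # characters in `name` change the structure of the query.
    query = "SELECT name, ssn FROM patients WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_safe(db, name):
    # HARDENED: the value is bound as a parameter and is only ever compared
    # as data; it cannot alter the query.
    query = "SELECT name, ssn FROM patients WHERE name = ?"
    return db.execute(query, (name,)).fetchall()

def compare(name):
    """Return (rows from vulnerable lookup, rows from safe lookup)."""
    db = make_db()
    return len(lookup_vulnerable(db, name)), len(lookup_safe(db, name))

if __name__ == "__main__":
    print("normal input: ", compare("alice"))
    print("crafted input:", compare(CRAFTED_INPUT))
```

With the crafted input, the concatenated query returns every row in the table, while the parameterized query returns none because no patient has that literal name.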