Security Breach

The term usually comes up when it is already too late: customer data is up for sale, an extortion letter sits in the inbox, or a supervisory authority is asking questions. A security breach is the moment when an abstract risk turns into concrete damage. For IT decision-makers, a precise understanding of the term is worthwhile, because reporting obligations and liability questions hang on it. Anyone who only clarifies in an emergency what counts as a breach and who then has to do what loses exactly the hours that the law measures out sparingly.

What is a security breach?

A security breach is the demonstrable break of protective measures with consequences for the protection goals of information security: unauthorized parties gain access to systems or data (confidentiality), alter them (integrity) or paralyze them (availability). What is decisive is the effect that has occurred. A repelled attack attempt is not a breach, whereas a successful access to a single mailbox is.

The GDPR uses the term personal data breach for this. It covers more than the classic hack: an unencrypted lost laptop, the misaddressed mass mailing or accidentally deleted customer data also fall under it. Whether an event is reportable depends on the risk to the individuals affected. The obligation to document and justify this assessment lies with the company.

How does a security breach typically unfold?

Behind most serious breaches stands a multi-stage sequence:

  • Gaining access: At the start stand stolen credentials, phishing or an exploited vulnerability in a system reachable from outside. Compromised service providers are also a frequent entry point.
  • Settling in: The attacker sets up permanently, for example via additionally created accounts or installed remote access tools. This way they survive password changes and system restarts.
  • Spreading: From the entry point, they move laterally through the network and collect higher permissions along the way. In flat networks, this step proceeds largely unhindered.
  • Collecting and exfiltrating: Interesting data is gathered and copied out inconspicuously, often spread over longer periods and disguised as normal traffic.
  • Monetizing: At the end stand encryption with a ransom demand, the sale of the data or fraud with the captured information. Often the breach is only discovered at all in this phase.

Why handling security breaches matters

  • The reporting deadline is 72 hours: if a risk to personal data exists, the report to the supervisory authority must be made within 72 hours of becoming known. Without prepared assessment and reporting processes, this is barely achievable.
  • Those affected must be informed: in the case of high risk, the affected individuals must additionally be notified. This makes the breach public, and the quality of the communication decides the extent of the damage to trust.
  • Costs arise long after the incident: forensics, rebuilding, legal advice and customer attrition add up over months. The follow-up damage regularly exceeds the immediate damage.
  • Fines and liability loom: violations of reporting and due-diligence obligations can trigger severe sanctions. For management, the question of personal responsibility also arises.
  • Undetected breaches harm twice: anyone who does not even notice compromises for lack of visibility can neither report nor react. This later worsens the damage as well as the legal assessment.

Typical scenarios

Ransomware with data exfiltration is the rule today. Attackers copy data before encryption and threaten to publish it. The availability problem thereby simultaneously becomes a reportable breach of confidentiality, with all the attendant obligations.

A second scenario is the compromised cloud account. With stolen credentials, the attacker logs in normally to email or collaboration services, reads along for weeks and uses the knowledge for payment fraud or further attacks on business partners.

The third classic is the error without an attacker: the misconfigured cloud share, the openly reachable database server, the sending to the wrong distribution list. Legally, that also counts as a breach, even though no one attacked.

Security incident and security breach: the difference

In everyday use, both terms are used synonymously, but organizationally a clear line separates them. A security incident is any event that threatens information security, such as the detected attack attempt or the suspicious login. A security breach only occurs when protection was actually broken through and unauthorized parties gained access or data was compromised. Every breach is therefore an incident, but by no means every incident becomes a breach. The distinction has practical consequences: incidents are handled and documented internally, breaches can trigger reporting obligations. The assessment of when one becomes the other therefore belongs firmly in the incident response process and in the hands of clearly named owners.

Protection against security breaches at KAEMI

Preventing every single error is unrealistic. What can be prevented, however, is that it turns into a large-scale breach. With microsegmentation , KAEMI limits the spread of an attacker in the network: a compromised system stays confined to its segment, and the visibility over all connections makes it easier, in an emergency, to assess which data was actually affected. Application Security protects applications reachable from outside, one of the most frequent entry points, among other things with a web application firewall and protection against automated attacks. If you want to assess your exposure realistically, talk to us via our contact form .

Frequently asked questions about Security Breach

When does an event count as a reportable breach under GDPR?

A personal data breach is reportable as soon as a risk to the rights and freedoms of natural persons exists. The report to the supervisory authority must be made within 72 hours of becoming known. Only if a risk is demonstrably unlikely does the obligation lapse. The company must be able to document and justify this assessment.

Does a lost laptop count as a security breach?

Yes, if personal or confidential data is on it and access by third parties is possible. Strong device encryption can lower the risk so far that no report becomes necessary. Precisely for this reason, encryption as a standard is worthwhile: it turns a reportable data loss into a mere hardware loss.

How do companies even notice that they are affected?

Often through external parties: investigative authorities, security researchers or customers report conspicuous data or misuse. Internally, monitoring, endpoint detection and anomalies in network traffic provide the earliest indications, such as unusual data volumes toward unknown destinations. The better the visibility over internal communication relationships, the earlier a compromise is noticed and the smaller the damage stays.

What are the most common ways into a company network?

Stolen or guessed credentials are at the very top, followed by phishing and the exploitation of unpatched vulnerabilities in systems reachable from outside, such as VPN gateways or web applications. Added to this are compromised service providers with far-reaching access. It is striking that the initial access rarely concerns the actual target. It becomes dangerous through the subsequent movement in the network.

What should a company do immediately after detection?

First document the incident and start the prepared incident response procedure: isolate affected systems, secure evidence, involve the responsible parties and the data protection officer. In parallel, the risk assessment for the 72-hour report begins. It is important to isolate systems in a controlled way instead of shutting them down, because switching off loses volatile traces that are needed for the investigation.

Want to put this into practice in your own network? Talk to KAEMI, aligned to your requirements and with operations from a single source.