Data Breach v. Data Hack – What is the difference?
We often conflate the terms ‘data breach’ and ‘data hack’ to describe risks associated with computer security. In reality, each encompasses its own space in the cyber security world and delineate distinct protective measures.
What is a Data Breach?
A data breach speaks to an inadvertent release of sensitive data from a secure space to an untrusted environment. This often occurs when data is unintentionally left unsecured allowing unauthorized individuals to access it. This form of breach does not occur as a result of malicious intent, but instead due to negligence, incompetence, or human error. An example of this is the Cambridge Analytica scandal, where Facebook released confidential user data to a third party. While some classified this is as a hack, it is technically considered a breach given that Cambridge Analytica did not attempt to break through Facebook’s security screens; it took advantage of a pre-existing privacy oversight.
What is a Data Hack?
A hack on the other hand, is a calculated alteration to a computer’s hardware or software for a purpose other than that originally intended by the developer. Unlike a data breach, a data hack is intentional. It is usually conducted by cyber criminals with malicious intent for adverse purposes such as data theft or fraud. An example of a cyber hack was evidenced in 2018 when Marriot International revealed that cyber criminals had hacked their system to steal confidential data of 500 million customers.
Understanding the Difference:
It is important to understand the distinction between intentional versus inadvertent cyber threats, so we can take measures to protect against all security breaches. The Office of the Privacy Commissioner of Canada has compiled a guide on preventing and responding to both privacy breaches and hacks. This guide is summarized below:
Understand the Threats:
- Know what personal information you have, where it is, and what you are doing with it.
- Know your vulnerabilities by conducting risk and vulnerability assessments and/or penetration tests to ensure that threats to privacy are identified.
- Be aware of breaches in your industry. Attackers will often re-use the same attacks against multiple organizations.
Thinking Beyond the Hacker:
- Encrypt laptops, USB keys and other portable media.
- Limit the personal information you collect, as well as what you retain.
- Protect personal information throughout its lifecycle.
- Train your employees.
- Limit, and monitor, access to personal information.
- Maintain up-to-date software and safeguards.
- Implement and monitor, intrusion prevention and detection systems.
Containing Breaches
- Take immediate steps to limit the breach:
- Designate an appropriate individual to lead the initial investigation.
- Determine the need to assemble a team which could include representatives from appropriate parts of the business.
- Determine who needs to be made aware of the incident internally, and potentially externally, at this preliminary stage.
- Do not compromise the ability to investigate the breach.
- Prevent future breaches:
- Conduct a security audit of both physical and technical security.
- Review policies and procedures.
- Review employee training practices.
- Review service delivery partners (e.g., dealers, retailers, etc.).
The complete guideline summarized above can be found here: