data leaks or data breaches?

Keeping up with the latest cybersecurity stories can be exhausting given the sheer number of hacks and leaks reported on a sometimes daily basis. This makes it easy, and even acceptable, to give in to cybersecurity fatigue. However, despite this overwhelming state of affairs, the current cybersecurity environment can also provide a learning opportunity for consumers. One of the big takeaways from some of the significant incidents of this past year is that there’s a substantial difference between data breaches and data leaks. While discussing the distinction between terms might seem like we’re splitting hairs, it’s anything but. Continue reading to learn about the difference between breaches and leaks, as well as why it matters.

Defining data leaks and data breaches

Since both data leaks and data breaches result in consumer data being publicly exposed in some fashion, knowing the differences between them might seem rather pointless, as their consequences are mostly the same – both usually result in lost data and, potentially, identity theft. What we’ve noticed, though, is that in the past 12 months (from July 2017 to July 2018) over one-third of the cybersecurity incidents we reported on were leaks. In 2018 alone, nearly 40 percent of our data security stories were about leaks. This indicates that the breach/leak dichotomy is significant enough to discuss.

To fully understand what a leak is, it’s useful to reflect on what data breaches are for comparison. To summarize, data breaches are intrusions into sensitive systems perpetrated by one or more hackers or another unauthorized user. Data leaks, however, are incidents where this information is simply exposed as the result of a company’s internal processes or by mistake.

It’s worth noting that not everyone uses these terms this way. Some sources might classify leaks as data breaches, but they might clarify that there’s a distinction by using the term accidental data breach to describe some leaks. Sometimes leaks might also simply be referred to as data exposure. However, a number of major outlets, including our site, use the terms breaches and leaks in the manner we’ve noted. For example, The New York Times, The Verge and other outlets reported the Cambridge Analytica incident as a leak. Similar language was used by other outlets to describe the Panera Bread incident, as well.

Despite the varied use of language, the key takeaway is that there’s a difference between incidents involving active threats which compromise a system and incidents in which data was unintentionally made public as the result of an accident or misapplication of a service’s features. With regard to the latter, there’s no reason to suspect that unauthorized access necessarily occurred, but that’s of little reassurance to users who expect companies to maintain heightened security of their personal information at all times.

Why does this distinction matter?

Although we as consumers can’t prevent breaches or leaks, understanding the difference teaches us the following lessons.

Data leaks are sometimes the result of how services are designed

Some leaks we’ve covered, like the Exactis leak or the Panera Bread leak, are the result of a widespread issue: misconfigured databases that are sometimes easily searchable on Google or through other extremely accessible tools. In other cases, though, the leaks are directly the result of how a service is intended to function. This appears to be the case with the two separate but related Facebook leaks we covered, as well as the Polar Fitness leak we recently wrote about. Regarding the Facebook leaks, it appears that inconsistencies in Facebook’s developer policies allowed dubious companies like Cambridge Analytica to slip through the cracks. As we’ve said before, it’s possible that both the Cambridge Analytica and the Nametest scandals are just the tip of the iceberg. In other words, these are just the abuses that we know about. If Facebook’s platform was as open in the past as we’ve been led to believe, then there are likely dozens of other applications that by design accessed more data than they needed to function.

Data leaks might not always be disclosed or acknowledged

In all states, companies are required by law to disclose data breaches; however, when it comes to leaks, these laws can be hard to enforce. For one, disclosure requires acknowledgment and awareness of an issue, but in many cases, knowledge of leaks comes from third-party security professionals and sometimes whistleblowers (as was the case with Cambridge Analytica). Furthermore, in a small number of cases, like the Polar Fitness leak, security researchers will reveal the presence of exploitable vulnerabilities on a platform, but since no loss of data can be proven, the company doesn’t treat the incident like a breach. Because of this, there are possibly dozens of leaks that have happened without anyone’s acknowledgment or awareness. This, of course, puts consumers in a position where they’re unable to receive compensation or even simply take measures to protect themselves from harm, which is why experts often suggest that we just assume our data has already been compromised even if we’ve never received a breach notification.

How should I react to data leaks?

You should react to disclosed leaks in the same manner as disclosed data breaches. Even if companies offer reassurances that exposed data wasn’t compromised, you should still treat the incident like a standard data breach. In many instances, the flaw or vulnerability causing the leak has been present for an indeterminate amount of time, and tools like Shodan (which we’ve talked about several times before) make it extremely easy to search for exposed networks. Since such tools exist, it’s difficult to believe that leaky systems haven’t already been compromised long before developers learn about the issue.

As for undisclosed leaks, while we can’t react to them, we can reduce our risk of being hacked by being selective about the services that we use. Be thoughtful about any websites you join, especially social networks that use your real name or real-time location data. From Fitbit to Facebook, services like these have an incentive to gobble up all the data they can on you and, thus, might be unknowingly or unintentionally increasing your risk for a breach or leak.

Finally, the uncertainty surrounding data leaks highlights the need for proactivity. One of the ways you can be proactive is by investing in identity theft protection, which monitors the web (including black market sites) for the use of your personal information. Other means of protecting your identity include credit report monitoring, which exclusively monitors your credit, and credit freezes, which can help stop the financial damage that hackers and thieves can do with your personal information.

While you can’t prevent leaks, data breaches or identity theft, knowledge about cybersecurity incidents can help you properly react to the threats of today’s world. Keep reading our data breach blog to keep up with the stories that matter.