
How do companies know when there has been a data breach?

For example, do they monitor event logs for login audits or do they wait until a paste is made of their data in a pastebin type site?

Is it possible that many smaller companies never know that their data has been stolen?

DomBat

Comments:

  • Do you mean to ask how a company _could_ know this, or how they currently _do_ know this? Because that last question is probably answered by "they don't" – Nanne Jan 22 '15 at 15:03
  • I begin to wonder at inserting a tiny amount of "danger" data into the database and having normal usage filter these out. If a call is made that grabs the "danger" data, have the database raise a red flag. (Note that during dev this flag will be raised often, so a company-wide email is a bad idea.) – Mooing Duck Jan 22 '15 at 18:53
  • Related: http://security.stackexchange.com/questions/32862 – MV. Jan 22 '15 at 20:04

3 Answers

The number of security measures in place and the capabilities to discover breaches will vary widely from company to company and depends on the type of data that is stolen.

There are several ways a company will learn of a breach:

  • security software catches unusual behaviour and marks it for later review (or stops it on the fly after part of the data has already left the network)
  • while routinely auditing logs (e.g. of a webserver) the company spots a potential attack vector and confirms it
  • the company receives a note from an insider (e.g. from a bank if payment data was involved and is now being misused)
  • the attackers contact the company themselves (e.g. to extort money)
  • the users/customers alert the company (e.g. complaints about spam that was sent to related email addresses that were stolen)
  • news outlets, reporters or other individuals get their hands on the stolen data and report it publicly or in private
  • …

Since the number of attackers and their motives to steal data from companies as well as the way they use the data in the end differs from breach to breach it is totally possible that small (and even larger) companies never know that their data has been stolen.
If the attackers don't use or publish the stolen data it will be hard to recognize if you do not have the security routines and tools in place to catch such a breach.

There will also be cases where the origin of a breach cannot be traced back easily, especially if a small amount of stolen data is merged with larger sets (e.g. some 50 customer email addresses used in a huge spam campaign with millions of other recipients).

Denis

One thing not mentioned yet: fake data that is otherwise never used. If you ever encounter that information, your data leaked.

To what extent this is practically useful depends on the data. A login attempt for a specific user name is a good example, because that kind of leaked data is likely to surface.

Comments:

  • Yes, watermarking and fingerprinting the data is one possible way to discover those data breaches. – MV. Jan 22 '15 at 20:02
  • Great idea. Created some accounts and added them to "haveibeenpwned.com" – DomBat Apr 09 '15 at 07:57
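The canary-account idea from this answer and from Mooing Duck's "danger data" comment can be turned into a concrete detection: plant user names that are never handed to anyone, then watch the authentication log for any attempt against them. The following is an added example, not code from the answer above; the canary names, the sshd-style log lines and the function names are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical canary accounts: inserted into the user table but never issued
# to a real person, so any login attempt against them means the table leaked.
CANARY_USERS = {"svc-backup-archive", "jane.doe.canary"}

# Constructed sample lines in an sshd-style auth log format (not real logs).
SAMPLE_LOG = """\
Jan 22 15:03:11 web1 sshd[2311]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Jan 22 15:04:02 web1 sshd[2320]: Failed password for svc-backup-archive from 203.0.113.7 port 40110 ssh2
Jan 22 15:04:09 web1 sshd[2320]: Failed password for invalid user jane.doe.canary from 203.0.113.7 port 40111 ssh2
Jan 22 15:05:40 web1 sshd[2333]: Accepted publickey for bob from 10.0.0.9 port 51030 ssh2
"""

# Matches both successful and failed attempts; "invalid user" appears when the
# account does not exist on the host, which is exactly the case for a canary.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class CanaryAlert:
    ts: str
    user: str
    src: str
    result: str


def find_canary_logins(log_text, canaries=CANARY_USERS):
    """Return one alert per login attempt (failed or successful) against a canary account."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("user") in canaries:
            alerts.append(CanaryAlert(m.group("ts"), m.group("user"),
                                      m.group("src"), m.group("result")))
    return alerts


def sources_to_review(alerts):
    """Distinct source addresses that touched a canary, for the incident ticket."""
    return sorted({a.src for a in alerts})
```

Because a canary is never legitimately used, even a single failed attempt is a high-confidence signal, unlike a failed login against a real account.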

It is very possible that smaller companies never know that they've been compromised. After all, how much do they pay for their applications? The larger ones have the benefit of law enforcement getting in touch, but everyone else just has to live with misfortune.

munchkin