A data breach is an incident that exposes confidential or protected information. A data breach might involve the loss or theft of your Social Security number, bank account or credit card numbers, personal health information, passwords or email.

A data breach can be intentional or accidental. A cybercriminal may hack the database of a company where you’ve shared your personal information. Or an employee at that company may accidentally expose your information on the Internet. Either way, criminals may access your key personal details and profit from them at your expense.

Retailers, hospitals, corporations, government offices and colleges have all been targets of data breaches. But how does it happen?

In this article, you’ll learn about:

• Recent data breaches.
• How data breaches happen.
• What you can do to help stay safe.

The biggest data breaches of the decade

While hundreds of data breaches have affected consumers around the world, some of the most notable have occurred in just the last few years and involve the exposure of sensitive information, despite cybersecurity efforts aimed at data protection.

In July 2019, Capital One reported an unauthorized user broke through its security measures and accessed 140,000 U.S. Social Security numbers, 80,000 linked bank account numbers, and approximately 1 million Canadian Social Insurance Numbers. The breach affected 106 million credit card customers in the U.S. and Canada.

In November 2018, hotel chain Marriott International said it had been hacked through the Starwood guest reservation database. The personally identifiable information of about 383 million guests may have been compromised, including names, phone numbers, email addresses, birth dates, and passport numbers.

The Equifax data breach, which impacted more than 145 million American consumers, was disclosed in September 2017. Names, Social Security numbers, birthdates, driver’s license numbers, and approximately 200,000 credit card numbers — details that could be used to commit fraud — were exposed in the breach.

And in 2015, external hackers gained unauthorized access to health care company Anthem and stole a trove of sensitive information impacting roughly 80 million customers.

On a global level, Yahoo disclosed two data breaches in 2016, showing how a mountain of personal information can land in the hands of cyberthieves. Combined, the breaches at the online portal affected 1.5 billion user accounts.

The pace of data breaches remains brisk, with dozens of high-profile cybercrimes reported in the past year. The Identity Theft Resource Center ranked 2019 as a record year for data breaches. The San Diego-based nonprofit recorded 1,473 U.S. incidents, a 17% increase over the previous year. Nearly 164 million sensitive records were exposed in those data breaches, a 65 percent increase over 2018 numbers.

Here’s a quick look at those breaches by industry sector:

• Business: 644 incidents (43.7%)
• Health care/medical: 525 (35.6%)
• Education: 113 (7.7%)
• Banking/credit/financial: 108 (7.3%)
• Government/military: 83 (5.6%)

How does a data breach happen?

It might feel like cybercriminals keep coming up with new ways to steal data. But do they? The 2019 Verizon Data Breach Investigations Report identifies nine “patterns” that criminals use. They mostly remain consistent year after year and accounted for 88 percent of breaches. How does it happen? Based on the report, here’s how.

1. Insider and privilege misuse: Company insiders know the value of information and sometimes they steal it. Maybe they sell it or use it to start a new company.
2. Physical theft and loss: A laptop left in a hotel lobby be used to breach protected information. However, breaches could also still involve paper documents. The loss of physical assets can be deliberate or accidental.
3. Denial of service: These attacks target networks and systems. Distributed denial of service attacks often target large organizations by flooding and overloading systems to disrupt service.
4. Crimeware: This includes various types of malware — short for malicious software — or social engineering attacks. Specifically, criminals might use:
   • Ransomware: This kind of malware holds computer files hostage until the victim pays to unlock them — though they might not get unlocked.
   • SQL injection: In this type of attack, a hacker inserts arbitrary code into an online user web form. If the form isn’t handled properly when passed through the backend database, it can corrupt the website.
   • Phishing attempts: Phishing is a type of social engineering attack in which the cyberthief poses as a trusted source and contacts the victim through email, phone call, direct chat, or text message. The goal is to trick the victim into installing malware or sharing personal information, such as bank account info or passwords.
5. Web application attacks: When you sign up for a web application, you often share personal details. Attackers steal data such as names, addresses and other information and use them elsewhere.
   
6. Payment card skimmers: Criminals can place a skimming device on a credit card reader to steal personal and financial information. Two popular targets: ATMs and gas pump terminals.
   
7. Cyber-espionage: This is a malicious email linked to state-affiliated actors. The goal is to pierce a system and steal information over time.
   
8. Point-of-sale intrusions: Remote attacks target point-of-sale terminals and controllers. Restaurants and small businesses have seen increased assaults.
   
9. Miscellaneous errors: Security accidents can compromise data. This includes the inadvertent release or loss of anything containing sensitive data.
   
10. Everything else: This pattern has variety. Lately, it includes compromised email accounts, where a cyberthief posing as the company “CEO” might order an employee to wire transfer funds for a believable reason. When someone in company finance, say, follows the bogus directive and wires money to a criminal’s account, it can have unbelievable results.
    

What can criminals do with the data they steal?

Cybercriminals don't just hold on to the information they access — they may find ways to exploit it for personal gain. Here are some examples.

Use it to steal your money or use your benefits. Depending on the information they have, a cyberthief may be able to:

• Open and use new credit cards under your name.
• Withdraw money from your banking or investment accounts.
• File a tax return in your name and take the tax refund.
• Get medical treatment using your health insurance. 
• Apply for government benefits.
• Open utility or telecom accounts.
• Steal and use your credit card rewards, such as airline miles. 

Sell it on the dark web. Criminals who access a lot of stolen information often trade or sell it on the dark web. According to Experian, Social Security numbers might go for $1 each, a credit card number could sell for up to $110, and a U.S. passport might fetch up to $2,000.

Data breaches: How can you help protect your personal data?

It’s always smart to try to keep your data safe. Even so, you probably have provided personal information to a lot of places. That might include your bank, employer, doctor’s office, and favorite restaurant. They all have a responsibility to keep your personal information secure, but that doesn’t always happen. Things go wrong.

You can take steps to strengthen your personal defenses against the damage which could result from your data being breached. Here’s a partial checklist:

• Shred documents.
• Use secure websites.
• Give your Social Security number only when absolutely required.
• Create strong, secure passwords using uppercase and lowercase letters, non-sequential numbers, and special characters symbols. You can even find unusual approaches for boosting password strength.
• Use different passwords on every different account. This can help minimize the damage if one of your account passwords is exposed or compromised.
• Make sure your computers and mobile devices are running the latest versions of operating systems and applications.
• Frequently monitor your transactions online and your monthly financial account statements to make sure transactions are accurate.
• Regularly check your credit reports to confirm that identity thieves haven't opened credit card accounts or loans in your name.

How can you recover if your data is exposed in a data breach?

If you've been affected by a data breach, here are steps you should take right away.

• Find out what kind of data was stolen. U.S. companies are required to notify customers if their information was breached. If you get this type of notification, try to pinpoint which accounts might be compromised and consider accepting whatever help the company offers. This may include free credit monitoring. 
• Contact your financial institution. Whether it's your credit card issuer or your bank, discuss next steps such as changing your account numbers, disputing or canceling fraudulent charges, and setting up fraud alerts.
• Change and strengthen your passwords on all accounts. Even accounts that weren't breached might be compromised later, especially if you've been using the same passwords. A password manager can help you create strong passwords, keep them safe, and let you access them when needed.
• Check your free credit reports. Visit AnnualCreditReports.com to request your annual free credit report from each credit bureau. This can help you spot errors and fraud, such as new accounts you didn't authorize. Also consider freezing your credit files to stop anyone from opening new accounts in your name. Remember, you'll have to lift the freeze if you need to open new accounts later.
• Look for suspicious activity. Monitor your accounts and look for suspicious activity. This may include charges or withdrawals you didn't make or new accounts that appear on your credit report. 

The takeaway: It’s important to take steps to help protect your personal information. It’s also important to realize what happens when you share personal information: You likely have little control over how your information is secured or what could happen to it in the event of a data breach.