What Is a Data Breach?


A data breach is when information is accessed, taken, or used by a person without authorization. Data breaches can impact businesses and consumers negatively in many ways—costing them money, reputational damage, and time.

According to the Identity Theft Resource Center (ITRC), three data breaches happen every day and over 4 million records have been lost in breaches already this year, as of March 20.


Fraudsters attempt to hack into the databases of companies across all industries, not just ones that rely heavily on the use of credit cards. All companies and industries are susceptible, as well as organizations big and small.

The data is valuable to a competitor or thieves who buy and sell personal information on the dark web, also sometimes referred to as the darknet. (You can run a free dark web scan on Experian to see if your email is on the dark web.)

How Can a Data Breach Happen?

A data breach can happen for various reasons, such as criminal activity, accidents, employee negligence, or computer/system failures.

The large number of data breaches over the past few years can sometimes numb companies and employees against taking the proactive steps necessary to help prevent and plan for a data breach—a phenomenon known as "breach fatigue."

And even though breaches can be extremely costly to companies and their customers, less than half (48%) of all organizations said they feel confident that their executives are prepared to deal with a breach, according to "The Fifth Annual Study: Is Your Company Ready for a Big Data Breach?," sponsored by Experian Data Breach Resolution and the Ponemon Institute.

Proper employee training and engagement in data breach prevention can make companies less susceptible to data breaches. Many organizations and businesses have security gaps in their privileged account passwords and access.

These gaps include managers or employees at companies who have never changed their default passwords on privileged accounts, allow the sharing of accounts and passwords, use the same security for privileged accounts as standard accounts, don't seek approval for creating new privileged accounts, and don't audit privileged account activity.

The risk becomes more pronounced when employees download apps infected with malware, click on links in phishing emails, or use WiFi that has been compromised. In turn, the employees use their infected smartphone or tablet on the corporate network and to access sensitive information.

Another line is blurred when employees work from home and are using both their personal and work devices in both locations, which means hackers can gain access to a company's systems or software.

Why Data Breaches Occur

Hackers continue to seek more personally identifiable information (also known as PII) to steal money, compromise identities or sell that information over the dark web.

Online scams are always plentiful, and scammers may tailor messages around holidays or other events such as tax deadlines. Too many people continue to fall prey to emailed requests to participate in polls, surveys and contests.

Unsolicited requests to sign up and provide information may be attempts to steal your personal information. All of those are instances of hackers using malicious emails—often with fake domains—trying to portray themselves as coming from legitimate sources.

Links or attachments in an email can be used as bait and these phishing emails can easily hijack an online session to point you to other sites that download malware or ransomware to your computer.

Ransomware attacks are increasing in popularity right now with cybercriminals and are likely to become even more widespread in the next few years: ransomware against consumers went up more than 93% in 2016 while ransomware against businesses increased 90%, Malwarebytes reported in their 2017 State of Malware Report.

These ransomware attacks occur when hackers steal data and hold it ransom until the company or owner agrees to pay a set amount of money for the private keys to regain access.

Ransomware has even affected hospitals and cities, including Atlanta, which had to shut down online systems during the ordeal to prevent more data from being stolen. Many victims are asked to pay their "ransom" in Bitcoin because the owner of the cryptocurrency can be anonymous.

Another growing risk is that activists or criminals who are not motivated by money will use ransomware as a destructive tool—to disrupt an active investigation, shut down a government agency, or put a company out of business. The intent of these criminals is not money but solely to destroy files and otherwise disrupt an organization's activity.

One of the best defenses against ransomware is a strong backup of the data as well as measures to avoid malware such as software updates and phishing awareness.

What Companies are Doing About Data Breaches

Companies have guidelines in place from the SEC related to what they must do to protect data and report if they have a data breach or security incident.

There are also state-by-state laws related to data-breach reporting. Additionally, according to the General Data Protection Regulation (GDPR), any organization storing data belonging to EU (European Union) citizens is subject to additional compliance beginning May 25.

Furthermore, many companies are tightening security measures and reassessing procedures to better protect the data they house. However, there is room for improvement: While 88% of companies Experian surveyed said they have a data breach preparedness plan, 66% have scheduled no time to review or update them.

What You Can Do About Data Breaches

Companies are ultimately responsible for the information they keep in their databases and systems. However, as a consumer, you should also adopt a security strategy where unknown senders of emails are questioned constantly and cybersecurity protections are up to date.

It's also important to be selective about what you share. For instance, if a company asks you to provide a Social Security number and you don't see the purpose for them to have it, ask before handing that information over.

Also, you can choose who you share your information with by doing business with companies that value security and that outline on their website what they do to keep your information secure.

Phishing schemes from emails are always plentiful and now smishing is the latest way to defraud people. Smishing works in a similar fashion, but occurs in texts and uses social engineering to con people.

Installing the latest software on your home computer is not sufficient. You also need to update your mobile devices and tablets and make sure any connected devices in your home are up to date as well.

What To Do After a Data Breach

You can take steps after you're involved in a data breach, but the specific actions recommended may depend on the type of breach and the personal information compromised. For instance, if your Social Security number is stolen, it's a bit more complicated to resolve than a data breach involving your credit card number.

Read here for more information on specific steps to take after a data breach, such as putting a fraud alert on your credit report and closely monitoring all your accounts. You may need to file an identity theft report with the FTC if your identity is stolen after a data breach or consider filing a police report.

How To Limit the Impact of a Data Breach

It's not just immediately after a data breach that you should be on guard. Because identity thieves know consumers get less concerned as time goes on, they may hold onto personal information for a while before attempting to use it. Information sells for fairly low amounts on the dark web, so it can pop back up and cause you harm long after the breach occurs.

That's why it's also a good idea to check your credit report on a regular basis to see if a thief has attempted to open a new credit card or another account in your name. Consumers can obtain their credit report for free every 12 months via AnnualCreditReport.com from Experian, Equifax, and TransUnion. You can also get a free copy of your Experian credit report and dispute anything inaccurate on your Experian credit report here on Experian.com.
