A data breach is an incident in which a victim’s sensitive information is accessed without permission.
That's according to Patrick Costello, co-founder of cyber insurance firm Evolve MGA, which specializes in helping businesses get coverage for all the costs associated with cyberattacks and data breaches, including loss of income, reputational harm and extortion costs.
While there are many different types of data breaches, Costello says ransomware claims are the most common.
Costello explained ransomware like this: A user gets a notice on a computer, smartphone or another device that says something like, "This is an FYI: You won't be able to access your computer system or data unless you pay us a select amount of cryptocurrency in 24 hours. And if you don't, we'll shut down your systems or expose all your information on the internet."
Evolve and other cybersecurity firms receive ransomware claims the most often because this type of attack is successful for bad actors in the sense that it creates panic among victims and therefore gives attackers access to data and money in a very short period of time.
Many of these attackers remain anonymous and are hard for law enforcement to track down because they operate from foreign countries. Ransomware is also fairly easy for cybercriminals to get their hands, or cursors, on.
"You can literally download ransomware from the dark web and send it out to the masses," Costello told FOX Business.
He brought up one example of a broker his company discovered on the dark web "who was giving away ransomware software for free and then taking a commission" from the criminals who used it to make money.
"Ransomware attacks are reported every 40 seconds," he said, but "the majority of businesses never report it."
Why? Because they want to protect their reputations as trustworthy companies, especially if they have lots of local customers or a few select vendors who trust the security of their services. These companies don't want their clients or vendors thinking they have not been diligent enough about cybersecurity.
Some major companies that have fallen victim to ransomware attacks include Sony, the Coast Guard, Pitney Bowes and a number of major U.S. cities and hospitals, according to a Feb. 9 New York Times report. The FBI also issued a PSA in October warning of a rise in targeted ransomware and outlining best practices for reporting and avoiding these attacks.
Another very common type of cyber claim is wire transfer fraud, Costello said. The FBI reported in September that emailed wire fraud scams between June 2016 and July 2019 led to a domestic and international net loss of $26 billion.
Businesses often fall victim to wire transfer fraud by clicking on things they shouldn't, like emails from attackers who pose as trusted sources asking for information.
When victims give up that information and hackers gain access to their systems, their private accounts are exposed and criminals can plan the perfect fraudulent wire request. Costello says he markets this type of breach as WTF, or "wire transfer fraud," because that is exactly what a business owner would be thinking if they transferred money to the wrong party.
He added that the three largest classes of information targeted by data-breach cybercriminals are personally identifiable information that can be linked back to an individual; debit or credit payment card information; and protected health care information.
This information can also be accessed via phishing emails, or emails that appear to be legitimate or coming from trustworthy sources but aren't, and malware, or viruses that can be installed on a device to collect data by simply convincing a victim to click on a malicious link or download a malicious file.
Lastly, data can also be breached as a result of common human error like negligence. Leaving a device open on a table somewhere, not putting a computer to sleep while nobody is using it, not setting a proper passcode and so on can lead to a data breach. Insider threats, or people within an office who have access to information and decide to misuse it, are another common source of data breaches.
Costello said companies can protect themselves from the costs of data breaches by investing in cyber insurance, practicing good cyber hygiene, requiring employee training for safe cyber practices, employing two-factor authentication, creating strong passwords and making sure all systems are regularly tested and updated.