Data Breach How-to: How it’s Stolen, What’s Taken and where it goes

No business is immune to a data breach, and some of the biggest companies in the world with supposedly state-of-the-art systems and access to the most experienced privacy specialists have fallen victim.  Recent high profile cases have included Facebook, British Airways, Ticketmaster and Marriot Hotels.  But how is data stolen, what’s taken and where does it go? Read this article to find out.

With GDPR in the mindsets of consumers, new data breaches are announced regularly in the press – with the ICO publishing press releases confirming they are investigating the most severe cases.

A data breach is defined as the accidental or unlawful loss, alteration, destruction or disclosure of personal data – any information on an identifiable living person.  No organisation is immune from being targeted, whether it be by competitors, professional hackers, or disgruntled employees.

If the data breach occurs online, such as a hack, this is known as cybercrime.  This is usually carried out remotely by bypassing network security, but internal threats are also common with employees capable of stealing data.

Cyber criminals will look for weaknesses in an organisations’ online activity and take advantage of this. Once they have access to servers, whatever data is held there can be compromised. Often, the data has been breached even before the hack has been discovered.

In this article, we will answer the three main questions most people have about data breaches - how data is stolen, what’s taken and where it goes once it’s in the hands of (or on the RAID of) the cybercriminals who stole it.

How it’s stolen

“High risk” data such as passwords and bank account numbers are in high demand from fraudsters, so cybercriminals will target these first.

Organisations can implement high-end online security frameworks, such as ISO27001, but if a hacker is determined, they will find a way into your database or network.

According to research from Trend Micro, most data breaches are a result of hacking or malware (25%) and the second most common cause of data breach is portable device loss (24%). Up third it’s unintended disclosure at 17.4%, up fourth it’s insider leaks at 12%, and up fifth it’s physical data loss at 11.6%.

In the case of cyberattacks, these are coordinated and follow a structure. What follows is the structure a data breach takes, using the example of an external hacker.

Phishing Emails

Phishing is an email fraud method in which the perpetrator sends out a legitimate looking email to gather personal data from recipients. They trick you into divulging information such as bank details, usernames and passwords. If a phishing email is opened, this could prompt your email server to send an identical email to your Outlook contacts, thus helping it to spread.

Spear-phishing is when a specific individual is targeted in an attempt to steal sensitive information from that person – it is not a random attack.



The cybercriminal will research the organisation he is targeting. He needs to know the network structure and design. Only with this information can he exploit the network and truly understand its security weakness. Any security weakness can be exploited, maybe even silently which can be a very scary prospect.


The attack happens within a set window of time. You can think of the attack as the sound when someone pulls the trigger on an AK-47 - the crack of the bullets firing until the clip is emptied is reminiscent of the efficiency of coordinated cyberattacks. There’s a huge range of attacks, such as SQL injection, Malware and Denial-of-service (DoS). The most relevant to a specific case depends on where the data is located.

In the case of internal data theft, the rogue employee will likely have insider knowledge and access to the data they intend to steal. This means stealing data for them can be as simple as copying files to a USB stick and walking right out the door.

Morrisons Supermarket fell victim to this in 2014, when a member of staff stole the personal details of nearly 100,000 fellow members of staff and posted them online.  The individual in question was sentenced to eight years prison for theft and the incident cost Morrisons £2m to rectify.

The GDPR allows individuals affected by data breaches to take out class action lawsuits against organisations if they have failed to adequately protect their data. In the case of Morrisons, questions were raised as to why their systems allowed an individual to download a vast amount of data without approval from another member of staff.


Once the hacker or cybercriminal has access to a computer, server, database or network, they can tunnel their way to the data they need and extract it. Depending on the size of the data, this can take hours, but many organisations remain unaware of a data breach until after it has happened.

What’s taken

This depends on the breach because different sources yield different information.

Personally identifiable information is by far of the most value to cybercriminals, together with payment card records. If this information is unencrypted, this can leave victims open to fraud, identity theft and even blackmail.

Compromised data can come in many forms, but in the case of business breaches it is usually the personal information of customers like names, addresses, and email addresses.

The login details for online retail accounts are also popular as they are likely to contain purchase history, delivery and billing addresses, saved financial information and passwords.  Aside from the loss of data, this also creates a PR nightmare for the retailer.

In the case of healthcare and medical, compromised data is almost always patient information, including dates of birth, names and sometimes National Insurance Numbers in the case of private healthcare.

Whatever the source, however, the vast majority of cyberattacks are aimed at an organisation, company or institution, and not the end user. The aim with most data breaches is to steal data in bulk, not one person’s data. An exception might be someone in a position of power in local government or the military - such as the hack of social media accounts and “cloud” servers of German politicians, celebrities and journalists.


Where it goes

Tracing the movement of stolen data is difficult because it usually exchanges hands ‘behind closed doors’ with no record of transaction. It is illegal after all.

Because the vast majority of cybercriminals steal data in bulk, the data will usually find its way onto the dark web and is sold anonymously. Criminals buy up this information for purposes including telephone fraud, identity theft and blackmail.

Sometimes, a cybercriminal will hack into a network and steal data ‘blind’ which means they do not know what they are going to get. This ‘smash and grab’ approach can lead to the hacker stealing data that’s encrypted and useless. In this case, the data will usually be stored away for such a time that it becomes valuable.

The grey market is also a target, with data being sold to legitimate organisations without the appropriate due diligence being conducted on the purchase.

Ever received an email from an unscrupulous address asking if you’d like to buy a spreadsheet of data?  This is likely to have come from illegal activity. If the seller cannot give you assurances or guarantees as to how the data has been collected and visibility of the consent gained, then it is best avoided – and would be illegal for you to use anyway.