“What is a hack, exactly? And what’s the difference between a hack and a data breach?”
Given the frequency with which hacks and data breaches occur, we get asked these questions a lot.
You’ll see many mainstream media outlets using these words interchangeably. Though the two sometimes overlap, there are some key differences between them that you should know.
When it comes to the safety and privacy of your information, it’s imperative that you are vigilant and informed.
What Is a Hack?
A hack is an intentional attack perpetrated by a malicious actor who gains unauthorized access to a protected system (e.g. computer, server) in order to steal private information or hold the system ransom.
A hack can be carried out by a single hacker or by an organized group of hackers. The way in which hackers attack a system can vary—some use sophisticated hacking techniques that require immense skill to penetrate systems and disable defense mechanisms while others (referred to as script kiddies) rely on software programs to do the hacking for them.
It’s important to note that not all hackers are criminals.
In fact, every top security firm (including Dashlane!) employs hackers, called white hat hackers (as opposed to malicious black hat hackers), to constantly test their systems and identify vulnerabilities. Those firms can then patch up identified vulnerabilities and secure their defenses.
Make no mistake, though—if a company or service gets hacked, that’s bad news. It just doesn’t necessarily mean it’s bad news for you. A hack doesn’t automatically mean that your personal information has been compromised.
Examples of a hack
A hack can be as simple as the takeover of a social media account. For example, Vevo’s YouTube account was recently hacked, and the hackers deleted the most-viewed YouTube upload of all time: Luis Fonsi’s “Despacito,” which had garnered over 5 billion views on Vevo’s channel (it has since been re-uploaded).
While tragic for “Despacito” lovers across the globe, no YouTube or Vevo customer data was compromised in the hack.
On the opposite side of the spectrum, some hacks are extraordinarily damaging.
Take, for example, the Equifax hack. Not only was Equifax’s reputation irreparably damaged as a result, but highly sensitive information of over 143 million Americans was also put at risk.
Many hacks are financially motivated, like the Mt Gox exchange hack that saw 740 thousand Bitcoins disappear into thin air during the attack. The company, which handled over 70% of all Bitcoin transactions worldwide at the time, went bankrupt later that year.
What Is a Data Breach?
A data breach occurs when data that is unintentionally left vulnerable in an unsecured environment is viewed by someone who shouldn’t have access to that data.
While hacks are the result of malicious behavior, breaches happen as a result of negligence, human error, or other non-malicious behavior that creates a security vulnerability.
The word “breach” is often used to cover a number of different cybersecurity compromises, including hacks.
Wait…so, what’s the difference between a hack and a data breach?
In the above case of Vevo’s YouTube account, the hack didn’t result in a data breach. Hackers simply penetrated a system maliciously and deleted some content online. They didn’t expose any company or customer data. Thus, there was no data breach.
In the case of Equifax, however, the hack did result in a data breach. The personally identifiable information (PII) of over 143 million Americans became available to the attackers, who shouldn’t have had access to that data. The data was unintentionally at risk because of negligence—Equifax neglected a vulnerability in their software that should have been eliminated.
A less destructive example of a hack that led to a data breach because of a vulnerability is the Under Armour MyFitnessPal data breach. In that case, over 150 million users had their usernames, email addresses, and scrambled passwords exposed because of a hack.
There are also cases where your data can be part of a data breach because it is exposed online, without it being the result of a hack.
A relevant example of this is the Facebook and Cambridge Analytica data breach. While 87 million users had their information exposed to Cambridge Analytica through Facebook, Cambridge Analytica didn’t collect that information maliciously through an attack. Rather, they were able to collect that data through a loophole in Facebook’s API (not via hacking).
As you can see, not all hacks result in data breaches, and not all data breaches are the result of a hack. There are key differences between the two.
The more you understand those differences, and ultimately, how these cybersecurity lapses occur, the better chance you have of reacting appropriately to such situations and protecting yourself and your sensitive personal or financial data from malicious attackers—or simple negligence!