Leak vs. Hack: Same or Different?

Leak vs. hack: both wreak havoc, sometimes epic, but are they the same? Nope. What’s the difference and why does it matter?

The Difference

A data leak is an accident and there isn’t a “bad actor” causing the issue. It happens when:

  • there’s a mistake by a tech provider or by a tech customer (could be either one – and worse, could be both in a perfect storm) and

  • the mistake causes data to be released on the dark web or another place it shouldn’t be disclosed.

Here are a few data leak examples:

  • A provider overlooks its normal process of “freezing” its software code in anticipation of updating to a new version. A “freeze” is exactly as it sounds: the existing code is kept in place until the new version is installed so there isn’t an errant minor code tweak or update that monkeys with the new version. When a code freeze is overlooked, a tweak can come in sideways and cause unintended consequences, the door opens and data leaks out.

  • Unbeknownst to those involved, an aspect of the customer’s environment isn’t documented or is incorrectly configured, processes are not standardized, or appropriate attention isn’t paid to good cyber hygiene. When a software product is added or updated or some integrated system is tweaked, it doesn’t play well with the “thing they didn’t know”, unintended consequences follow and data leaks out.

On the other hand, a hack (aka a cyberattack) is not an accident and involves a “bad actor” with criminal intentions. It happens when:

  • a cybercriminal breaks through the security practices of a business and accesses company data, customer data or some other valuable data and

  • alters, steals, exposes, or takes some similar action with the data it finds.

Here are a few hack examples:

  • A bad actor uses real login information to access a system, so it appears to the business that the real Josie or Tom is accessing the system. However, in an average of about an hour, the bad actor starts moving laterally and maneuvering through the digital environments as deeply and broadly as possible to capture data. This can be difficult to detect because it requires a deeper level of monitoring that notes the “typical” behavior of users and figures out when a user is acting oddly.

  • A bad actor uses artificial intelligence to develop fake images and audio or video that trick a user into thinking she is dealing with a real person who has authority at the company to authorize actions to be taken, e.g., transferring money or allowing access to systems.

  • A bad actor infiltrates the system of a service provider so that when the service provider appropriately accesses or interacts with its customer’s systems, the bad actor travels down the highway over into the customer’s system and continues its hack there.

Why It Matters

Although ransom demands can occur after either a data leak or hack, there are a few risk and liability distinctions between the two:

One risk associated with a data leak, as opposed to a hack, is that it’s hard to figure out whether the data was accessed after being leaked, because the data is now in a place that cannot be monitored (vs. being solely contained in its “normal”, hopefully monitored environment). This means a business likely doesn’t know the data was leaked until cybercriminals pick up the leaked data and use it for fraud, black market sales or another extortive goal. It can be a frustrating “last to know” scenario. However, this risk could be mitigated with data leak detection and attack surface management tools that aim to prevent and/or detect data leaks.

An important liability distinction between a data leak and a hack is that technology contracts may include a higher amount of liability for the service provider for a hack. Customers tend to have narrow vision on fallout from a hack. However, a data leak or a “mistake” by the service provider is usually not covered in the higher liability amount, which means that consequences of the mistake likely fall into a limited liability of perhaps twelve months’ fees or something similar. There are several legal negotiation answers to this dilemma and a good technology transaction lawyer can assist you.

P.S.

This is a much deeper subject, so only a note here that when a data leak or hack includes personal data, laws about remediation and notification to consumers or individuals may get triggered. When the data leak or hack includes proprietary trade secret information, business vulnerability to a myriad of risks can increase exponentially. Just to hear about it makes one feel queasy. Costs escalate and reputational harm can be a real threat either way.

Thanks for joining me in the riveting cyber weeds. Practically every point in this article can be a separate subject unto itself and the aim here is to provide high level information for those who don't deal with cybersecurity regularly. Not every scenario and rabbit hole is covered, and this article is informational only, not a substitute for legal advice.
