Security Breach

A security breach (also “data breach”, “security incident”, or “security compromise”) is an incident that results in unauthorized access to data, applications, services, networks, or devices. Such an incident can compromise the confidentiality, integrity, or availability of sensitive information, resulting in exposure of personal data, financial losses, reputational damage, and possible violations of data protection regulations such as GDPR and CCPA. Prevention, detection, and incident response strategies are therefore fundamental to minimizing the impact of these incidents.

What is a Security Breach?

A security breach is any incident that compromises the confidentiality, integrity, or availability of information or systems. A security incident occurs when an entity attempts to gain unauthorized access to an organization’s data or infrastructure, or to circumvent its security policy, putting confidential information at risk. Attackers, whether internal or external, are the primary source of unauthorized access attempts. They represent a constant threat to organizations because they can exploit any vulnerability in the infrastructure, using a variety of techniques, at any time.

The most common security incidents include distributed denial of service (DDoS) attacks, malware, ransomware, phishing, and insider threats. Each of these incident types can result in a security breach, depending on whether it succeeds and on the level of compromise achieved.

Types of Breaches

By Access Method

  • Stolen credentials: Use of compromised credentials
  • Vulnerabilities: Vulnerability exploitation
  • Malware: Malware infection
  • Social engineering: User manipulation

By Data Type

  • PII: Personally identifiable information
  • PHI: Protected health information
  • PCI: Payment card information
  • Intellectual: Intellectual property

By Scope

  • Internal: Internal breaches
  • External: External breaches
  • Hybrid: Combination of both
  • Systemic: Affects multiple systems

Breach Phases

Detection

  • Monitoring: Monitoring systems
  • Alerts: Automatic alerts
  • Analysis: Event analysis
  • Confirmation: Incident confirmation

Containment

  • Isolation: System isolation
  • Blocking: Access blocking
  • Preservation: Evidence preservation
  • Communication: Internal communication

Investigation

  • Forensics: Forensic analysis
  • Timeline: Event reconstruction
  • Scope: Scope determination
  • Impact: Impact assessment

Recovery

  • Cleaning: Threat removal
  • Restoration: System restoration
  • Validation: Security validation
  • Monitoring: Continuous monitoring
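The Detection phase above (monitoring, automatic alerts, analysis, confirmation) as an added worked example that is not part of the original page: a small Python detector that scans constructed sshd-style authentication log lines for the stolen-credentials pattern listed under "By Access Method" (a run of failed logins from one source followed by a successful login for the same account) and raises an alert for an analyst to confirm. The log format, the host and source addresses, and the threshold of five failures are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from any real system). The format
# imitates a syslog line from sshd; only the fields the regex names are used.
SAMPLE_LOGS = """\
Mar 10 09:12:01 bastion sshd[2001]: Failed password for alice from 203.0.113.7 port 50122 ssh2
Mar 10 09:12:03 bastion sshd[2001]: Failed password for alice from 203.0.113.7 port 50123 ssh2
Mar 10 09:12:05 bastion sshd[2001]: Failed password for alice from 203.0.113.7 port 50124 ssh2
Mar 10 09:12:07 bastion sshd[2001]: Failed password for alice from 203.0.113.7 port 50125 ssh2
Mar 10 09:12:09 bastion sshd[2001]: Failed password for alice from 203.0.113.7 port 50126 ssh2
Mar 10 09:12:12 bastion sshd[2002]: Accepted password for alice from 203.0.113.7 port 50127 ssh2
Mar 10 09:15:40 bastion sshd[2003]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar 10 09:30:00 bastion sshd[2004]: Accepted publickey for carol from 192.0.2.44 port 41000 ssh2
"""

# Assumed line layout: "<timestamp> <host> sshd[<pid>]: <Failed|Accepted> <method> for <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_lines(text):
    """Monitoring step: turn raw log text into structured events, skipping
    lines that do not match the expected authentication format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_compromise(text, threshold=5):
    """Alerting and analysis step: for each (source IP, user) pair count
    consecutive failed logins; if a success follows at least `threshold`
    failures, emit an alert. The alert carries status "confirm" because the
    Confirmation step (a human deciding it is a real incident) is out of scope
    for an automated rule. Returns the alerts in log order."""
    failures = defaultdict(int)  # (src, user) -> failures since last success
    alerts = []
    for ev in parse_lines(text):
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        # A successful login: check whether it was preceded by a failure burst.
        if failures[key] >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures_before_success": failures[key],
                "at": ev["ts"],
                "status": "confirm",   # hand to an analyst for confirmation
            })
        failures[key] = 0  # a success resets the counter for this pair
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_compromise(SAMPLE_LOGS):
        print(alert)
```

In the constructed sample, only the burst against `alice` from 203.0.113.7 trips the rule; the single failure for `bob` and the key-based login for `carol` produce no alert. The threshold is deliberately a parameter so that a team can tune it against its own false-positive rate during the analysis step.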

Compromise Levels and Criticality

The severity of a security breach depends not only on the type of attack or the volume of compromised data, but fundamentally on the criticality of the affected system or asset and the scope of impact on the organization’s operations. Evaluating the compromise level requires considering multiple factors that determine the real severity of the incident.

System Criticality Factors

Criticality of the Affected Asset

A system’s criticality is determined by its function, importance to the business, and the impact of its compromise:

  • Critical Production Systems: Production servers that support essential business operations, such as DNS servers, customer databases, payment systems, or authentication infrastructure. A breach in these systems has immediate and severe impact.

  • Support Systems: Systems that are not critical but affect a significant number of users or operational processes. The impact is moderate but requires priority attention.

  • Non-Critical Systems: Development, testing, or internal systems with limited access. The impact is low but can serve as an attack vector toward more critical systems.

  • Abandoned or Discontinued Systems: Dead application servers, legacy systems without maintenance, or obsolete infrastructure. Although apparently of low criticality, they can represent a significant risk if they contain residual data or serve as an entry point for lateral movement.

Compromise Level Scale

Level 1 - Critical

Characteristics:

  • Compromise of critical production systems (DNS, main databases, authentication systems)
  • Unauthorized access to sensitive data (PII, PHI, PCI) in active systems
  • Immediate impact on business operations
  • Potential for propagation to other critical systems

Examples:

  • Compromise of a production DNS server that affects name resolution for the entire organization
  • Unauthorized access to a production customer database with payment card information
  • Breach in an authentication system that compromises credentials of multiple users

Required Response:

  • Immediate activation of the incident response team
  • Notification to executives and stakeholders within 1 hour
  • Immediate containment and isolation of affected systems
  • Regulatory notification as applicable (GDPR, CCPA, etc.)

Level 2 - High

Characteristics:

  • Compromise of support systems or non-critical systems with access to sensitive data
  • Impact on a significant number of users (tens to hundreds)
  • Moderate impact on operations but with potential for escalation
  • Evidence of lateral movement attempts or privilege escalation

Examples:

  • Compromise of a non-critical application server that contains internal user data
  • Breach in a development system that has hardcoded credentials toward production systems
  • Unauthorized access to a shared file server with confidential information

Required Response:

  • Activation of the response team within 2 hours
  • Notification to security management and CISO
  • Planned containment and forensic analysis
  • Assessment of impact and escalation potential

Level 3 - Medium

Characteristics:

  • Compromise of non-critical systems with non-sensitive or limited data
  • Impact on a small number of users (a few to tens)
  • Limited impact on operations
  • No evidence of propagation or escalation attempts

Examples:

  • Compromise of an individual workstation with limited access
  • Breach in a test server without real data
  • Unauthorized access to an internal documentation system without sensitive information

Required Response:

  • Planned response within 4-8 hours
  • Notification to operational security team
  • Standard investigation and remediation
  • Incident documentation

Level 4 - Low

Characteristics:

  • Compromise of abandoned, discontinued, or very low criticality systems
  • No access to sensitive data or active systems
  • Minimal or no impact on operations
  • Isolated system without propagation capability

Examples:

  • Compromise of an abandoned server from a dead application without residual data
  • Breach in a legacy system disconnected from the main network
  • Unauthorized access to an isolated development server without active credentials

Required Response:

  • Routine response within 24-48 hours
  • Residual risk assessment
  • Disconnection or decommissioning of the system if appropriate
  • Documentation for future reference

Important Note: Although an abandoned system may seem of low criticality, it must be carefully evaluated because it may:

  • Contain residual data not properly deleted
  • Serve as an entry point for lateral movement toward more critical systems
  • Maintain credentials or configurations that compromise other systems
  • Represent a compliance risk if it contains regulated information

Criticality Assessment Matrix

The compromise level evaluation must consider:

  1. System Criticality: How critical is the affected system for operations?
  2. Data Type: What type of information is compromised? (PII, PHI, PCI, intellectual property, etc.)
  3. Affected Scope: How many users, systems, or processes are affected?
  4. Propagation Capability: Is there evidence of lateral movement or escalation attempts?
  5. Operational Impact: How does this affect business operations?
  6. Regulatory Requirements: Does it require regulatory notification according to GDPR, CCPA, HIPAA, etc.?
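The Compromise Level Scale and the six-factor Criticality Assessment Matrix above, as an added worked example that is not part of the original page: a Python triage helper that derives one candidate level per factor, takes the most severe, and attaches the response expectations the page lists for that level. The `Incident` fields, the rule that "tens" of users starts at 10, and the decision to raise an abandoned system to Level 2 when it still holds residual data or credentials (the page's "Important Note") are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Regulated data categories named on the page; any of these triggers the
# regulatory-notification check (factor 6).
SENSITIVE_DATA = {"PII", "PHI", "PCI"}

# Response expectations per level, summarised from the "Required Response" lists.
RESPONSE = {
    1: ("Critical", "immediate activation of the incident response team",
        "executives and stakeholders within 1 hour; regulators as applicable"),
    2: ("High", "activation of the response team within 2 hours",
        "security management and CISO"),
    3: ("Medium", "planned response within 4-8 hours",
        "operational security team"),
    4: ("Low", "routine response within 24-48 hours",
        "documentation for future reference"),
}


@dataclass
class Incident:
    """Assumed input shape for the assessment (constructed for this example)."""
    system_criticality: str                       # "critical" | "support" | "non_critical" | "abandoned"
    data_types: set = field(default_factory=set)  # subset of {"PII", "PHI", "PCI", "IP"}
    system_active: bool = True                    # the compromised data sits in an active system
    affected_users: int = 0
    org_wide: bool = False                        # e.g. DNS outage for the whole organization
    propagation_evidence: bool = False            # lateral movement / privilege escalation observed
    operational_impact: str = "none"              # "immediate" | "moderate" | "limited" | "none"
    residual_data_or_credentials: bool = False    # abandoned system still holds data or credentials


def factor_levels(inc: Incident) -> dict:
    """One candidate level (1 = most severe) per matrix factor."""
    levels = {}
    # 1. System criticality, straight from the asset classes on the page.
    levels["system"] = {"critical": 1, "support": 2,
                        "non_critical": 3, "abandoned": 4}[inc.system_criticality]
    # 2. Data type: sensitive data in an active system is Level 1, elsewhere Level 2.
    if inc.data_types & SENSITIVE_DATA:
        levels["data"] = 1 if inc.system_active else 2
    elif inc.data_types:
        levels["data"] = 3   # non-regulated data such as internal documents or IP
    else:
        levels["data"] = 4
    # 3. Affected scope. Assumption: "tens to hundreds" starts at 10 users.
    if inc.org_wide:
        levels["scope"] = 1
    elif inc.affected_users >= 10:
        levels["scope"] = 2
    elif inc.affected_users >= 1:
        levels["scope"] = 3
    else:
        levels["scope"] = 4
    # 4. Propagation capability: evidence of lateral movement is a Level 2 trait.
    levels["propagation"] = 2 if inc.propagation_evidence else 4
    # 5. Operational impact.
    levels["impact"] = {"immediate": 1, "moderate": 2,
                        "limited": 3, "none": 4}[inc.operational_impact]
    # "Important Note": an abandoned system with residual data or live
    # credentials is not Low. Assumption: treat it as High.
    if inc.system_criticality == "abandoned" and inc.residual_data_or_credentials:
        levels["residual"] = 2
    return levels


def classify(inc: Incident) -> dict:
    """Overall level is the most severe factor; attach the page's response expectations."""
    factors = factor_levels(inc)
    level = min(factors.values())
    name, action, notify = RESPONSE[level]
    return {
        "level": level,
        "name": name,
        "action": action,
        "notify": notify,
        # 6. Regulatory requirements: regulated data means a notification check.
        "regulatory_notification": bool(inc.data_types & SENSITIVE_DATA),
        "factors": factors,
    }


if __name__ == "__main__":
    # Constructed cases mirroring the page's own examples.
    print(classify(Incident("critical", org_wide=True, operational_impact="immediate")))
    print(classify(Incident("non_critical", propagation_evidence=True, operational_impact="limited")))
    print(classify(Incident("abandoned")))
```

Taking the minimum across factors is what keeps the page's own examples consistent: a development server is a non-critical asset (Level 3 by factor 1), but hardcoded credentials toward production are propagation evidence, so it lands at Level 2 as the page states; an abandoned server with no residual data stays at Level 4, while the same server with residual PII is escalated and also flagged for regulatory review.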

Impacts

Financial

  • Fines: Regulatory penalties
  • Lawsuits: Legal costs
  • Revenue loss: Business interruption
  • Remediation costs: Recovery expenses

Reputational

  • Trust: Loss of trust
  • Reputation: Reputation damage
  • Customers: Customer loss
  • Partners: Impact on relationships

Operational

  • Interruption: Service interruption
  • Productivity: Productivity loss
  • Resources: Resource usage
  • Time: Recovery time

Prevention

Technical Controls

  • Encryption: Data encryption
  • Access: Access control
  • Monitoring: Continuous monitoring
  • Patches: Patch management

Administrative Controls

  • Policies: Security policies
  • Procedures: Security procedures
  • Training: Staff training
  • Audits: Regular audits

Physical Controls

  • Access: Physical access control
  • Devices: Device security
  • Media: Media protection
  • Facilities: Facility security

Breach Response

Response Plan

  • Team: Response team
  • Roles: Role definition
  • Procedures: Response procedures
  • Communication: Communication plan

Notification

  • Internal: Internal notification
  • Regulators: Notification to regulators
  • Customers: Notification to customers
  • Media: Communication with media

Recovery

  • Cleaning: System cleaning
  • Restoration: Service restoration
  • Validation: Security validation
  • Improvements: Improvement implementation

Related Terms

  • Incident Response - Process for responding to security breaches
  • Attack Vectors - Methods that cause security breaches
  • Patient 0 - First system compromised in a breach
  • IOC - Indicators of compromise in breaches
  • APT - Persistent threats that cause breaches
  • SIEM - System that detects security breaches
  • SOAR - Automation of response to breaches
  • EDR - Tool that detects breaches
  • Firewall - Device that prevents breaches
  • Antivirus - Tool that prevents breaches
  • Hardening - Hardening that prevents breaches
  • CISO - Role that manages security breaches
  • Ransomware - Type of malware that causes security breaches
  • DRP - Recovery plan for security breaches
