First things first, I just want to clarify some common misconceptions about security and privacy.
Firstly, some people lump security and privacy into the same bucket. They are closely related, but there are distinct differences between the two. A common misunderstanding is that they are more or less the same thing; in fact they address different aspects of data protection.
Security is protecting data against unauthorized access. It boils down to: if you are not allowed to have access, or we do not want you to have access, you should not have access. It is enforced with things like access controls, encryption and firewalls.
Privacy, on the other hand, is using the data that is there appropriately: with proper consent, notice to the people the data is about, and compliance with the relevant regulations.
Another misconception is that if you have very strong security, your privacy is guaranteed. That is not the case.
While strong security is essential for maintaining data privacy, you also need the aforementioned aspects: informing users about how their data is used, allowing them to effectively consent (hopefully), and being transparent about how the data is managed. A company may protect the data with strong security measures, but that does not guarantee the company will not misuse the data itself.
Apple is probably a good example of this. They tell people that they are a very privacy-focused company, yet are they really much better than Google or anybody else? They want the data for the same purposes: to sell more products and to learn more about users' demographics and preferences.
Protecting the data and keeping it enclosed in their own ecosystem does not mean they care about user privacy in every way they claim.
Privacy is not limited to personal information in isolation. You also have to consider the context in which the data is used and shared. If a user consents to their data being used in a particular way, the company can still undermine that user's privacy by sharing it in a way the user has not consented to. All of this can happen while the data remains "secure".
Another misconception is that pseudonymizing or anonymizing data fully protects the user's privacy. That is not necessarily the case, and sometimes it is not possible to anonymize all of the data.
If the data is not handled correctly, multiple pieces of it can be linked together to reconstruct personal information, so the risk is not limited to any single data point. This leads into the next misconception.
That only sensitive data needs to be protected. This is not true, because pieces of information that are harmless on their own can be combined to identify a person. GDPR reflects this: its definition of personal data covers information that identifies a person directly or indirectly, so data that only becomes identifying in combination with other data still counts and still needs to be protected.
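The two points above (pseudonymized data is not anonymous, and harmless-looking fields become identifying in combination) are easier to believe with a worked example. The following Python is an added illustration and not code from the original post: it builds a small constructed "pseudonymized" medical extract whose direct identifier (the e-mail address) was replaced by an unsalted SHA-256 hash, then re-identifies most of the people in it by joining on the quasi-identifiers that were left in place (ZIP code, date of birth, sex) against a constructed public list. It also shows a dictionary attack on the unsalted hash, measures k-anonymity before and after coarsening the quasi-identifiers, and contrasts the hash with a keyed (HMAC) pseudonym. All records, names and the key are made up for the example.

```python
import hashlib
import hmac
from collections import defaultdict

QUASI = ("zip", "dob", "sex")  # quasi-identifiers: harmless alone, identifying together


def pseudonymize(email):
    """Unsalted SHA-256 of an e-mail: a common but weak 'pseudonymization'."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def pseudonymize_keyed(email, key):
    """HMAC-SHA256 with a secret key kept away from the data: without the key an
    attacker cannot hash guesses and compare them to the stored tokens."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


# Constructed sample: "pseudonymized" medical records (e-mail hashed, quasi-identifiers kept).
PSEUDONYMIZED = [
    {"id": pseudonymize("alice@example.com"), "zip": "02138", "dob": "1965-07-13", "sex": "F", "diagnosis": "hypertension"},
    {"id": pseudonymize("bob@example.com"),   "zip": "02138", "dob": "1971-02-02", "sex": "M", "diagnosis": "asthma"},
    {"id": pseudonymize("carol@example.com"), "zip": "02139", "dob": "1980-11-30", "sex": "F", "diagnosis": "diabetes"},
    {"id": pseudonymize("dana@example.com"),  "zip": "02139", "dob": "1980-11-30", "sex": "F", "diagnosis": "migraine"},
    {"id": pseudonymize("eve@example.com"),   "zip": "02140", "dob": "1965-01-20", "sex": "F", "diagnosis": "anemia"},
    {"id": pseudonymize("frank@example.com"), "zip": "02141", "dob": "1971-09-09", "sex": "M", "diagnosis": "eczema"},
]

# Constructed sample: a public list (think voter roll) with names and the same quasi-identifiers.
PUBLIC = [
    {"name": "Alice Adams",  "zip": "02138", "dob": "1965-07-13", "sex": "F"},
    {"name": "Bob Brown",    "zip": "02138", "dob": "1971-02-02", "sex": "M"},
    {"name": "Carol Clark",  "zip": "02139", "dob": "1980-11-30", "sex": "F"},
    {"name": "Dana Davis",   "zip": "02139", "dob": "1980-11-30", "sex": "F"},
    {"name": "Eve Evans",    "zip": "02140", "dob": "1965-01-20", "sex": "F"},
    {"name": "Frank Foster", "zip": "02141", "dob": "1971-09-09", "sex": "M"},
]


def quasi_key(record, fields=QUASI):
    return tuple(record[f] for f in fields)


def link(pseudonymized, public, fields=QUASI):
    """Linkage attack: join the two datasets on quasi-identifiers.
    Returns {pseudonymous id: [candidate names]}; exactly one candidate is a re-identification."""
    index = defaultdict(list)
    for row in public:
        index[quasi_key(row, fields)].append(row["name"])
    return {row["id"]: index.get(quasi_key(row, fields), []) for row in pseudonymized}


def count_unique(links):
    """How many pseudonymous records were tied to exactly one real name."""
    return sum(1 for names in links.values() if len(names) == 1)


def k_anonymity(records, fields=QUASI):
    """Smallest number of records sharing one quasi-identifier combination (k=1: someone is unique)."""
    counts = defaultdict(int)
    for row in records:
        counts[quasi_key(row, fields)] += 1
    return min(counts.values())


def generalize(record):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:4]
    return out


def crack_pseudonym(token, candidate_emails):
    """Dictionary attack on an unsalted hash: hash e-mails from some other leak and
    compare. Returns the matching e-mail, or None if no guess hashes to the token."""
    for email in candidate_emails:
        if pseudonymize(email) == token:
            return email
    return None


if __name__ == "__main__":
    links = link(PSEUDONYMIZED, PUBLIC)
    print("re-identified without any hash cracking:", count_unique(links), "of", len(PSEUDONYMIZED))
    print("k-anonymity as released:", k_anonymity(PSEUDONYMIZED))
    coarse = [generalize(r) for r in PSEUDONYMIZED]
    print("k-anonymity after generalizing:", k_anonymity(coarse))
    print("re-identified after generalizing:", count_unique(link(coarse, [generalize(r) for r in PUBLIC])))
    print("unsalted hash cracked to:", crack_pseudonym(PSEUDONYMIZED[0]["id"], ["mallory@example.com", "alice@example.com"]))
    keyed = pseudonymize_keyed("alice@example.com", b"constructed-secret-key")
    print("keyed token cracked to:", crack_pseudonym(keyed, ["alice@example.com"]))
```

Run as written, four of the six "anonymous" patients are tied to a name without touching the hash at all, because their ZIP, birth date and sex combination is unique (k = 1); only Carol and Dana, who share a combination, stay ambiguous. Generalizing the quasi-identifiers raises k to 2 and drops the unique matches to zero, at the cost of precision in the data. The last two lines show the other half of the problem: the unsalted hash falls to a dictionary of guessed e-mails, whereas the HMAC token does not, since the attacker cannot compute candidate tokens without the key.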
One final misconception is that a small data breach is not a big deal. It definitely can be. Even a small breach erodes users' trust in the platform, and every piece of leaked data can potentially be used in further attacks.
Let's go into the relationship between security breaches and privacy leaks. People should (ideally) understand how their behavior online affects the risk of their information being leaked, so let's go over why it is important for individuals to be conscious of what they share online.
Attackers want personal information. Why? There are many reasons: to build word lists for password-guessing attacks on people's accounts, for identity theft, for blackmail, and more. Think of it this way: the more information you share online about yourself, the higher the risk that it is collected, accessed and misused, and a data breach exposing more of that information creates a problem of cumulative risk. Each additional piece of information you share adds to that cumulative risk and makes it easier for an attacker to piece together your identity. With enough information, they can become you. From there they can pivot to other people in your life, using what they have gathered about you to run convincing phishing attacks against the people you know.
So it is very important to manage what information you share online, to reduce the potential impact if there is a security breach. Be cautious on social media, limit or obfuscate the sensitive information you provide to websites, and be aware of the privacy settings available in the websites and apps you use. Understand how your data is used, and understand that more often than not it is sold on to third-party advertisers and data brokers. Each of those third parties has its own data stores, security controls, policies and procedures, all likely holding similar or identical information about you, and all with varying levels of security posture.
To increase your security, be mindful, as mentioned, about the information you share.
Create a strong, unique password for each account you have. Always enable two-factor authentication; if SMS is the only option it is better than nothing, but prefer another method where one is offered, since SMS codes can be intercepted or redirected through SIM swapping. Keep all of your software up to date.
Chicken or the egg?
While privacy and security are closely related, a security breach is far more likely to lead to a privacy leak than the other way around. Why? Security is the first line of defense: it is what stands between personal information and the people who should not have it. Without security you cannot have privacy. As mentioned before, firewalls, encryption, access controls and intrusion detection are the controls that protect both the security and the privacy of information, and once they are breached it becomes much easier for an attacker to access and extract private information. Security breaches often result from external attacks, such as hacking and malware, that exploit weaknesses in system security. Once attackers gain access, depending on how the data is stored, they may be able to reach a great deal of private and personal information; the resulting leak can be intentional or unintentional. How far a breach spreads depends on how much defense in depth the organization has: without enough separation between systems, one compromise can reach multiple layers and multiple data repositories, and the amount of exposed data multiplies with each one.
Privacy is often described as resting on security, not the other way around. The fundamentals of security are the cornerstone of protecting privacy; without robust security controls, data privacy cannot exist, so when security fails, privacy is directly at risk. Depending on how things are configured, an organization may have a significant amount of personal information concentrated in a single centralized database, which makes that one failure all the more costly.
In summary, security breaches often lead to privacy leaks because security is the primary safeguard against unauthorized data access. Once those defenses are bypassed, the likelihood of private data being accessed and leaked increases significantly.