How Employers Can Become Experts at Data Breaches: Unauthorized authentication of employee accounts

BCLP

Service providers that permit your employees to establish a user name and/or password in order to log into an online portal often monitor employee accounts for indications that an unauthorized person has obtained an employee’s username and/or password and attempted to log in. If an unauthorized person does log into an employee’s account, it is sometimes referred to as “unauthorized authentication.”

Unauthorized authentication does not always mean that a “data breach” has occurred. In most cases, what the bad actor was able to see, or download, once they logged into an employee’s account determines whether the incident meets the definition of a data breach under the data breach notification statutes. For example, if an attacker obtained an employee’s username and password (e.g., guessed the user name and password, or obtained it from an unrelated breach) and used it to log into an account that contained only the employee’s salary, or that contained only data elements that the attacker already possessed (e.g., the username and password that the attacker used in the first place), the incident would not be considered a data breach.

Depending upon the circumstances, unauthorized authentication may also not be a cause for alarm regarding your service provider’s security practices. Unauthorized authentication occurs in almost every situation in which users are permitted to access an account online – i.e., eCommerce websites, online email platforms, financial accounts, etc. While there are steps that companies can take to make unauthorized authentication more difficult (e.g., two-factor authentication), no online login system is perfect. Employers should focus on whether their service providers take steps to monitor for unauthorized authentication and report unauthorized authentications to the organization when they do happen.
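The monitoring the paragraph above expects of a service provider can be illustrated with a small detector. The following is an added example written for this page, not code from BCLP or from any particular service provider. It assumes a simplified login-event log format and demo thresholds (the window and account count are assumed tuning values), and it flags two common indicators of unauthorized authentication: a successful login from a source address that has just tried many different accounts in a short window (credential stuffing), and a successful login from an address the account has never used before. Whether a flagged login is a reportable data breach still depends on what the intruder could see once inside, as the text explains.

```python
"""Flag suspected unauthorized authentications in a stream of login events.

Added illustration for this page; not code from BCLP or from any service provider.
Assumes a simplified log format and detection thresholds chosen for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <username> <source ip> <success|failure>".
# The burst from 192.0.2.55 tries five different accounts in seconds and then succeeds on one.
SAMPLE_LOG = """\
2024-03-01T08:00:00 alice 203.0.113.10 success
2024-03-01T08:05:00 bob 198.51.100.7 success
2024-03-01T09:00:00 alice 203.0.113.10 success
2024-03-01T12:00:01 alice 192.0.2.55 failure
2024-03-01T12:00:02 bob 192.0.2.55 failure
2024-03-01T12:00:03 carol 192.0.2.55 failure
2024-03-01T12:00:04 dave 192.0.2.55 failure
2024-03-01T12:00:05 erin 192.0.2.55 failure
2024-03-01T12:00:06 bob 192.0.2.55 success
2024-03-01T15:00:00 alice 203.0.113.10 success
"""

STUFFING_WINDOW = timedelta(minutes=10)   # assumed tuning value
STUFFING_MIN_ACCOUNTS = 5                 # distinct usernames tried from one IP (assumed)


def parse_events(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "ok": result == "success"})
    events.sort(key=lambda e: e["ts"])
    return events


def find_stuffing_ips(events):
    """Return source IPs that tried >= STUFFING_MIN_ACCOUNTS distinct usernames
    within any STUFFING_WINDOW-long stretch of their own activity."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            users = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > STUFFING_WINDOW:
                    break
                users.add(e["user"])
            if len(users) >= STUFFING_MIN_ACCOUNTS:
                flagged.add(ip)
                break
    return flagged


def detect_unauthorized_authentication(events):
    """Return a list of (username, ip, reasons) for successful logins that look unauthorized.

    Signals used:
      * the source IP matches a credential-stuffing pattern (many accounts tried quickly);
      * the account has a login history, but never from this source IP before.
    An account's very first login establishes its baseline and is not flagged on its own.
    """
    stuffing_ips = find_stuffing_ips(events)
    known_ips = defaultdict(set)   # username -> IPs with a prior successful login
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        reasons = []
        if e["ip"] in stuffing_ips:
            reasons.append("source ip shows credential-stuffing pattern")
        if known_ips[e["user"]] and e["ip"] not in known_ips[e["user"]]:
            reasons.append("first successful login from a new source ip")
        if reasons:
            alerts.append((e["user"], e["ip"], reasons))
        known_ips[e["user"]].add(e["ip"])
    return alerts


if __name__ == "__main__":
    for user, ip, reasons in detect_unauthorized_authentication(parse_events(SAMPLE_LOG)):
        print(f"suspected unauthorized authentication: {user} from {ip}: {'; '.join(reasons)}")
```

On the constructed sample, only bob's 12:00:06 login is reported, with both reasons attached; alice's logins from her usual address and the initial logins that establish each account's baseline are not. A provider's real detector would add further signals (geolocation, device fingerprint, time of day) and would report each alert to the employer, which is the reporting behavior the paragraph says employers should look for.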

TIP: “Unauthorized authentication” should not be confused with a data breach. Typically, unauthorized authentication does not indicate that an organization’s network was compromised, or that sensitive information was lost from the organization. Rather, unauthorized authentication is often the identity theft that occurs against your employee as a result of an earlier (and often unrelated) breach in which their access credentials may have been originally stolen.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
