A data breach is a data security incident where unauthorised parties access, steal, modify, or disclose sensitive information. This compromises one or more elements of the CIA triad: confidentiality (keeping data private), integrity (ensuring data accuracy), or availability (maintaining access for legitimate users). Cyber-attacks like ransomware and phishing, insider abuse, lost devices, or incorrectly configured systems can all cause breaches.
Most breaches occur online due to compromised passwords, malware, or software bugs. Malicious hackers also exploit cloud misconfigurations, such as open storage buckets and overly lenient access controls, to steal data that is already exposed. Physical breaches happen when laptops or USB drives containing sensitive data get stolen or lost. All paths lead to information falling into the wrong hands.
A data breach is not the same as other related events. Data leaks occur when databases are misconfigured and information is unintentionally shared; no one has to be doing anything malicious for this to happen. Insider misuse happens when employees with legitimate access use it inappropriately. Data exposure is when information is left open but not necessarily accessed or stolen. These differences matter for incident response and compliance reporting.
Credit card numbers, customer records, trade secrets, medical files, financial information, or personally identifiable information (PII) are all examples of data that could be stolen. Breaches happen all too often to businesses of all sizes and in all fields. Fines for not following the rules can be very high, and lawsuits, operational problems, and long-term damage to the brand are possible.
How Data Breaches Happen: Common Attack Vectors
There is a set of predictable patterns for how data breaches typically unfold. Phishing, stolen credentials, or software flaws are some of the ways that attackers gain initial access. They use lateral movement techniques to navigate the network and discover valuable data, and escalate their privileges to reach more sensitive systems. They then slowly exfiltrate information to avoid detection, or they use ransomware to encrypt everything at once.
Data is typically breached through common attack vectors, such as:
- Phishing and credential theft: Attackers use fake emails, fake login pages, or social engineering to get people’s login information. Phishing is now the most common way for hackers to get into a system. Once they get in, attackers can move around freely without setting off alarms by using real credentials.
- Malware and ransomware: Malicious software infects systems to steal data, watch what you do, or lock your files and demand money to unlock them. Ransomware is now present in 44% of all breaches, according to Verizon’s 2025 Data Breach Investigations Report (DBIR). Attackers often steal data before encrypting it to gain more leverage.
- Exploiting vulnerabilities: Attackers gain access through unpatched software and misconfigured systems. Zero-day exploits take advantage of previously unknown security gaps for which no patch exists yet. As more people work from home, attacks on edge devices and VPNs have gone up by almost eight times.
- Insider threats: Employees who have permission to access data can misuse their privileges on purpose or by accident. It’s harder to find insider breaches because the actions seem normal. Compromised insiders have valid credentials, but attackers from outside the company are controlling them.
- SaaS/cloud misconfigurations: Advanced attacks aren’t required when data is exposed by open storage buckets, overly permissive sharing settings, and weak access controls. Misconfigurations, not hackers, cause most cloud breaches.
- Compromised accounts: Threat actors leverage credentials leaked from previous breaches or purchased on dark web markets to access corporate systems. Password reuse across personal and business accounts lets attackers pivot from low-value breaches to high-value targets.
- Application vulnerabilities: Flaws in web apps and APIs provide direct access to backend databases and sensitive data. SQL injection, cross-site scripting, and broken authentication can all bypass security controls without using complicated methods.
- Physical theft and loss: Laptops, USB drives, and mobile devices with sensitive data can be stolen or lost. These physical breaches often go unreported until the data surfaces in the wrong hands.
Security incident vs. compromise vs. data breach
- A security incident is any activity that puts the privacy, integrity, or availability of data at risk.
- A compromise is when hackers get into systems or accounts without permission.
- A data breach is when attackers access, steal, or make public private information.
So while not every incident turns into a breach, every breach starts as an incident that escalated.
Third-party breaches now account for 30% of incidents, according to Verizon’s DBIR. To reach valuable data downstream, attackers compromise vendors, managed service providers (MSPs), and software suppliers. Supply chain attacks target trusted relationships that are less well secured. When a vendor is hacked, your data may be at risk even if your own security is strong. It takes an average of 267 days to find and fix third-party breaches.
Insider-Involved Data Breaches
Insider threats are complicated to contend with because they involve people who have legitimate access to your systems and data. Stephanie Torto, Proofpoint’s Senior Product Marketing Manager, says, “Insider threats can be intentional or accidental. Either way, they can lead to serious security incidents that have significant implications.”
Understanding the difference helps businesses tailor their prevention and response strategies.
Unintentional Insider Threats
These happen when employees accidentally share data because they are careless or don’t know what they’re doing, not because they want to. Putting sensitive files in places that aren’t secure or not following security protocols are examples of negligent data handling.
Employees expose sensitive data when they email the wrong recipients or set overly permissive sharing links in collaboration tools like Teams or Google Drive. Credential compromise happens when employees fall for phishing attacks that trick them into giving their login information to attackers, who then act like them.
Intentional Insider Threats
Intentional insider threats are planned actions to steal, destroy, or make data public for personal gain or revenge. Employees who are upset or malicious use their authorised access to take trade secrets, customer data, or intellectual property before they leave the company or to disrupt operations.
Third-party insiders, like contractors and vendors who have temporary access, sometimes use their privileges to steal valuable information and sell it on the dark web or give it to competitors. They avoid getting caught by understanding how security controls work and moving data out through authorised channels.
What Is Targeted in a Data Breach?
Attackers go after the data they value, whether it’s for quick financial gain, long-term future attacks, or a competitive edge. Different motivations lead to different targets.
- Personally identifiable information (PII): Names, addresses, Social Security numbers, and birth dates are all PII that thieves can use to steal identities and commit fraud.
- Protected health information (PHI): This includes medical records, diagnoses, insurance information, and patient histories. This data is valuable because it combines identity data with private information that victims will pay to keep secret.
- Financial data: Credit card numbers, bank account information, and payment credentials are all types of financial data that can be used to extract funds directly or sold in bulk on dark web markets.
- Credentials and passwords: Login credentials give access to other systems and let attackers move around your environment while looking like they belong there.
- Intellectual property: This includes trade secrets, product roadmaps, source code, and proprietary research. This kind of IP gives competitors an edge and is the result of years of investment that can’t be easily replaced.
- Operational and OT data: Attackers can use information about manufacturing processes, supply chain logistics, and operational technology configurations to stop production or plan physical sabotage.
- Customer and partner data: Client lists, contract terms, and partner agreements reveal business relationships that competitors want and give attackers more avenues for follow-on attacks.
- Legal and contractual documents: M&A plans, litigation strategies, regulatory filings, and private agreements, if exposed, reveal sensitive business decisions before they are finalised.
Types of Data Breaches
When you think of data breaches, you typically think of a hacker compromising a network and stealing data. However, data breaches can result from several different actions. Human error, for example, is one of the most significant factors in data breaches.
Among the different types of data breaches are:
- Credential compromise: Stolen login information gives attackers access that bypasses security controls. Credentials are stolen through phishing, password reuse from previous breaches, or brute force attacks. Developers sometimes leave credentials in public code repositories where attackers easily find them.
- Data exposure: Even run-of-the-mill cyber-attacks can expose data by exploiting misconfigured databases, open cloud storage buckets, and overly permissive sharing settings. These exposures may go unnoticed for months until discovered by security researchers or exploited by attackers.
- Human error: A negligent or disgruntled employee can disclose data accidentally or on purpose, for example by falling for phishing or social engineering. Employees send emails to the wrong people, share files with the wrong permissions, or lose devices that contain private information.
- Ransomware and extortion: These attacks freeze a company’s data and demand payment in exchange for keys to unlock it. Double extortion is a new type of attack that steals data before encrypting it and then threatens to publish it if the ransom isn’t paid. Triple extortion adds DDoS attacks or threats to customers and partners, which amplifies the pressure to pay.
- Keylogging: Keylogger malware records a user’s keystrokes, allowing the attacker to capture sensitive information like passwords.
- Phishing: This form of social engineering involves deceiving users into revealing sensitive information, such as login credentials or credit card numbers, which can result in a data breach. Business email compromise combines phishing with financial fraud to trick employees into transferring money or sharing credentials.
- Hacking: Should an attacker gain access to user devices or compromise the internal infrastructure, they can install malware to steal data.
- Insider threats: Current or terminated employees could purposely send data to a third party or steal it for their financial gain. People who work for a company can misuse their access to steal trade secrets, customer lists, or intellectual property. Compromised insiders may have valid credentials, but attackers from the outside are controlling them.
- Physical theft: Organisations are vulnerable to data theft when local resources, user devices, work laptops, and other physical assets are stolen. Lost or stolen devices containing unencrypted data provide direct access to sensitive information.
- Supply chain breaches: These breaches happen when attackers get past the security controls of vendors, managed service providers, or software suppliers and work their way downstream to access customer data. Supply chain attacks are stealthy breaches that hit many businesses at once and are complicated to identify and stop.
Business, Legal, and Regulatory Impacts of Data Breaches
The aftermath of data breaches can be long-lasting. As businesses deal with costs, compliance issues, and AI risks, the effects get worse over time.
Financial Impact
The costs of breaches have never been higher. Based on IBM’s 2025 Cost of a Data Breach report, the average cost of a breach is $4.4 million. The most expensive breaches are those that affect multiple environments, which average $5.05 million. These costs include incident response, forensic investigations, legal fees, regulatory fines, customer notification, and credit monitoring. Most of the costs accumulate over the year after a breach, as the full picture becomes clear.
Operational Downtime
Breaches disrupt normal business operations. Ransomware, which is responsible for 44% of all breaches (according to DBIR), locks teams out of important systems until it is resolved. Forensic investigations require temporarily shutting down compromised infrastructure, and employees spend hours on recovery that would otherwise go to productive work.
Legal Risk
Class action lawsuits are a common occurrence when customer data is compromised. Plaintiffs argue that the company was careless in protecting their personal information, and the discovery process often reveals security gaps and mistakes. Settlement costs can run into the millions before anything goes to trial. Shareholder derivative suits target executives and board members for losses caused by breaches, making recovery efforts even more complicated legally.
Regulatory Penalties and Notification
Laws set strict timelines for breach notification. GDPR says you have to notify affected individuals within 72 hours of detecting a breach. HIPAA requires detailed reporting to both affected people and regulators. State laws like CCPA require notifications to contain specific information. If you overlook the nuances, you’ll pay additional fines on top of what you already owe for inadequate security measures or reporting. IBM’s data showed that more than half of data breaches (53%) involve stolen PII, meaning businesses have a responsibility to notify affected accounts.
AI Exposure
AI introduces new breach vectors that traditional controls struggle to address. Shadow AI incidents (where employees use unauthorised AI tools) bump up the cost of a breach by an additional $670,000, according to IBM. Organisations struggle with visibility into autonomous AI agents handling confidential information, while employees routinely paste trade secrets and customer data into public LLMs like ChatGPT. As a result, CISOs now cite GenAI-driven data loss as the top concern, according to Proofpoint’s 2025 Voice of the CISO Report.
Customer Churn
Trust evaporates after a data breach. People switch to competitors that they believe are safer. During the evaluation process, prospects choose other options. As existing customers grow sceptical about the security of their personal information, renewal rates plummet. The effect on revenue lasts for years as the cost of acquiring new customers goes up and the lifetime value of a customer goes down.
Executive and Board Scrutiny
Breaches elevate cybersecurity from an IT concern to a boardroom priority overnight. According to Proofpoint, 76% anticipate a cyber-attack in the next 12 months, yet 58% admit they’re unprepared to respond. Leadership teams face intense scrutiny of company investments and oversight, while board committees demand regular briefings on the threat landscape and control effectiveness.
Partner Risk
Business partners reassess relationships after breaches. Vendor security questionnaires are getting stricter. Contract renewals come with tougher liability clauses. Some partners end relationships completely to protect themselves. Third-party involvement now accounts for 30% of breaches per DBIR, making vendors a risk that runs in both directions and is easy to overlook.
Harm to Brand and Reputation
Media coverage makes the breach worse. Social media quickly spreads negative sentiment. Industry analysts lower security ratings. Competitors use breach stories to win sales. To rebuild your reputation, you need to perform consistently well over the years and be transparent about how you’re improving.
Data Breach Notification and Disclosure Requirements
Data breach notification laws differ by industry and location, but most share a common intention: to quickly inform those affected, allow them to take protective action, and hold businesses accountable. Knowing which rules apply to your data will help you respond within the required time frames when something goes wrong.
- GDPR (European Union): If an organisation learns of a breach that threatens people’s rights and freedoms, it must notify the appropriate supervisory authority within 72 hours. For high-risk breaches, they must also directly notify the people affected.
- CCPA/CPRA (California): California law says that businesses must notify affected residents without unreasonable delay if they find a breach involving unencrypted personal information. The notifications must include specific information about the types of data that were compromised.
- HIPAA (Healthcare): If a covered entity discovers a breach of unsecured protected health information, it must notify the affected individuals within 60 days. If the breach affects more than 500 people, HHS must be notified right away, and the media must be notified.
- Financial Services (GLBA, SEC): The Gramm-Leach-Bliley Act requires banks and other financial institutions to notify customers of breaches involving sensitive financial information. The SEC’s 2023 rule says that public companies must report major cybersecurity incidents on Form 8-K within four business days.
- Energy Sector (TSA, NERC): Operators of critical infrastructure must report cybersecurity incidents to sector-specific agencies, such as TSA for pipelines or NERC for electric utilities. This is usually done within 24 hours for incidents that affect operations.
- Government Contractors (DFARS, FedRAMP): Under DFARS, defence contractors must report cyber incidents that affect covered defence information within 72 hours. Cloud service providers serving federal agencies must follow FedRAMP incident reporting rules.
Most jurisdictions now require breach disclosure, rather than letting entities choose whether to do so. In the past, businesses could choose whether or not to report minor incidents, but today’s rules leave little room for silence. The trend is toward openness, and regulators are imposing harsh penalties not only for the breach itself but also for late or insufficient notification that prevents people from protecting themselves.
Cloud and SaaS Data Breaches
Cloud environments have changed the way breaches happen in significant ways. Data is at risk when storage buckets are misconfigured and sharing settings are too open, even without sophisticated attacks. In fact, open S3 buckets and default security settings in rushed SaaS deployments cause more breaches than hacking attempts.
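As an added example (not code from the article or from Proofpoint), a check for the open-bucket misconfiguration described above, run against two constructed S3 bucket policy documents and one constructed ACL: it flags Allow statements granted to everyone with no Condition, and ACL grants to the public groups, while leaving the corrected policy clean. Bucket name, role ARN and account id are placeholders.

```python
import json

# ACL grantee groups that mean "anyone" (AllUsers) or "anyone with an AWS
# account" (AuthenticatedUsers); both are public for practical purposes.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed: a policy that exposes every object in the bucket to the internet.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed: the corrected policy. Read is limited to one role (placeholder
# account id) and a Deny forces TLS; the Deny also uses Principal "*", which a
# naive grep for "*" would wrongly flag.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed: a bucket ACL (the shape GetBucketAcl returns) granting READ to
# any AWS account holder.
ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}


def as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" among several AWS principals)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))


def public_statements(policy_json):
    """Allow statements open to everyone with no Condition narrowing them.

    Conditioned anonymous grants are skipped and left for manual review, since
    whether a condition really limits exposure depends on the condition key.
    """
    findings = []
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append((stmt.get("Sid", "<no sid>"), as_list(stmt.get("Action", []))))
    return findings


def public_acl_grants(acl):
    """ACL grants to AllUsers or AuthenticatedUsers, as (group, permission) pairs."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[1], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]
```

The same two functions can be pointed at the output of a real GetBucketPolicy / GetBucketAcl call; the constructed documents here only stand in for that input.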
Email, Slack, Teams, and other collaboration tools put data at risk all the time. Employees share private documents with people outside the company, send files to the wrong people, and give too many people access to files. Shadow IT makes this problem worse because teams adopt apps without permission that IT can’t see. Marketing puts customer information into unauthorised analytics tools. Sales uses a personal Dropbox account for work files. Shadow data accumulates in places that security teams can’t see or control.
Identity is now the new boundary. If someone steals your credentials, they can access SaaS apps from anywhere without having to go through network security. Multifactor authentication is a very important way to protect yourself, but it still leaves some holes. With third-party breaches now accounting for nearly a third of all incidents, cloud vendors are especially vulnerable in multi-tenant environments where isolation depends on their controls.
AI and Data Breaches
AI has two opposing roles in data breaches. It introduces new surfaces that can create data exposure vulnerabilities while also supporting cybersecurity teams in strengthening defences. As AI adoption speeds up, businesses must address both realities.
AI as Attack Surface
People put private information into ChatGPT, Claude, and other public LLMs without thinking about where that information goes. Customer records, source code, and private documents end up in training datasets or stored in vendor systems that you don’t control. A shocking 97% of AI-related breaches occur in environments with insufficient controls. Organisations lack visibility into the autonomous AI agents handling private information in their environments.
Different AI platforms have very different rules about how long they keep data. Some service providers say they don’t use customer input for training, but their terms of service change frequently. Another risk is that LLMs can leak training data, sometimes revealing private information from their training sets. Prompt injection attacks manipulate AI systems into disclosing data or bypassing access controls.
AI as Cyber Defense
The same technology that makes things risky also finds threats faster than people can. AI-powered systems can spot patterns in user behaviour that indicate either a breach or insider abuse. Anomaly detection flags unusual amounts of data access or activity outside normal hours that regular rules miss. Based on IBM’s report, companies that use AI and automation extensively save $1.9 million per breach compared to those without these tools.
AI speeds up incident response by automatically sorting alerts, adding context, and putting together attack timelines. AI handles repetitive investigative tasks while security teams focus on the most important threats.
The Biggest Recent Data Breaches
Cyber incidents happen every day, but patterns show where defences break down. Recent breaches have affected many industries and used a range of attack methods, which can teach us how to stop them.
A credential-stuffing attack in June 2025 revealed a record-breaking 16 billion passwords stolen by malware and other breaches. The lesson is that using the same password on different platforms makes you more vulnerable. Multifactor authentication and monitoring credentials help minimise damage.
In the middle of 2025, third-party Salesforce misconfigurations hit Qantas (5.7 million records) and Allianz (2.8 million records). Attackers used social engineering and real administrative tasks to steal customer PII. The main takeaway is that SaaS security goes beyond your tenant to include vendor settings and access controls.
Supply chain attacks used BeyondTrust remote access tools to break into Red Hat GitLab (570GB across 28,000 repositories) and the U.S. Treasury. Both breaches exploited access granted to trusted vendors. Breaches like these underscore the need for organisations to monitor third-party privileges and segment vendor access from crown jewel systems.
Ransomware groups continue to target healthcare, affecting 57 million people in 2025 alone. Lessons learned stress incident readiness, offline backups, and network segmentation.
Data Breach Prevention and Mitigation Strategies
To prevent data breaches, you need multiple layers of protection for technology, processes, and people. No single control can stop every attack, but using these strategies together expands the breadth of security and significantly reduces the risk and damage when something does happen.
- Identity, MFA, and SSO: Multifactor authentication means a stolen password alone is not enough to get in, and single sign-on lets users log in once for all apps.
- Zero-trust access: Verify every access request, regardless of source, and grant only the minimum permissions required.
- Data classification: Tagging data by sensitivity ensures appropriate controls are automatically applied to customer PII, intellectual property, and regulated information.
- DLP and exfiltration prevention: Real-time monitoring prevents sensitive information from leaving through unauthorised channels before the theft is complete.
- Employee training: Interactive programmes teach teams to spot phishing and handle data correctly. Simulated attacks test whether the lessons stick.
- SaaS configuration hygiene: Checking cloud storage permissions and sharing settings regularly catches the misconfigurations that lead to most cloud breaches.
- Vendor risk management: Check third-party security controls before granting them access, and monitor them continuously.
- Incident response playbooks: Detailed steps tested through tabletop exercises reduce confusion and speed up containment when real breaches occur.
- Monitoring and behavioural analytics: Anomaly detection identifies abnormal patterns, such as mass downloads or access at odd hours, that signature-based tools miss.
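As an added example (not code from the article or from Proofpoint), the behavioural-analytics check described under "AI as Cyber Defense" and in the last bullet above, run over constructed file-access log lines: it flags access outside working hours, a burst of downloads in a short window, and a day’s download volume far above that user’s own baseline, which a fixed rule alone would miss. The log format, thresholds and user names are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed log format (assumption): "<ISO timestamp> <user> <action> <object>".
LOG_LINES = [
    "2025-03-03T09:12:41 alice download q1-forecast.xlsx",
    "2025-03-03T10:02:11 alice download vendor-list.csv",
    "2025-03-04T09:30:00 alice download q2-plan.docx",
    "2025-03-04T14:10:33 alice view contract-acme.pdf",
    "2025-03-05T11:05:12 alice download board-deck.pptx",
    "2025-03-06T02:17:05 bob download customers-all.csv",
]
# bob: 24 more downloads seconds apart at 02:17 (a mass download, off-hours).
LOG_LINES += [f"2025-03-06T02:17:{10 + i:02d} bob download customers-{i}.csv"
              for i in range(24)]
# carol: a normal 3-a-day baseline Mon-Fri, then 30 downloads spread across one
# working day, which a burst rule alone would never see.
for day in range(3, 8):
    LOG_LINES += [f"2025-03-{day:02d}T{9 + h:02d}:00:00 carol download r{day}{h}.pdf"
                  for h in range(3)]
LOG_LINES += [f"2025-03-10T{9 + i // 4:02d}:{(i % 4) * 15:02d}:00 carol download dump-{i}.csv"
              for i in range(30)]


def parse_log(lines):
    """Turn each line into (timestamp, user, action, object)."""
    events = []
    for line in lines:
        ts, user, action, obj = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, obj))
    return events


def off_hours(events, start_hour=8, end_hour=18):
    """Events on a weekend or outside working hours (policy values are assumed)."""
    return [e for e in events
            if e[0].weekday() >= 5 or not (start_hour <= e[0].hour < end_hour)]


def download_bursts(events, window=timedelta(minutes=10), threshold=20):
    """Users with at least `threshold` downloads inside any sliding `window`."""
    by_user = defaultdict(list)
    for ts, user, action, _ in events:
        if action == "download":
            by_user[user].append(ts)
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the window's left edge forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts


def volume_outliers(events, factor=5.0, min_days=3):
    """Users whose busiest day is `factor` times their own median daily downloads."""
    daily = defaultdict(Counter)
    for ts, user, action, _ in events:
        if action == "download":
            daily[user][ts.date()] += 1
    outliers = {}
    for user, counts in daily.items():
        if len(counts) < min_days:  # too little history to call anything a baseline
            continue
        peak_day, peak = counts.most_common(1)[0]
        baseline = median(c for d, c in counts.items() if d != peak_day)
        if peak >= factor * baseline:
            outliers[user] = (peak_day.isoformat(), peak, baseline)
    return outliers


def detect(lines):
    """Run all three checks and return sorted (user, kind, detail) alerts."""
    events = parse_log(lines)
    alerts = []
    for user, n in Counter(e[1] for e in off_hours(events)).items():
        alerts.append((user, "off_hours", f"{n} events outside working hours"))
    for user, n in download_bursts(events).items():
        alerts.append((user, "burst", f"{n} downloads within 10 minutes"))
    for user, (day, peak, base) in volume_outliers(events).items():
        alerts.append((user, "volume", f"{peak} downloads on {day} vs median {base:g}"))
    return sorted(alerts)
```

Running `detect(LOG_LINES)` flags bob twice (burst and off-hours) and carol once (volume), while alice, whose activity stays within her own pattern, produces nothing.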
How Does Cyber Insurance Help?
Cyber insurance is intended to offset some of the costs of a breach, but it doesn’t cover all of them. Policies usually cover things like forensic investigations, legal fees, regulatory fines, notifying customers, monitoring credit, and responding to public relations issues. Claims processes require extensive paperwork about security controls, incident timelines, and efforts to fix things.
Different insurers and policy tiers offer different levels of coverage. Nation-state attacks, acts of war, and breaches caused by known unpatched vulnerabilities are often not covered. Some policies don’t cover payments for ransomware or losses from social engineering. Read the terms carefully before incidents occur.
After years of rising claims, the insurance market has become much tougher. After a breach, premiums go up, and underwriters require proof of MFA, EDR deployment, backup testing, and security awareness training. Companies with weak controls have to pay higher deductibles or can’t get insurance at all. You still have to notify regulators and the people who were affected about a breach, even if you don’t file a claim or it isn’t approved.
How Proofpoint Can Help
We help organisations prevent breaches by addressing data risk from every angle—technology, behaviour, and external threats. By identifying compromised or high-risk accounts early, protecting sensitive data wherever it moves, and reducing human-driven risk through awareness and intelligence-led detection, security teams can stop account compromise before it turns into a full breach. To learn how we can help strengthen your defences and reduce exposure across your organisation, contact Proofpoint.