A data leak unintentionally exposes sensitive, protected, or confidential information outside its intended environment. This happens for various reasons, such as internal human errors, software vulnerabilities, or poor data security measures. Data leaks can compromise personal details, financial records, trade secrets, or other proprietary data. Leaked information can be used to quickly cause future data breaches and have severe consequences for individuals and organisations alike, leading to reputational damage, financial losses, and legal implications.

The terms “data leak” and “data breach” are often used interchangeably, but a data leak does not require exploiting a vulnerability. A data leak can simply be the disclosure of data to a third party from poor security policies or storage misconfigurations. In most scenarios, a data leak is accidental, while a data breach is malicious and intentional.

Data Leak vs. Data Breach: Key Differences

It might seem insignificant, but it’s important to understand the difference between a data leak and a data breach. Both can be costly and have critical consequences, but a data leak involves much more negligence than a data breach. Human error is a significant risk for organisations, and a data leak is typically the result of insider threats, often unintentional but just as damaging as a data breach.

Data breaches are caused by unforeseen risks or previously unknown vulnerabilities in software, hardware, or security infrastructure. To succeed, an attacker must find and exploit the vulnerability, so administrators must continually update outdated software and install security patches or updates as soon as they are released.

A data leak results in a data breach but does not require exploiting an unknown vulnerability. Typically, human error is behind a data leak. A classic example of a data leak is a misconfigured Amazon Web Services (AWS) S3 bucket. S3 buckets are cloud storage spaces used to upload files and data. They can be configured for public access or locked down so that only authorised users can access the data. It’s common for administrators to misconfigure access and thereby disclose data to any third party. Misconfigured S3 buckets are so common that some sites scan for them and post what they find for anyone to review.
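The S3 misconfiguration described above can be checked for mechanically. The following is an added example written for this page (not Proofpoint code and not AWS tooling): it audits one bucket’s configuration for a disabled public access block, an ACL grant to everyone, a bucket policy with a wildcard principal, and missing default encryption. It makes no AWS calls; the two configuration dicts are constructed for the example and only loosely mirror the shape of what the boto3 calls get_public_access_block, get_bucket_acl, get_bucket_policy and get_bucket_encryption return, so wiring it to real buckets is left to the reader.

```python
# Added example: audit one bucket configuration for common public-exposure
# misconfigurations. Pure Python; the config dicts are constructed samples.
import json
from typing import Any

# Grantee URIs AWS uses for "everyone" and "any signed-in AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
READ_ACTIONS = {"*", "s3:*", "s3:Get*", "s3:GetObject"}


def principal_is_public(principal: Any) -> bool:
    """True when a policy statement's Principal is the wildcard (anyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def actions_allow_read(action: Any) -> bool:
    """True when the statement's Action includes an object-read action."""
    actions = [action] if isinstance(action, str) else list(action or [])
    return any(a in READ_ACTIONS for a in actions)


def audit_bucket(config: dict) -> list[str]:
    """Return human-readable findings for one bucket configuration."""
    findings = []
    pab = config.get("public_access_block") or {}
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        findings.append("public access block is not fully enabled")
    for grant in config.get("acl_grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    policy = config.get("policy")
    if policy:
        doc = json.loads(policy) if isinstance(policy, str) else policy
        for stmt in doc.get("Statement", []):
            if (stmt.get("Effect") == "Allow"
                    and principal_is_public(stmt.get("Principal"))
                    and actions_allow_read(stmt.get("Action"))):
                # A Condition may narrow the grant; flag it but ask for review.
                note = " (has Condition; review it)" if "Condition" in stmt else ""
                findings.append(f"bucket policy allows anonymous {stmt.get('Action')}{note}")
    if not config.get("default_encryption"):
        findings.append("no default server-side encryption configured")
    return findings


# Constructed sample configurations: one leaky, one hardened.
LEAKY_BUCKET = {
    "name": "leaky-bucket",
    "public_access_block": {flag: False for flag in PAB_FLAGS},
    "acl_grants": [{"Grantee": {"Type": "Group",
                                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::leaky-bucket/*"}]}),
    "default_encryption": None,
}
HARDENED_BUCKET = {
    "name": "hardened-bucket",
    "public_access_block": {flag: True for flag in PAB_FLAGS},
    "acl_grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNERIDEXAMPLE"},
                    "Permission": "FULL_CONTROL"}],
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hardened-bucket/*"}]}),
    "default_encryption": {"SSEAlgorithm": "aws:kms"},
}

if __name__ == "__main__":
    for bucket in (LEAKY_BUCKET, HARDENED_BUCKET):
        print(bucket["name"], audit_bucket(bucket) or ["no findings"])
```

Run against the leaky configuration it reports four findings; against the hardened one it reports none. The policy check deliberately treats a wildcard principal with a Condition as something to review rather than as safe, since conditions are easy to get wrong.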

What Causes Data Leaks?

Data leaks can arise from a combination of technical misconfigurations, human errors, and weaknesses in organisational security policies. The causes of data leaks often overlap with those of data breaches, but they primarily revolve around the unintentional exposure of sensitive information. Some of the key factors contributing to data leaks include:

  • Infrastructure misconfigurations: One of the most common causes of data leaks. Whether it’s a misconfigured cloud service like AWS S3 or an internal server, improper security settings can lead to unintended data exposure. This includes misconfigured firewalls that might inadvertently open ports and allow unauthorised access to data.
  • Weak security policies: Data can be unknowingly disclosed without stringent security policies. Organisations need to have robust protocols that prevent unauthorised user access.
  • Employee and vendor errors: Human error, whether unintentional or malicious, is a significant factor in data leaks. These errors range from mishandling sensitive data and not following established security procedures to vendors inadvertently exposing data they can access. Proper cybersecurity training for all personnel is crucial in mitigating this risk.
  • System errors: Occasionally, unexpected system errors can lead to data leaks by defaulting to open access for unauthorised users. Once data is exposed this way, search engines can index it, making sensitive information easily discoverable.
  • Open-source files and repositories: Developers sometimes inadvertently include sensitive data in public repositories, such as hard-coded credentials or access keys. Malicious actors can use these to gain unauthorised access to data.
  • Unpatched infrastructure: If not timely addressed with security patches, vulnerabilities in software and systems can become gateways for unauthorised data access.

By addressing these vulnerabilities and instilling a culture of cybersecurity awareness, organisations can significantly reduce the risk of data leaks.
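Hard-coded credentials in repositories (the open-source cause in the list above) are usually caught by scanning files before they are committed. The scanner below is an added example written for this page, not a Proofpoint or third-party tool; its patterns, entropy threshold and severity rules are this example’s own choices. The AWS access key ID shape (AKIA followed by 16 upper-case alphanumerics) and the two key values in the sample file come from AWS’s public documentation examples, so nothing real is exposed.

```python
# Added example: a small pre-commit style secret scanner. Patterns and the
# entropy threshold are this example's own choices, not a standard.
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Assignment patterns capture the value so its entropy can be judged.
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"),
    "generic_token": re.compile(
        r"(?i)\b[a-z_]*(?:secret|token|api[_-]?key|access[_-]?key)[a-z_]*"
        r"\s*[:=]\s*['\"]([A-Za-z0-9+/=_\-]{16,})['\"]"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking keys score above 4


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the value."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list[dict]:
    """Scan text line by line; return findings with the secret value redacted."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if (lineno, value) in seen:  # same value hit by two patterns
                    continue
                seen.add((lineno, value))
                # Fixed-format keys are always high severity; assigned values
                # are downgraded when they look like a placeholder ("changeme").
                if kind in ("password_assignment", "generic_token"):
                    severity = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "low"
                else:
                    severity = "high"
                findings.append({"line": lineno, "kind": kind, "severity": severity,
                                 "redacted": value[:4] + "..."})
    return findings


def has_blocking_findings(text: str) -> bool:
    """What a pre-commit hook would check: any high-severity finding blocks the commit."""
    return any(f["severity"] == "high" for f in scan_text(text))


# Constructed sample file content (not a real configuration file).
SAMPLE_FILE = """\
# settings.py (constructed example)
db_host = "db.internal.example"
password = "changeme"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE):
        print(finding)
    print("commit blocked:", has_blocking_findings(SAMPLE_FILE))
```

On the sample file the scanner reports the placeholder password at low severity and the two AWS keys at high severity, and the hook would block the commit. The entropy gate reduces noise from placeholders, but note that a low-entropy hard-coded password is still a finding worth reviewing, which is why it is downgraded rather than dropped.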

Types of Data at Risk

Organisations don’t want data disclosed to an unauthorised user, but some data is more sensitive than others. It might not mean much to disclose a product table to the public, but a table full of user social security numbers and identification documents could be a grave predicament that could permanently damage the organisation’s reputation.

Examples of data disclosure after a leak include:

  • Trade secrets or intellectual property stored in files or databases.
  • Private proprietary source code.
  • Credentials like usernames, passwords, and security questions.
  • Business data like customer lists, sales data, and other business-related information.
  • Current product and inventory status, including vendor pricing.
  • Proprietary research used for product improvements, patents, and inventions.
  • Sensitive customer data, including health and financial information.
  • Employee data, including social security numbers, financial information, and credentials.
  • Health information, such as medical records, insurance information, and prescription information.
  • Emails, chat logs, and other forms of private communication.

What Do Cybercriminals Look For in Leaked Data?

Cybercriminals are constantly on the prowl for vulnerabilities and opportunities, with leaked data as a valuable asset for their malicious endeavours. But what exactly do they seek in leaked data, and once they have it, what do they do with it?

  • Personal Identification Information (PII): This includes names, addresses, social security numbers, and more. Criminals can use the data for identity theft, impersonating individuals to commit fraud, obtain credit, or gain other financial benefits.
  • Financial information: Credit card details, bank account numbers, and other financial data can be used to make unauthorised transactions or siphon funds, or sold on the dark web.
  • Login credentials: Usernames and passwords for various accounts can be exploited to gain unauthorised access. Cybercriminals use techniques like credential stuffing to access multiple sites, banking on the fact that many individuals reuse passwords across platforms.
  • Health records: Medical information is highly valuable and can be used for insurance fraud, prescription fraud, or sold to interested parties.
  • Trade secrets and intellectual property: For corporations, leaked data might contain proprietary information. Cybercriminals can sell this to competitors or use it for corporate espionage.
  • Emails and personal communications: These can be used for blackmail or to stage further targeted attacks, such as spear-phishing campaigns.
  • Operational data: Information about an organisation’s operations, network configurations, or security practices can be used to facilitate more sophisticated cyber-attacks.

How Do Cybercriminals Use Leaked Data?

Depending on the type of data, threat actors can use leaked information for a myriad of malicious intentions. Here are some of the things that cybercriminals do with leaked data:

  • Direct financial gain: By selling the data on the dark web or using it for fraudulent transactions.
  • Carry out phishing attacks: Cybercriminals can use leaked data to craft convincing phishing emails that appear to be from legitimate sources but are intended to deceive people into giving away their personal information or downloading malware.
  • Conduct ransomware attacks: Threat actors can use leaked data to launch ransomware attacks, where they encrypt the victim’s data and demand payment in exchange for the decryption key.
  • Commit identity theft: Cybercriminals can steal people’s identities with leaked data, which they use to open bank accounts, apply for loans, or make fraudulent purchases.
  • Facilitate other crimes: With stolen identities, criminals can commit a range of offline crimes, from fraud to false credit applications.
  • Reputation damage: For high-profile entities or celebrities, leaked data can be used to tarnish their reputation.

As the digital landscape evolves, the motives and methods of today’s cybercriminals continuously change. As they develop new ways to exploit leaked data, individuals and organisations must remain vigilant and proactive in their cybersecurity measures.

How to Prevent Data Leaks

Data protection strategies should always include employee education and training, but administrators can take additional steps to stop data leaks.

Here are a few ways you can prevent a data leak incident:

  • Audit and classify data: It’s common for fast-growing businesses to lose track of data and where it is stored. It’s hard to cover all your bases if you don’t know where data is located, or if you discover only after the fact that applications and users have moved it. Classifying data also reveals employee permission misuse and potential data leaks from unnecessary access.
  • Be proactive: Risk assessment and risk management identify risks and give administrators mitigation strategies, which typically require additional security measures, policies, and employee training.
  • Evaluate third-party risk: Evaluate the security practices of third-party vendors and partners accessing your data. Make sure they use robust security measures to prevent data leaks.
  • Implement access control: Limit and review access as appropriate for your organisation. Consider using role-based access control to ensure that only authorised personnel can access sensitive data.
  • Use encryption: Data encryption translates data into another code or form, and only those with access to a decryption key or password can read it. Data encryption can prevent cybercriminals from reading sensitive data in the event of data leakage.
  • Implement data loss prevention (DLP) software: DLP software continuously monitors and analyses your data to identify potential violations of security policies. Beyond identifying policy violations, the proper DLP solution can effectively stop them.
  • Protect data based on value and sensitivity: Data leaks on unimportant data are not ideal but are far less damaging than sensitive data disclosure. After an audit and data discovery, focus on the most valuable data first. Data discovery software can help because it provides dependable and automated content analysis and tracks information across your network.
  • Offer cybersecurity training: Education reduces the chance of human error from phishing or social engineering. It also teaches employees how to properly manage and protect data.
  • Monitoring: Deploying the right monitoring tools helps administrators identify anomalies faster and makes them more proactive in containing and eradicating a threat. Some tools also identify misconfigurations and potential data leak issues.
  • Have a disaster recovery plan: Disaster recovery with backups will restore destroyed data. A recovery plan includes the people involved in data recovery and the many steps to communicate with affected customers and any news outlets.
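Three of the items above (audit and classify data, implement DLP, and protect data based on value) come down to the same mechanics: detect what sensitive content a record holds, rank records by sensitivity, and act on that tier when data is about to leave. The code below is an added example written for this page, not a Proofpoint product or its logic; the detectors (SSN format, Luhn-checked card numbers, email addresses), the sensitivity tiers and the sample records are this example’s own constructions.

```python
# Added example: classify records by sensitive content, prioritise them,
# and make a DLP-style decision for outbound data. Patterns, tiers and
# sample records are constructed for this example.
import re

SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Sensitivity tier per detector, and the ordering of tiers.
TIER_OF = {"ssn": "restricted", "payment_card": "restricted", "email": "internal"}
RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def luhn_valid(number: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return the highest sensitivity tier found plus what was detected."""
    found = {
        "ssn": SSN_RE.findall(text),
        "payment_card": [m.group(0) for m in CARD_RE.finditer(text) if luhn_valid(m.group(0))],
        "email": EMAIL_RE.findall(text),
    }
    found = {k: v for k, v in found.items() if v}
    tier = max((TIER_OF[k] for k in found), key=RANK.get, default="public")
    return {"tier": tier, "categories": sorted(found),
            "counts": {k: len(v) for k, v in found.items()}}


def prioritise(records: dict) -> list:
    """Record names, most sensitive first, so protection effort goes there first."""
    return sorted(records, key=lambda name: (-RANK[classify(records[name])["tier"]], name))


def dlp_decision(text: str, destination_domain: str, internal_domains: set) -> str:
    """Allow internal or public traffic; block restricted data leaving; warn otherwise."""
    tier = classify(text)["tier"]
    if destination_domain in internal_domains or tier == "public":
        return "allow"
    return "block" if tier == "restricted" else "warn"


# Constructed sample records; the card number is a well-known test number.
RECORDS = {
    "product_table": "sku,price\nWIDGET-1,9.99\nWIDGET-2,19.99",
    "hr_export": "Jane Doe, SSN 123-45-6789, jane.doe@example.com",
    "orders": "card 4111 1111 1111 1111 exp 12/27",
    "newsletter": "Contact us at support@example.com",
}

if __name__ == "__main__":
    for name in prioritise(RECORDS):
        print(name, classify(RECORDS[name]))
    print(dlp_decision(RECORDS["hr_export"], "mail.example.net", {"example.com"}))
```

The product table (the example from the "Types of Data at Risk" section of a record that is harmless to disclose) ranks last, while the HR export and the order record rank first, which is where an audit should start. The DLP decision uses only the tier and destination, so adding a new detector is a matter of adding a pattern and a tier.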

Common Data Leak Scenarios

To better design security infrastructure around sensitive data, it helps to know common scenarios where data leaks occur. You may not even identify scenarios until they happen to your organisation. Here are a few ways an organisation could be victim to a data leak:

  • Employee brings files home from work: There’s a reason why larger corporations lock down USB drive access. Employees might think it’s harmless to take their work home and store data on their own devices, but it can lead to a data leak if the device is lost or insecurely stored.
  • Unencrypted data storage: Users and attackers could obtain unencrypted data through a permission error or an accidental transfer to publicly accessible cloud storage. Data sent in instant messages or emails is also vulnerable if unencrypted.
  • Password misuse: Employees who write down passwords or insecurely store them could disclose them accidentally to a third party. Strong passwords are key to preventing breaches and data loss, which is why it’s so important to educate your people on password awareness and best practices.
  • Outdated software: Developers release patches for known vulnerabilities, but administrators must take the initiative to install them. Security patches should be installed immediately, or attackers could exploit vulnerable data storage systems.
  • Software misconfigurations: When software is not configured properly to store files or data, it could openly disclose data without administrators being aware.
  • Development server compromise: Development environments are often loosely protected, but developers replicate production data to the development server for access. That might seem harmless, but developers could potentially configure the server or the environment in a way that discloses data.
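The software-misconfiguration scenario above ("without administrators being aware") and the monitoring item in the prevention list meet in access logs: a storage bucket that has silently become public shows up as successful object reads by unauthenticated requesters. The detector below is an added example written for this page, not vendor code. Its sample lines are constructed, with made-up owner IDs, request IDs, bucket names and documentation-range IP addresses, and follow the leading field order of S3 server access logs (bucket owner, bucket, [time], remote IP, requester, request ID, operation, key, "request URI", HTTP status); only those leading fields are parsed.

```python
# Added example: flag successful anonymous object reads in constructed
# S3-style server access log lines. Sample values are made up.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-)'
)

# Constructed sample log: an authenticated read, an anonymous read of a
# customer export, an anonymous read that was denied, and an anonymous read
# of a bucket that is public on purpose.
SAMPLE_LOG = """\
OWNERIDEXAMPLE leaky-bucket [06/Feb/2024:00:00:38 +0000] 192.0.2.10 arn:aws:iam::123456789012:user/alice REQ1 REST.GET.OBJECT customers/export.csv "GET /customers/export.csv HTTP/1.1" 200 - 20480 20480 12 9 "-" "aws-cli/2.15" -
OWNERIDEXAMPLE leaky-bucket [06/Feb/2024:00:05:02 +0000] 198.51.100.7 - REQ2 REST.GET.OBJECT customers/export.csv "GET /customers/export.csv HTTP/1.1" 200 - 20480 20480 15 11 "-" "curl/8.0" -
OWNERIDEXAMPLE hardened-bucket [06/Feb/2024:00:06:41 +0000] 198.51.100.7 - REQ3 REST.GET.OBJECT hr/payroll.xlsx "GET /hr/payroll.xlsx HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.0" -
OWNERIDEXAMPLE assets-bucket [06/Feb/2024:00:07:13 +0000] 203.0.113.9 - REQ4 REST.GET.OBJECT img/logo.png "GET /img/logo.png HTTP/1.1" 200 - 5120 5120 3 2 "https://www.example" "Mozilla/5.0" -
"""


def parse_line(line: str):
    """Parse the leading fields of one log line; None if it does not fit."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_anonymous_reads(log_text: str, intentionally_public=frozenset()) -> list:
    """Successful object reads by unauthenticated requesters ("-") on buckets
    that are not on the allow-list of intentionally public buckets."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["requester"] == "-" and rec["operation"] == "REST.GET.OBJECT"
                and rec["status"] == "200" and rec["bucket"] not in intentionally_public):
            findings.append({"bucket": rec["bucket"], "key": rec["key"],
                             "ip": rec["ip"], "time": rec["time"]})
    return findings


def anonymous_denied(log_text: str) -> int:
    """Count anonymous requests that were refused: a sign someone is probing."""
    return sum(1 for line in log_text.splitlines()
               for rec in [parse_line(line)]
               if rec and rec["requester"] == "-" and rec["status"] == "403")


def reads_per_bucket(findings: list) -> dict:
    """Aggregate findings by bucket for an alert summary."""
    return dict(Counter(f["bucket"] for f in findings))


if __name__ == "__main__":
    hits = find_anonymous_reads(SAMPLE_LOG, intentionally_public={"assets-bucket"})
    print(reads_per_bucket(hits), hits)
    print("anonymous requests denied:", anonymous_denied(SAMPLE_LOG))
```

With the assets bucket allow-listed, the only hit is the anonymous read of customers/export.csv from leaky-bucket, and the denied request against hardened-bucket is counted separately. A single such hit on a bucket that is not supposed to be public is worth an alert on its own; the per-bucket summary keeps the alert readable when a leak is being downloaded at volume.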

Real-World Examples of Data Leaks

Awareness of general scenarios helps with data governance and risk management, but even large corporations fall victim to threats. Here are a few real-world examples of data leaks that impacted large organisations or government entities:

  • The Texas Department of Insurance experienced an ongoing data leak not identified until 2022. The potentially accessible information included names, addresses, dates of birth, phone numbers, parts or all of social security numbers, and information about injuries and workers’ compensation claims.
  • A misconfigured database at Pegasus Airlines exposed 23 million files containing personal data online. The database contained flight charts, navigation materials, and information about the flight crew. The incident resulted in a significant loss of customer trust and a fine from regulators.
  • The Veterans Administration lost 26.5 million records with sensitive data, including social security numbers and dates of birth, after an employee took data home.
  • Idaho Power Company in Boise fell victim to a data leak after it sold used hard drives containing sensitive files and confidential information on eBay.
  • Loyola University disposed of computer hard drives containing sensitive student information without wiping them. The result was the disclosure of social security numbers and financial aid records.
  • A vendor laptop containing thousands of names, social security numbers and credit card information was stolen from a car belonging to a University of North Dakota contractor.
  • An error in Texas University’s software allowed unauthorised users to access names, courses, and grades for 12,000 students.

How Proofpoint Can Help

Identifying misconfigurations and gaps in data loss prevention (DLP) requires staff that can monitor and scan for these issues. Many organisations lack the personnel to properly plan for disasters and build infrastructure to secure data from unintentional data leaks. Proofpoint can take you from start to finish to design a data loss prevention plan and implement it. Our information protection experts help you classify data, automate data procedures, comply with regulatory requirements, and build infrastructure that supports effective data governance.

Proofpoint also offers comprehensive DLP solutions to prevent sensitive information from leaking outside your organisation. Our DLP products enable you to identify and analyse sensitive data unique to your organisation, detect data exfiltration transmissions, and automate regulatory compliance.

  • Enterprise DLP is a people-centric solution that brings context across content, behaviour, and threats together for a complete view of risk.
  • Email DLP detects sensitive data and confidential information and keeps it from leaking outside your organisation through email.
  • Endpoint DLP provides integrated content awareness along with behavioural and threat awareness, giving you granular visibility into your users’ interactions with sensitive data.

These solutions help organisations simplify discovery and quickly evaluate data to respond to any issue. For more information, contact Proofpoint.