A data leak is the unauthorized exposure of sensitive information, which violates privacy laws and regulations. It can lead to financial loss, identity theft, and reputational damage. Data leaks are sometimes referred to as data breaches, but there is a difference between the two. Data breaches involve malicious hacking, whereas data leaks are accidental and often result from negligence or oversight.
Human error is the leading cause of data leaks and breaches; incidents range from a simple 'reply all' mistake to massive hacking scandals. Data breaches can also occur when systems fail to protect data at rest or while it is in transit between storage locations.
Depending on the incident, the exposed data can include anything from personally identifiable information (PII) such as names, email addresses, phone numbers, and physical addresses, to passwords and security questions/answers, social media profiles, and trade secrets or intellectual property. Cybercriminals exploit PII to carry out various attacks, including social engineering, scams, and fraud.
In the past, companies have suffered from major data leaks when they were hacked by criminals, but increasingly these incidents are caused by internal issues. Insufficient training, misconfigurations, or a lack of updates can leave critical data exposed to hackers. Employees could also misplace or lose a mobile device that contains sensitive information or access to company systems. In addition, the proliferation of cloud computing can increase risk as companies use third-party services to store and manage data.
When companies are in transition, they can be particularly vulnerable to data leaks. For example, the migration from a desktop software model to a SaaS platform left Adobe vulnerable to hackers and resulted in millions of customers' personal information being publicly accessible online for an extended period of time in 2019. In 2021, Facebook revealed that its employees had been able to scrape 600 million user accounts for their own gain, including account IDs and passwords.