An example of a data leak is a software misconfiguration facilitating unauthorized access to sensitive resources - such as the major Microsoft Power Apps data leak in 2021.
An example of a data breach is a cybercriminal overcoming network security controls to gain access to sensitive resources. These cyber events are more common, and there are plenty of examples supporting this claim.
The outcome of data leaks and data breaches is the same - sensitive data is compromised. The primary differentiator between the two events is the trigger that leads to this outcome.
Data breaches require an external trigger to initiate a process leading to data compromise. This trigger is usually an action performed by a cybercriminal, such as a phishing attack.
Data leakage, on the other hand, results from an internal trigger. Internal security teams could overlook a software vulnerability exposing confidential data, or insider threats could purposely establish attack vectors for hackers to access sensitive data.
Data loss is another term commonly associated with data leaks and data breaches. Data loss occurs when sensitive data is irrevocably lost, either through theft or deletion. Data loss prevention (DLP) strategies aim to confine sensitive data within a set boundary to prevent its transfer into hostile environments.
What is Considered a Data Leak?
Any internal event exposing confidential information to an insecure environment that isn't a cyberattack is considered a data leak.
These events can be both digital and physical. Physical data leaks, such as insider threats, are more difficult to intercept because you're usually contending with a strategizing adversary rather than a static digital exposure.
Besides insider threats, a physical data leak could include insecure physical devices storing sensitive information, such as passwordless external hard drives. The inclusion of physical events widens the scope of data leaks and further differentiates them from data breaches, since breaches only occur in the digital realm.
Security policies and data security strategies must consider the diversity of data leak types to maximize the potential of mitigation efforts.
The types of data commonly exposed in a data leak include:
- Personally Identifiable Information (PII)
- Social security numbers
- Trade secrets
- Credit card numbers
- Financial information
- Intellectual property
- Personal data
- Medical or Personal Health Information (PHI)
Examples of Events that Cause Data Leaks
Some examples of security incidents that cause data leakage include:
- Misconfigured software settings
- Cloud storage misconfigurations (such as insecure Amazon S3 buckets)
- Firewall misconfigurations
- Software vulnerabilities
- Weak passwords (because they can be easily discovered with brute force methods)
- Physical theft of sensitive devices
Though it is triggered by an external factor, social engineering could also be considered a data leak vector. This is because the information exposed in a successful social engineering attack isn't always sensitive enough to be considered a breach. Instead, the information gained from these attacks provides just enough ammunition to access a private network and initiate a data breach campaign.
What is Considered a Data Breach?
Any event that exposes sensitive data due to cybercriminal activity is considered a data breach.
Data breaches and their associated damage costs are currently trending steeply upward. The average cost of a data breach in 2021 was US$4.24 million, a record high.
Data breaches have been around longer than data leaks. The recent explosion of digital transformation placed data leaks in the cybersecurity spotlight due to the resulting rapid expansion of the attack surface.
Because of this, data protection and security measures specific to data security are now becoming standard components of cybersecurity programs.
Examples of Events that Cause Data Breaches
Some examples of security incidents that lead to data breaches include:
- Malware infections
- Ransomware attacks
- Insecure endpoints
- System vulnerabilities
- Exfiltrated data posted in dark web forums
- Insecure passwords
- Third-party breaches
How to Prevent Data Breaches and Data Leaks in 2022
The motivation to prevent these cyber events should be more than just to avoid identity theft. Incident response policies must address these events because most security regulations, such as HIPAA and the GDPR, enforce this level of due diligence.
The price for non-compliance is high, especially for highly regulated industries like healthcare and finance.
The following cybersecurity best practices could help prevent data leaks, data breaches, and the considerable costs of these events:
- Monitor your internal and external attack surface for security exposures
- Implement a data leak detection solution
- Teach staff how to recognize and block social engineering attempts through educational webinars
- Use multi-factor authentication
- Use a single sign-on (SSO) solution to mitigate weak passwords and password recycling
- Monitor all network access
- Encrypt data at rest and in transit
- Secure all privileged access accounts