A data leak is an overlooked exposure of sensitive data usually occurring through a software vulnerability.
Data leaks can also be physical, like login credentials written on a post-it note. Any vector that facilitates unmitigated access to sensitive resources is considered a data leak.
The most critical category of data leaks is customer Personally Identifiable Information (PII) because its compromise could expose customers to further cyberattacks and data breaches.
Data leaks, if left unaddressed, could develop into data breaches if they’re discovered by cybercriminals. This is why the timely detection and remediation of data leaks should be a primary component of data breach prevention strategies.
Data Leak Examples
Data leaks most commonly occur through software vulnerabilities and misconfigurations. Other examples of data leaks include:
- Zero-day exploits
- Unsecured databases
- Poor access management
- Unsecured endpoints
- Software errors
- Careless employee practices
- System errors
Each of these events creates perforations in cybersecurity programs, giving cybercriminals seamless access to sensitive resources.
One of the most famous examples of a data leak was the Microsoft Power Apps exposure. By default, access controls on OData (Open Data Protocol) APIs were disabled, allowing public access to sensitive Power Apps databases.
UpGuard researchers discovered the data leak, which exposed up to 38 million records, and notified Microsoft, preventing a potentially catastrophic data breach.
What’s the Difference Between a Data Leak and a Data Breach?
The primary difference between a data leak and a data breach is whether or not the data exposure was initiated by cybercriminals.
A data breach is the intended outcome of a planned cyber attack, but a data leak is an unintentional pathway to sensitive resources through a security loophole. Unlike data breaches, data leaks usually stem from internal negligence.