Data Leak Meaning and Examples
A data leak happens when an internal party or source exposes sensitive data, usually unintentionally or by accident. The results of a data leak can range from loss of information to malicious exploitation. Often, data leaks lead to data breaches. But how do data leaks happen?
- Weak infrastructure: An improperly configured network infrastructure can allow data to be leaked, causing loss or even misuse. For example, cybersecurity company Cognyte left a massive database unsecured, with no authentication or authorization required for access. As a result, more than 5 million records were exposed online.
- Human error: Recent statistics reveal that human error is the primary cause of data leaks and breaches. Human error can cause leaks of various degrees, from an email sent to the wrong people to massive leaks caused by stolen credentials. An example is the massive data loss (almost 23 terabytes) suffered by the city of Dallas due to employee negligence in 2021.
- System error: System errors can leave networks vulnerable. In 2019, a Facebook vulnerability that has since been fixed allowed scammers to scrape the personal data of over 530 million Facebook users across 106 countries, including their email addresses, phone numbers, locations, and other details. In 2021, the data was posted on a hacking forum.
- Third-party vulnerabilities: Third-party applications and vendors may need access to your system or network, but they can pose a risk. An example was the Marriott data leak in 2020. Hackers took advantage of a third-party application to access over 5 million guest records.
- Malicious insiders: Leaks caused intentionally by malicious insiders are not as common as accidental leaks. In 2021, four lawyers at the Elliott Greenleaf law firm allegedly stole and deleted company files to help a competing law firm open a new office.
According to a recent report by the Identity Theft Resource Center (ITRC), data compromises went up by almost 70% in 2021, putting the total almost 25% above the previous all-time high set in 2017.
The average yearly cost of data breaches was nearly $4.5 million in 2021, so it is no wonder that more organizations are now implementing data protection measures to prevent data leakage and the consequences associated with it, such as regulatory fines, lawsuits, and loss of customer trust.
4 Types of Data Leaks and Their Consequences
1. Shadow IT
Employees contending with heavy workloads and very stringent deadlines may use workarounds and unapproved third-party applications and solutions to get things done. The resulting infrastructure is called “shadow IT.” Unsanctioned third-party applications and technology that employees are likely to use include:
- Cloud technology and storage
- Software-as-a-Service (SaaS) applications
- Web applications
Although employees using their own systems and devices can help with productivity, the risk is that shadow IT can lead to unauthorized access to data in the cloud, which can result in information leakage, changes to the data by unapproved users, and data corruption. Additionally, shadow IT creates blind spots for IT teams who may not become aware of the data leak until it is too late.
2. Legacy Tools
Despite technological advances, numerous organizations and their employees are still using certain legacy tools, such as external USB drives, desktop email applications, and public printers. While there is nothing inherently wrong with these tools, they can cause a leak. Imagine an employee losing a USB drive containing sensitive data in a public place. Or imagine private company documents being printed at home or a public printing center.
3. Privileged or Business Users
In 2018, Twitter urged its 330 million users to change and update their passwords after a bug exposed them. This was the result of a problem with the hashing process, which Twitter uses to protect its users’ stored passwords. The social networking site claimed it found and fixed the bug, but this is a good example of a vulnerability that could have been exploited.
Twitter also suffered a potential breach in May 2020, which could have affected businesses using its advertising and analytics platforms. An issue with its cache saw Twitter admit it was “possible” that some users’ email addresses, phone numbers, and the final four digits of their credit card numbers could have been accessed.
Phishing continues to be a popular way to attack businesses—because it works. Phishing tactics can expose and allow exploitation of sensitive company data if an employee:
- Clicks on a malicious link in an email
- Shares credentials with others
- Falls for social engineering scams
The consequences can range from unauthorized data access to the installation of malware and other malicious files.
Six Common Causes of Data Leaks
Because data leaks typically stem from internal issues, much can be done to identify vulnerabilities and apply preventative strategies. Additionally, staff members can be trained on best practices to reduce the threat of human error.
Here are some of the most common causes of data leaks:
1. Bad Infrastructure
Bad or weak infrastructures are made up of systems that are not configured properly or not maintained regularly. The wrong settings and permissions during initial configuration can lead to unauthorized access or insufficient security. Delays in maintenance, such as patching software or repairing and replacing bad components, can also lead to data exposure.
2. Social Engineering Scams
While social engineering scams may seem like an external attack, they are only successful if the target falls for them. Using emails and social media, criminals may seek to exploit unsuspecting employees to gain access to their organization’s network, system, or finances.
3. Poor Password Policies
Poor password policies, such as using the same credentials for multiple accounts and logins or not creating passwords that are complex enough, can lead to data leaks. Because malicious parties know that many people tend to reuse passwords for various accounts, once they successfully steal a user's password or convince them to reveal it, they will attempt to access as much data as possible.
4. Lost Devices
Lost or stolen laptops, USB storage devices, mobile phones, and other devices can result in major data leaks. Especially because more workers are now remotely accessing systems from various locations, these devices can become a doorway into an organization's network.
5. Software Vulnerabilities
Outdated software or software that has not been recently patched can put sensitive data at risk. Criminals may also create a vulnerability in open-source applications by writing it into the code.
6. Old Data
Most companies grow, expand, and evolve. Employees come and go, infrastructures are upgraded, and systems change, which may leave old data unprotected or exposed.
Four Ways Criminals Exploit Data Leaks
1. Social Engineering
In social engineering scams, the perpetrator first attempts to gain and then exploit the user's trust. They usually send an email enticing the recipient to click on a link that installs malware or another malicious program on their computer. Or they may use phishing attacks to get them to reveal credentials, financial or personal information, or convince them to make an unauthorized transaction.
2. Doxxing
Doxxing is a form of bullying or harassment and entails acquiring and then publishing the information of a person or company without their permission. Once sensitive or personal information becomes public, it can be used to gain access to online accounts, bank accounts, or credit card accounts.
3. Surveillance and Intelligence
Data from a leak can be used to blackmail certain entities, shape public opinion, manipulate outcomes, and gain favor. It can be very damaging but effective, particularly in politics and business espionage.
4. Disruption
People who exploit data leaks may misuse information to disrupt the operations of target organizations, such as businesses or government bodies.
Three Steps To Fix a Data Leak
Prevention is better than cure, so whether you are trying to contain a data leak or prevent one from happening in the first place, here are some steps to take:
1. Validate Cloud Storage Configurations
Cloud storage can easily become the source of a leak, so make sure it is secure when you first set it up and then periodically as your organization expands and evolves. Establish that the system is working as intended.
2. Automate Process Controls
As your organization grows, it can be difficult to ensure consistency and security. Automation can help because computers can handle the workload better than humans. Documenting and standardizing process controls ensure security policies that safeguard cloud storage are enforced.
3. Monitor Third-party Risk
Allowing third parties to access your systems is often a necessary risk, but data leaks can be minimized through vigilant monitoring. This is particularly important because your company is responsible for data security compliance, even if a leak is caused by a third party.
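The three steps above can be combined into one automated check. The following is an added example, not code from the original page or from Fortinet: it audits storage buckets against a documented policy, flagging public exposure and third-party access that is not on an approved list. The record layout follows S3-style ACL, bucket policy, and public-access-block fields, which is an assumption since the page names no provider; the bucket names, account IDs, and finding labels are constructed.

```python
import re

# Constructed inventory. The field names mirror S3-style ACL grants, bucket
# policy statements and public-access-block settings (an assumption; the page
# names no cloud provider). Bucket names and account IDs are made up.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
OWN_ACCOUNT = "111111111111"
APPROVED_VENDORS = {"222222222222"}  # the documented third parties

INVENTORY = [
    {"name": "hr-exports", "public_access_block": dict.fromkeys(PAB_KEYS, True),
     "acl_grants": [],
     "policy": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]},
    {"name": "legacy-reports", "public_access_block": None,
     "acl_grants": [{"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}],
     "policy": [{"Effect": "Allow", "Principal": "*"},
                {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::333333333333:root"}}]},
]

def principals(stmt):
    """Normalize a statement's Principal ("*", a string, or {"AWS": ...}) to a list."""
    p = stmt.get("Principal", [])
    if isinstance(p, dict):
        p = p.get("AWS", [])
    return [p] if isinstance(p, str) else list(p)

def audit(bucket):
    findings = []
    pab = bucket.get("public_access_block") or {}
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("public-access-block-incomplete")
    if any(g.get("URI") in PUBLIC_GROUPS for g in bucket["acl_grants"]):
        findings.append("acl-grants-public-group")
    for stmt in bucket["policy"]:
        if stmt.get("Effect") != "Allow":
            continue
        for p in principals(stmt):
            m = re.search(r"\d{12}", p)  # account ID inside the principal ARN
            if p == "*":
                findings.append("policy-allows-anyone")
            elif m and m.group() not in APPROVED_VENDORS | {OWN_ACCOUNT}:
                findings.append(f"unapproved-third-party:{m.group()}")
    return findings

def audit_all(inventory):
    return {b["name"]: audit(b) for b in inventory}
```

Run on a schedule against a fresh export of the storage configuration, a non-empty finding list for any bucket is the signal to review it before data is exposed.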
How Fortinet Can Help
Preventing data leaks can be challenging, and the challenge grows as your organization grows. Security teams need visibility and control to identify and mitigate any potential leaks. FortiCNP by Fortinet provides organizations with cloud-native protection services, including risk and threat management, data protection, and data security compliance.
What is a data leak?
A data leak refers to an event in which an internal party or source exposes sensitive data, usually unintentionally or by accident. The results of a data leak can range from loss of information to malicious exploitation. Often, data leaks lead to data breaches.
How does a data leak happen?
A data leak happens when someone from within the organization inadvertently exposes confidential data. It is often the result of outdated systems, poor password policies, stolen or lost devices, and software vulnerabilities.
How to fix a data leak?
Prevention is better than cure, so whether your security team has identified a data leak that needs to be contained or they are preventing leaks from even happening, they must ensure cloud storage configurations are correct, automate process controls, and monitor third-party risk.