What is a data breach, and how does it happen?

Data breaches are no longer rare — they're a part of doing business in the digital world. The more common they get, the more serious the consequences and the more pressure is put on individuals and companies to step up their cybersecurity game. In this article, we'll break down what a data breach actually is, why it happens, how it unfolds, and most importantly, how to reduce the risk. 

31 Jul 2025

What is a data breach?

A data breach is a security incident that happens when personal user information is accessed, disclosed, or stolen by someone who shouldn't have access to it. It could be personal details, like your email and login credentials, or corporate data like financial reports. A data breach is also known as a data leak, data spill, data theft, or information disclosure.

Cybercriminals make money off these breaches by selling stolen data, which includes anything from usernames and passwords to bank account numbers, protected health information, and biometric data. For businesses, it may be customer data or trade secrets. All of this leaves people or companies vulnerable to financial loss, identity theft, regulatory fines, and reputational damage.

People often confuse the term "data breach" with "cyberattack." But not all cyberattacks are data breaches. Only security breaches where someone accesses data without permission qualify.

For instance, a distributed denial of service (DDoS) attack that knocks a site offline is disruptive but not a data breach. A ransomware attack that locks down information and demands a ransom is a data breach. Someone stealing a laptop or USB drive loaded with unencrypted sensitive personal data is also a breach, even if no hacker is involved.

The cost of data breaches

According to IBM's Cost of a Data Breach Report 2024, the average cost of a data breach globally is $4.88 million. Breaches hit businesses of all sizes, and the price tag depends on how many data records are exposed and how fast the company responds.

Some regions get hit harder than others. A typical breach in the US costs $9.36 million, nearly four times the cost of a similar incident in India ($2.35 million). The more sensitive or regulated the data, the higher the stakes and the bigger the bill.

Healthcare data breaches continue to be the most expensive, with an average cost of $9.77 million per incident. Finance, insurance, and public sector organizations aren't far behind. In these fields, legal penalties and regulatory fines can easily double the damage.

Where does all that money go? A big chunk covers lawsuits, identity protection services, and customer support related to data loss. The rest is split between technical work like forensics and system repairs, plus the cost of notifying regulators and affected individuals.

Notable data breaches

These high-profile incidents exposed millions of people and put companies in the spotlight for all the wrong reasons:

  • MOVEit (2023). Hackers exploited a vulnerability in this file-transfer software, used by governments and corporations worldwide. The Cl0p ransomware gang hit over 2,000 organizations and exposed data from more than 60 million individuals.
  • Latitude Financial (2023). A breach of this Australian lender compromised 14 million records, including driver's licenses, passport numbers, and financial details.
  • Optus (2022). One of Australia's largest telcos leaked personal data of 10 million customers, leading to new national data security reforms.
  • T-Mobile (2023 and earlier). In just one of several incidents, 37 million customer accounts were exposed through API abuse. T-Mobile has suffered repeated breaches since 2018.
  • Equifax (2017). One of the largest data breaches in history. Hackers accessed 143 million Americans' personal data, including Social Security, credit card, and driver's license numbers.

PRO TIP: If you’re curious about how these breaches occur and how criminals profit from stolen data, check out the NordVPN dark web case study. It reveals the prices of sensitive data sold on dark web marketplaces, including payment card information, mobile phone numbers, online account details, personal documents, and email addresses.

Why do data breaches happen?

The short answer is that data is valuable. Personal info, login credentials, financial records, trade secrets — all of it can be sold, leaked, or used for leverage. And anywhere something is worth stealing, someone's looking to take it.

Many of the reported data breaches don't involve high-tech attacks. Most of the time, they happen because of something far more ordinary: human error. Misconfigured servers, weak passwords, or clicking the wrong link — these are still the top reasons data ends up exposed.

How do data breaches happen?

First, let's quickly address a common question: What is a cyberattack? It's any deliberate attempt to break into a system, disrupt it, or steal from it. Data breaches are often the result of successful cyberattacks or, just as often, the result of human mistakes and weak security protocols. Some of the most common breach methods include:

Malware

  • Ransomware. This type of malware locks a company's files and demands payment to unlock them. It can shut down entire businesses, with costs that go far beyond the ransom.
  • Spyware and keyloggers. They secretly track your activity, log keystrokes, and steal login credentials without your knowledge.
  • Trojans and worms. Disguised as legitimate software, they install backdoors or spread across networks to deliver payloads or open access for other attackers.
  • Malicious downloads. Clicking a fake software update or a compromised link can install a malicious file instantly.

Phishing

  • Deceptive messages. Cybercriminals pose as banks, coworkers, or services you use. Relying on social engineering techniques, they send emails, texts, or DMs designed to make you click first and think later.
  • Fake websites and forms. These sites look exactly like the real thing, but they're built to capture your credentials the moment you log in.

Human error

  • Misconfigurations. Someone forgets to password-protect a database or leaves a cloud folder wide open. It happens more often than you'd think, and it's one of the top causes of breaches.
  • Accidental disclosures. They may involve sending sensitive data to the wrong person, uploading files to the wrong location, or using unsecured communication channels.
  • Phishing click-throughs. Employees under pressure click suspicious links without thinking. It's not just carelessness — criminals design these messages to catch people off guard.

Weak passwords

  • Reused or predictable credentials. Using the same password everywhere or something easy to guess, like "qwerty," makes it incredibly easy for attackers to break in.
  • Unsecured storage. Keeping passwords in a notes app, spreadsheet, or saved in your browser without encryption leaves them exposed.

An inside job

  • Malicious insiders. Employees or contractors abuse their access, misusing data for profit, revenge, or leverage. This threat is especially dangerous in sectors like healthcare, where access to electronic health records (EHRs) can be abused to sell sensitive medical information or commit fraud.
  • Privilege misuse. Overprivileged users access data they shouldn't, either on purpose or by accident.

Technical faults

  • Unpatched software. Failing to install security updates leaves known vulnerabilities open for exploitation.
  • Weak infrastructure. Outdated firewalls, missing encryption, poorly configured APIs, or a lack of intrusion detection systems make systems easier to breach.

How to prevent data breaches

Let's be honest — you can't stop 100% of breaches. But you can make it a lot harder for someone to breach your data by following the tips below:

Shred documents

Get into the habit of destroying letters, bills, documents, or anything with pieces of your identity on it. Identity thieves don't need much to do serious damage.

Use secure websites

Before entering any personal info online, check the URL. It should start with "https" — the "s" means encrypted. If it's missing, walk away.

Create strong passwords

Skip the pet names and birthdays. Use a mix of uppercase and lowercase letters, numbers, and symbols. A good password manager will do the heavy lifting and keep things safe.

Use different passwords on every account

Using the same passwords on every account is a gift to attackers. If one account gets breached, they can unlock everything. To protect your accounts, use strong, unique passwords for each one, and ensure your passwords are stored securely with password encryption. Additionally, enable multi-factor authentication or two-factor authentication wherever possible to add an extra layer of security beyond just the password.
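The password advice in the two sections above, turned into a check you can run over your own accounts. This is an added example, not NordVPN's code: the account names, the sample passwords, and the short `PREDICTABLE` list are constructed for illustration, and the eight-character minimum follows the article's "over seven characters" guidance.

```python
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

# Constructed sample of predictable choices; "qwerty" is the article's example.
PREDICTABLE = {"qwerty", "password", "123456", "letmein"}
MIN_LENGTH = 8  # the article asks for "over seven characters"


def weaknesses(password):
    """Return the list of rule violations for one password."""
    found = ["too short"] if len(password) < MIN_LENGTH else []
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    found += [f"no {name}" for name, present in classes.items() if not present]
    # Strip digits and symbols so "Qwerty123!" is still caught as predictable.
    core = "".join(c for c in password.lower() if c.isalpha())
    if password.lower() in PREDICTABLE or core in PREDICTABLE:
        found.append("predictable")
    return found


def audit(vault):
    """vault maps account name -> password; the report never contains a password."""
    key = secrets.token_bytes(32)  # per-run key: digests are useless outside this run
    groups = defaultdict(list)
    for account, password in vault.items():
        digest = hmac.new(key, password.encode(), hashlib.sha256).digest()
        groups[digest].append(account)
    report = {account: weaknesses(pw) for account, pw in vault.items()}
    for accounts in groups.values():
        if len(accounts) > 1:
            for account in accounts:
                others = sorted(a for a in accounts if a != account)
                report[account].append("reused with " + ", ".join(others))
    return report


# Constructed sample vault (hypothetical accounts and passwords).
SAMPLE_VAULT = {
    "bank": "Qwerty123!", "email": "Qwerty123!",
    "forum": "qwerty", "school": "v7#Lq!pZ2w@Rk9",
}
```

Note that `Qwerty123!` satisfies every length and character-class rule and is still flagged twice, as predictable and as reused, which is why the article pairs composition rules with unique passwords and a password manager.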

Update your computer and mobile devices

Patches fix vulnerabilities. Set updates to auto where you can, especially for operating systems, web browsers, and antivirus tools.

Avoid public USB charging stations

Did you know that a regular public USB charging port can carry malware? Now you do. Using public USB ports to spread malware and steal data is called juice jacking. To avoid it, steer clear of the public USB ports you see at airports, or get a USB data blocker, which connects your device to the port while protecting it from malicious code.

Don't ignore your statements

Don't wait for fraud alerts. Check your statements regularly, even the small charges. Hackers often test stolen cards with tiny purchases before going big. Catching those $1 charges early could save you thousands.

Regularly check your credit reports

Your credit report will show if any accounts or loans have been opened in your name. Even if you see no suspicious activity now, check regularly. If you spot identity theft quickly, it will be easier to shut it down. 

Avoid data hoarding

The more data you have, the more data you can lose. Avoid accumulating large amounts of digital assets, regularly audit your data, and ensure it's stored securely. If you want to avoid data leaks, don't hoard data.

What should I do if I experience a data breach?

Not all breaches can be prevented. If it happens to you, follow these steps to take back control:

Step 1. Confirm the breach

Don't click on emails from companies telling you that a breach has occurred — scammers may write them to steal your personal information. Instead, call the company directly or wait for it to post about the breach on the official website.

Speaking of notice emails, if you're a business, you're required to notify individuals affected and regulators under data privacy law. For example, under the EU's General Data Protection Regulation (GDPR), you must report personal data breaches within 72 hours of discovery. In the US, all 50 states have their own data breach notification laws, and failing to act fast can mean fines, lawsuits, and lasting damage.

Step 2. Determine the type of breach

If your sensitive information has been exposed, some quick fixes can help you regain control, depending on what information it was.

If your Social Security number was breached

Report it immediately to the IRS. Social Security numbers (SSNs) are harder to replace than credit cards or bank details. Your SSN can be used to assume your identity, file fake tax returns, rent or buy properties, and commit any number of crimes, all in your name.

If your password was exposed

Change and strengthen your password and security questions immediately. Choose something over seven characters, make it nonsensical, and use a password manager so you don't forget it.

If a company that you have an account with has been breached

Immediately change your username and password and double-check you haven't used the same credentials elsewhere. For critical services like banking, healthcare, or school records, use a separate email and unique passwords. One compromised login shouldn't expose everything you own.

Step 3. Accept the offered protection

If the company offers free credit monitoring or identity theft protection, take it. These services can catch suspicious activity before you do, and if your data was compromised on its watch, it should be footing the bill.

Rustė Tervydytė | NordVPN

A certified geek, Ruste approaches every cybersecurity topic with curiosity and a knack for breaking down complex concepts. She's on a mission to make cybersecurity accessible, practical, and even a bit fun for readers.