When sensitive information becomes available to outside sources, you have a data leak on your hands. Data leaks are real threats that are easy to ignore. But across all the places your company stores and moves data, it’s only a matter of time until an accidental exposure of information will put your business at risk.
Data leaks might seem trivial, but treating them as minor would be a big mistake. Think of your business like a ship: a data leak might start as a bit of water seeping in. Over time, several small leaks can begin flooding the deck — or maybe one small leak grows to sink the whole ship. This out-of-control leak is now a full-on data breach. Even if you manage to avoid a breach, multiple leaks can still lead to logistical headaches, financial burdens, and a damaged reputation.
The question isn’t if your data will leak (if it hasn’t already) but when — and how quickly the leak will get out of control. Thanks to the increasing number of regulatory requirements around reporting leaks, including the SEC’s recent updates, you can’t simply patch up a leak and move on.
But with the right tools in place, your organization can prevent a data leak from turning into a breach. By spotting and immediately addressing a leak, you can stop it from overflowing. And with a proactive security culture across people, process, and technology, you’ll be in good shape to keep your ship sailing despite any rough seas you might encounter.
Read on to learn more about what data leaks are, where they come from, and what you can do about them.
What is a data leak?
A data leak occurs when sensitive internal data accidentally becomes accessible to external parties. Data leaks can be physical as well as digital, and data leakage can come from a variety of sources, such as misconfigured servers, compromised devices, and weak security culture.
Although they might seem minor, data leaks can do a lot of damage and pose a real threat to your company. Reputational damage can lead to customer churn and lost sales. Regulatory fines and lawsuits can hurt your company’s bottom line, and you might lose your employees’ trust, leading to workforce volatility.
Data leak vs. data breach
Most data leaks pose a small but manageable risk to a company’s finances, brand reputation, and employee trust, while a data breach is a data leak that has spiraled out of control. A data breach’s effects on the company create significant costs that threaten the company’s very survival.
Because no two companies are exactly alike, a data leak for one company might be a breach for another, based on company size, finances, and resources. A large, established company might be able to weather large fines, lost customer confidence, and lawsuits, but a small startup might go under from just a couple minor data leaks. But for both enterprise and smaller players, catching and repairing a leak should be a top priority, because the consequences of a leak-turned-breach can be severe.
Both data leaks and breaches can come from within an organization, often resulting from an accidental employee mistake. Not all data leaks result from employee negligence, though. For example, an insider might maliciously share data with a third party. To be clear, 80% of incidents are not malicious, but regardless of intent, leaks have the potential to balloon and take your business down.
Leaks don’t get the same airtime and attention as breaches. We often hear about big data breaches that make headlines and cost companies millions. But data leaks, while smaller, can still cause serious pain, especially for those working in the security space. With the recent December 2023 SEC regulation updates, you may need to report even small leaks if they significantly alter the overall security reputation of your company.
Causes of data leakage
Now that we know what data leaks are and how they’re different from data breaches, let’s look at how and why data leaks happen. Most data leaks stem from one of a few key sources.
1. Misconfigured infrastructure
Correctly configuring infrastructure is crucial to protecting your data. Incorrect configurations can leak credentials, source code, and more. It’s easy to sprout a leak with outdated software, improper permissions, or without the right authentication for your servers, apps, and firewalls.
A frequent source of misconfiguration crops up in Amazon Web Services (AWS): for example, weak permissions around Simple Storage Service (s3) buckets are a frequent way outsiders can gain access to internal data and infiltrate other internal systems.
As a result, robust cloud application security is a must for your organization. Investing in the right training, processes, and policies is crucial when protecting your company’s servers, APIs, and tools from leaks.
2. Social engineering
Social engineering is a regular tactic of cyber criminals, who trick insiders into sharing credentials or other sensitive information. A common type of social engineering is phishing, where an outsider will pretend to be a trusted source who needs the insider to provide information like usernames and passwords.
Because the threat originates from outside the organization, social engineering might seem like an external threat, but social engineering only works when an insider like an employee falls for the scheme. For instance, a criminal might pose as a company’s CEO and email members of the finance department, asking for login credentials to the company’s accounting software. If someone provides the credentials, the criminal gets instant access to the company’s financial data — and may even be able to access other systems, tipping the leak into a breach.
3. The human element
Even without external bad actors trying to gain access to your data, insiders can unintentionally leak data all on their own. Everyday matters like password hygiene or using external contractors can increase your risk. Here are a few things to keep an eye on:
- Bad, weak, or shared passwords: When employees don’t follow password best practices, they unintentionally make a cyber criminal’s job that much easier. But password hygiene is an easy fix: have employees use a password manager or multi-factor authentication.
- Potential for employee laziness or negligence: When security controls become inconvenient, employees might try to work around them. Imagine an employee getting tired of having to log into a secure file transfer protocol directory to upload files: they may decide to email them insecurely instead.
- Third-party contractors: Contractors may not work for your company, but they often have insider access to internal systems. For instance, an engineering contractor might have access to your company’s source code, or an accounting consultant might be looking at your company’s sensitive financial information.
- Devices: Lost, stolen, or compromised devices like phones, laptops, and hardware can all lead to data leakage if they fall into the wrong hands.
4. Zero-day vulnerability
A zero-day vulnerability means that the company isn’t even aware that they’re at risk of a leak. That is, they’ve had zero days to address the problem. Zero-day vulnerabilities are worrying, because they may only become obvious once the leak has grown into a breach.
Zero-day vulnerabilities can crop up when companies don’t update dependencies as soon as new releases become available. Additionally, zero-day vulnerabilities can be gaps that the company has not discovered yet, like an input field that can accept text containing malicious scripts.
Your company doesn’t know what it doesn’t know, and you might be at risk if you’re operating with out-of-date software or publishing code that your engineers haven’t tested for vulnerabilities. Bad actors can easily exploit a zero-day vulnerability and use it as the starting point for a cyber attack.
What types of data are most commonly at risk of being leaked?
The term “data leak” can seem pretty broad. What specific kinds of information might be part of a data leak? Most data involved in leaks has the potential to compromise your organization’s customers, employees, and proprietary internal knowledge:
- Customer data: Phone numbers, addresses, emails, credit card numbers, social security numbers, and other personally identifiable information
- Internal employee data: Addresses and emails as well as human resource information like background checks, passport scans, and compensation data
- Intellectual property: Research, trade secrets, internal documentation, and source code
- Security credentials: Passwords or phone numbers for multi-factor authentication (MFA)
Data leakage examples
Many companies have experienced leaks like those described above. A few key examples from industry leaders highlight just how much harm data leakage can cause.
Boeing
Global aerospace company Boeing experienced a leak when in 2017 one of its employees emailed a spreadsheet to his wife, a non-employee. He hoped that she could help him with some formatting issues, but he didn’t realize that the spreadsheet included personal data of 36,000 Boeing employees within hidden columns.
By emailing the spreadsheet to an unsecured device and non-employee email account, he went around security protocols and compromised the employee IDs, place of birth, and social security information of his coworkers.
Boeing said it was confident that the data stayed limited to the employee’s device and his wife’s, but it did offer all affected employees two years’ worth of free credit monitoring — an estimated cost of $7 million.
Microsoft
Software giant Microsoft experienced firsthand what can happen from careless mistakes.
In August 2022, cyber security firm spiderSilk noticed leaked login credentials in Microsoft’s Github environment. If cyber criminals had found the credentials, they could have been the entry point to access Microsoft’s Azure servers and possibly other internal systems.
The effects of exposed Microsoft data and source code could have been catastrophic for the organization, its customers, and its employees. Although Microsoft didn’t disclose the specific systems the credentials gave entry to, if outsiders had gained access to European Union customer information, Microsoft could have received a fine of up to €20 million for violating GDPR regulations.
Upon further investigation, Microsoft confirmed that no one accessed the data and is implementing new safeguards to prevent another leak.
Amazon
Many companies rely on AWS products, including Amazon S3, but incorrect configurations of S3 buckets have led to leaks. For example, in 2019, researchers at firm vpnMentor found a publicly available s3 bucket full of data from the human resources departments of multiple UK consulting firms. These files included sensitive personnel information like passports, tax documents, background checks, dates of birth, and phone numbers.
How to prevent data leaks
Data leaks pose a threat to all companies — even well-known and seemingly secure organizations aren’t immune. Preventing and containing data leakage often comes down to taking proper precautions so that you can catch a data leak before it swells into a breach. Here are a few ways to do so:
- Get visibility into your company’s data: Monitoring all data across your company’s digital spaces will help you quickly detect any unusual movement. Be aware of where all your data is, including both structured and unstructured data. Additional surveillance on important data and flagging critical assets will help catch any anomalous movement of your most sensitive information.
- Respond based on the severity of the incident: Once you have strong monitoring in place, tailor your response to each movement based on its risk profile and severity. Too many controls on data movement can actually slow employees down, so use automation to customize responses to specific actions so your employees can keep working efficiently. With automation, your security team can put in place safeguards that catch data leaks in real time while keeping your teams effective.
- Educate your employees: Because so many leaks are the result of human error, creating awareness will help prevent leaks from springing. Consider implementing regular security training and a security program to help foster a culture of awareness.
Stop data leaks with Code42’s Incydr™
It’s clear that data leaks are a pervasive problem that can negatively impact your company’s data, reputation, and finances. With the many different ways data leaks can occur, addressing them might seem overwhelming. And even with strong security programs and education, data leaks can and will still happen.
To help your business anticipate, prevent, and respond to data leaks, you must use the right tools. Code42 Incydr provides full visibility across your cloud and endpoints to detect data leakage throughout your org. Monitor data movement across browsers, USB devices, cloud apps, Salesforce, emails, Git, and more.
Company-wide monitoring paired with contextual prioritization creates a solid foundation to protect your organization’s intellectual property. From day 1 of deployment, detect risky movements like files moving outside your trusted environment to personal accounts and unmanaged devices.
