What is a Data Breach?
A data breach occurs when an unauthorized party gains access to sensitive information held by an organization. This can happen through hacking, insider threats, accidental exposure, or physical theft of devices containing data.
The consequences extend far beyond the initial incident. Breached data often ends up for sale on dark web marketplaces, where criminals use it for identity theft, financial fraud, credential stuffing attacks, and targeted phishing campaigns. For organizations, breaches bring regulatory fines, lawsuits, reputational damage, and loss of customer trust.
Key Statistic
The global average cost of a data breach reached $4.88 million in 2024, according to IBM's Cost of a Data Breach Report. Healthcare breaches averaged nearly $10 million.
How Data Breaches Happen
Most breaches fall into one of these categories:
Stolen Credentials
The most common cause. Attackers use phished, purchased, or brute-forced passwords to log into systems. Credential stuffing—testing leaked username/password pairs across many sites—is automated and widespread. See our phishing examples guide for how credentials get stolen.
Exploited Vulnerabilities
Unpatched software with known security flaws is one of the most exploitable entry points. Attackers scan for vulnerable systems and exploit them to gain access to databases and file servers containing sensitive data.
Ransomware and Malware
Modern ransomware gangs don't just encrypt files—they steal data first. This "double extortion" approach means even organizations with backups face data exposure. Learn more in our ransomware guide.
Insider Threats
Employees, contractors, or partners with legitimate access who misuse it—either maliciously or through negligence. Misconfigured cloud storage buckets fall into this category too.
Third-Party and Supply Chain
A vendor or service provider gets breached, exposing their customers' data. The MOVEit and SolarWinds incidents showed how a single compromised vendor can affect thousands of downstream organizations.
Types of Data Exposed in Breaches
Not all breaches are equal. The type of data exposed determines the severity and risk:
| Data Type | Risk Level | Potential Impact |
|---|---|---|
| Email + password | Medium | Account takeover via credential stuffing |
| SSN / Government ID | Critical | Identity theft, fraudulent tax returns, loan fraud |
| Credit card numbers | High | Financial fraud (though cards can be cancelled) |
| Medical records | Critical | Insurance fraud, blackmail; medical history can't be changed |
| Session tokens / cookies | High | Immediate account access without passwords |
| Biometric data | Critical | Permanent compromise—you can't change fingerprints |
Notable Data Breaches
Yahoo (2013-2014)
3 billion accounts. The largest breach ever disclosed. All Yahoo accounts were compromised, exposing names, email addresses, phone numbers, dates of birth, and hashed passwords.
Equifax (2017)
147 million people. SSNs, birth dates, addresses, and driver's license numbers stolen due to an unpatched Apache Struts vulnerability. Equifax paid $700 million in settlements.
MOVEit (2023)
2,600+ organizations. The Cl0p ransomware gang exploited a zero-day in MOVEit Transfer, compromising thousands of organizations through a single supply chain vulnerability. Over 90 million individuals affected.
What to Do After a Data Breach
If your data was exposed in a breach, take these steps immediately:
Change compromised passwords immediately
Change the password for the breached service and any other account where you reused it. Use unique passwords going forward.
Enable two-factor authentication
Add 2FA to the breached account and all important accounts, especially email and banking.
Freeze your credit
Contact Equifax, Experian, and TransUnion to freeze your credit. This prevents anyone from opening new accounts in your name.
Monitor your accounts
Watch for unauthorized transactions, unfamiliar login alerts, and suspicious emails. Set up alerts on your financial accounts.
Accept credit monitoring offers
If the breached company offers free credit monitoring, sign up. It provides additional visibility into potential identity theft.
For broader protection strategies, see our online safety tips guide.
How Organizations Prevent Data Breaches
- Encrypt data at rest and in transit — Even if attackers access the database, encrypted data is far harder to exploit
- Implement least-privilege access — Employees should only access data they need for their role
- Patch promptly — Most breaches exploit known vulnerabilities with available patches
- Deploy MFA everywhere — Multi-factor authentication blocks credential-based attacks
- Monitor for anomalies — SIEM systems and anomaly detection can catch breaches early, reducing exposure
- Vet third-party vendors — Supply chain attacks are growing; assess vendor security posture regularly
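As an illustration of the "monitor for anomalies" item applied to the credential stuffing described earlier, here is an added example (not part of the original article) of a detection rule that flags a source IP whose failed logins touch many distinct accounts in a short window. The log line format, field names, and thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log; line format and field names are assumptions.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login_failed user=alice ip=203.0.113.7
2024-05-01T10:00:02Z login_failed user=bob ip=203.0.113.7
2024-05-01T10:00:03Z login_failed user=carol ip=203.0.113.7
2024-05-01T10:00:04Z login_failed user=dave ip=203.0.113.7
2024-05-01T10:00:05Z login_ok user=erin ip=203.0.113.7
2024-05-01T10:01:10Z login_failed user=alice ip=198.51.100.20
2024-05-01T10:01:25Z login_failed user=alice ip=198.51.100.20
2024-05-01T10:01:40Z login_ok user=alice ip=198.51.100.20
this line is malformed and must be skipped
"""
LINE_RE = re.compile(r"^(\S+) (login_failed|login_ok) user=(\S+) ip=(\S+)$")

def parse(log_text):
    """Return sorted (timestamp, outcome, user, ip) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Flag IPs whose failed logins hit >= min_users distinct accounts within window."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)] in time order
    for ts, outcome, user, ip in events:
        if outcome == "login_failed":
            failures[ip].append((ts, user))
    findings = {}
    for ip, fails in failures.items():
        start, targeted = 0, set()
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            users = {u for _, u in fails[start:end + 1]}
            targeted = max(targeted, users, key=len)  # widest spread seen so far
        if len(targeted) >= min_users:  # a success from a flagged IP needs a reset
            succeeded = {u for t, o, u, i in events if i == ip and o == "login_ok" and t >= fails[0][0]}
            findings[ip] = {"targeted": targeted, "succeeded": succeeded}
    return findings

if __name__ == "__main__":
    print(detect_stuffing(parse(SAMPLE_LOG)))
```

The rule counts distinct accounts per source rather than total failures, so a user mistyping their own password several times is not flagged. Any account in the "succeeded" set logged in from a flagged source and should be treated as compromised until its password is reset.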
Frequently Asked Questions
How do I know if my data was in a breach?
Check haveibeenpwned.com by entering your email address. It searches known breach databases and tells you which incidents exposed your data. Many breaches also trigger notification emails from the affected company.
Can I sue a company for a data breach?
In many cases, yes. Class action lawsuits are common after large breaches, and regulations like GDPR allow fines and individual claims. Whether you have standing depends on the jurisdiction, the data exposed, and whether you suffered actual harm.
How long do companies have to report a breach?
It varies by jurisdiction. GDPR requires notification within 72 hours. US state laws range from 30 to 90 days. SEC rules require disclosure within 4 business days for public companies. Many companies take far longer than legally required.
Should I accept free credit monitoring after a breach?
Yes, always accept it. It costs you nothing and provides an extra layer of monitoring. However, don't rely on it as your only protection. Freeze your credit with all three bureaus for stronger protection against identity theft.