7 Most Common Types of Data Breaches


Josh Amishav · Last updated Mar 21, 2026

Learn the seven types of data breaches and how to defend against each one.

• Credential theft is the #1 breach type. Attackers buy stolen passwords from dark web markets and log in. Your security tools see nothing wrong because the credentials are real. Credential monitoring is the only way to catch this before it becomes a breach.
• Phishing and ransomware get the headlines, but supply chain attacks cost the most at $4.91 million per incident. When your vendor gets compromised, their problem becomes your problem.
• Insider threats and cloud misconfigurations are the hardest to detect because the access is legitimate. The person or system has permission to be there. Only the action is wrong.
• No single control stops all seven types. You need layered defenses. MFA stops credential theft. Backups stop ransomware encryption. Monitoring stops what slips through everything else.

The Verizon 2025 DBIR found that stolen credentials were involved in 22% of breaches. Phishing caused 16%. Supply chain attacks cost $4.91 million on average.

Each breach type has a different entry point and a different defense. Treating them all the same is how companies get caught off guard.

This guide breaks down the seven most common types of data breaches, with real examples and the specific controls that stop each one.

What Are the Main Types of Data Breaches?

Not all breaches look the same. The method and the defense are different for each type.

A data breach is a security incident where sensitive data is accessed or exposed by unauthorized parties. Breaches are categorized by how attackers get in – stolen credentials, phishing, ransomware, insider access, and others. Each type requires different detection and prevention strategies.

IBM’s 2025 report found that the average breach costs $4.44 million. But that number varies dramatically by breach type. Insider breaches cost $4.92 million. Supply chain attacks cost $4.91 million. Credential theft costs $4.67 million. Knowing which types you’re most vulnerable to helps you invest in the right defenses.

Type 1: Credential Theft

This is the most common type of data breach and the hardest to detect.

Attackers get valid passwords from two main sources: third-party data breaches where employee passwords were reused, and infostealer malware that harvests saved browser passwords. Phishing pages that capture login details are another common source. Those credentials end up on dark web marketplaces, often within hours.

Then attackers log in. Your firewall sees a legitimate user. Your EDR sees normal behavior. Nothing triggers an alert because the credentials are real.

The Verizon 2025 DBIR found that stolen credentials were involved in 22% of all breaches. IBM found that these breaches cost $4.67 million on average and take 246 days to detect – the longest of any attack vector.

The Ticketmaster breach in 2024 showed exactly how this works. It exposed data on 560 million customers. Attackers used credentials stolen by infostealer malware to access Ticketmaster’s Snowflake cloud account. No exploit was needed. They had valid login details.

Enforce MFA everywhere. Mandate password managers to eliminate reuse. And monitor for leaked credentials with dark web monitoring so you can force resets before attackers use them.
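The sketch below shows what acting on leaked-credential monitoring can look like: matching feed records against your own directory and deciding who needs a forced reset. It is an added example, not code from this article or any vendor; the feed and directory field names, the sample records, and the action names are all assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample feed of leaked-credential records (field names assumed).
LEAKS = [
    {"email": "alice@example.com", "source": "third_party_breach", "seen": date(2025, 2, 1)},
    {"email": "Alice@Example.com ", "source": "infostealer", "seen": date(2025, 3, 2)},
    {"email": "bob@example.com", "source": "third_party_breach", "seen": date(2024, 1, 10)},
    {"email": "carol@example.com", "source": "third_party_breach", "seen": date(2025, 2, 20)},
    {"email": "dave@vendor.test", "source": "infostealer", "seen": date(2025, 3, 1)},
]

# Constructed directory export: last password change and MFA status per account.
DIRECTORY = {
    "alice@example.com": {"pw_changed": date(2025, 1, 15), "mfa": True},
    "bob@example.com": {"pw_changed": date(2024, 6, 1), "mfa": False},
    "carol@example.com": {"pw_changed": date(2024, 11, 5), "mfa": False},
}

def triage(leaks, directory):
    """Map each affected account to the set of response actions it needs."""
    actions = {}
    for leak in leaks:
        email = leak["email"].strip().lower()   # feeds vary in case and spacing
        account = directory.get(email)
        if account is None:
            continue                            # not an account we manage
        if leak["seen"] <= account["pw_changed"]:
            continue                            # rotated since the leak surfaced
        todo = actions.setdefault(email, set())
        todo.add("force_password_reset")
        if leak["source"] == "infostealer":
            # The machine that saved the password was infected, so end its sessions.
            todo.add("revoke_sessions")
        if not account["mfa"]:
            todo.add("enroll_mfa")
    return actions
```

Comparing the leak date with the last password change keeps stale leaks from triggering resets, so the queue holds only passwords that may still work.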

Type 2: Phishing and Social Engineering

Attackers don’t need to find a technical vulnerability when they can trick someone into handing over access.

Phishing is the second most common breach vector, responsible for 16% of breaches according to IBM’s 2025 report. The average phishing breach costs $4.80 million.

Modern phishing goes far beyond obvious scam emails. Attackers research their targets and clone real login pages. The fakes are hard to distinguish from legitimate ones. Even security-aware employees get caught when the fake is convincing enough.

Business email compromise (BEC) takes this further. Attackers impersonate executives to authorize wire transfers or data access. No malware involved – just a convincing email from what looks like the right person.

In 2020, attackers called Twitter employees and convinced them to hand over internal tool access through social engineering. They hijacked high-profile accounts including Barack Obama and Elon Musk. Pure human error, no technical exploit.

MFA blocks most phishing attacks that capture passwords. Email filtering catches the obvious fakes. Regular phishing simulations train employees to spot the rest. But no training program is 100% effective, which is why technical controls matter more than awareness alone.

Type 3: Ransomware and Extortion

Ransomware has evolved from simple encryption to a double extortion model. Attackers steal your data first, then encrypt your systems. Even if you restore from backups, they threaten to publish the stolen data unless you pay.

IBM’s 2025 report found that ransomware incidents cost $5.08 million on average when the attacker disclosed the breach. The average ransom payment dropped to about $1 million in 2025 (down 50% from 2024), but total attack costs keep climbing because recovery and legal expenses don’t go down.

63% of victims now refuse to pay, up from prior years. But refusing to pay doesn’t mean the breach is cheap.

Colonial Pipeline is the cautionary tale. They paid $4.4 million in ransom in 2021 after attackers used a single compromised VPN password to access their network. The password had been reused from a previous breach. That one credential shut down fuel delivery across the eastern US.

Offline, immutable backups are your last line of defense. Network segmentation limits how far attackers can spread. Credential monitoring catches the stolen passwords that give attackers their initial access – like the Colonial Pipeline VPN credential.

Type 4: Insider Threats

Not all breaches come from the outside. Sometimes the person causing the breach already works for you.

An insider threat is a security risk from someone with legitimate access to your systems, like an employee or contractor. Insider threats can be malicious (deliberate theft or sabotage) or accidental (sending data to the wrong person, misconfiguring access controls). Both types create real breaches.

IBM found that malicious insider breaches cost $4.92 million on average – the most expensive of any attack vector. They’re also harder to detect because the person has permission to access the data. The activity looks normal. Only the intent is wrong.

Accidental insider threats are more common than malicious ones. An employee emails a spreadsheet of customer data to the wrong recipient. A developer pushes API keys to a public GitHub repo. A manager shares credentials over an unsecured channel.

In 2023, a Tesla employee leaked personal data of over 75,000 employees to a German news outlet. The data included names, addresses, and Social Security numbers. Tesla confirmed it was an insider who violated company policies.

Least privilege access limits what any single person can reach. Data loss prevention (DLP) tools flag sensitive data leaving the network. Access reviews catch permission creep. And insider threat detection watches for anomalous behavior from legitimate accounts.

Type 5: Supply Chain Breaches

When your vendor gets breached, their problem becomes your problem.

Supply chain attacks are the second most expensive breach type at $4.91 million per incident. They also take the longest to resolve at 267 days on average (IBM 2025). The challenge is that you’re not being attacked directly – the compromise happens upstream.

Attackers target vendors because one compromised vendor gives them access to hundreds or thousands of downstream customers. It’s more efficient than attacking each company individually.

The SolarWinds attack in 2020 is still the largest known supply chain breach. Attackers inserted malicious code into a routine software update. Over 18,000 organizations downloaded the compromised update, giving attackers access to government agencies and Fortune 500 companies. The breach went undetected for over 14 months.

The MOVEit breach in 2023 followed a similar pattern – attackers exploited a vulnerability in a widely used file transfer tool, compromising data from hundreds of organizations that used the service.

Assess your vendors’ security practices before giving them access. Monitor for their exposed credentials too, not just your own. Limit vendor access to the minimum needed. And have a plan for what you’ll do when (not if) a vendor gets compromised. See our guide on third-party risk management.

Type 6: Cloud Misconfiguration

Misconfigured cloud services have caused some of the largest data leaks in recent years. Unlike other breach types, these aren’t attacks at all. Nobody breaks in. The data is just sitting there, exposed.

Common misconfigurations include publicly accessible S3 buckets on AWS and databases with default credentials. Automated scanners find these within hours of exposure.

The problem is growing because cloud environments are complex and change constantly. A single misconfigured setting can expose millions of records. And because there’s no attacker to detect, traditional security tools don’t flag it.

In 2022, Microsoft disclosed that a misconfigured endpoint exposed business transaction data of over 65,000 entities. The data was accessible to anyone with the URL. No authentication required.

Audit cloud configurations against your provider’s security benchmarks. Automate compliance checking so misconfigurations get flagged before they’re exploited. Never use default credentials. And treat cloud security as an ongoing process, not a one-time setup.
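An automated check for the publicly accessible S3 bucket case can be as small as the sketch below, which is an added example and not code from this article or from AWS. It assumes each bucket's ACL, policy and public access block settings have already been exported into one dictionary (that combined layout and the bucket names are constructed for illustration; the inner field names follow the S3 API).

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _wildcard(principal):
    """True if a policy Principal is "*" or lists "*" as an AWS principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(cfg):
    """Return a list of findings for one bucket's exported configuration."""
    pab = cfg.get("PublicAccessBlock") or {}
    findings = []
    # ACL grants to the global groups are public unless IgnorePublicAcls is on.
    for grant in (cfg.get("Acl") or {}).get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS) and not pab.get("IgnorePublicAcls"):
            findings.append(f"acl: {grant.get('Permission')} for {uri.rsplit('/', 1)[1]}")
    # Allow statements with a wildcard principal are public unless restricted.
    stmts = (cfg.get("Policy") or {}).get("Statement", [])
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        if st.get("Effect") != "Allow" or not _wildcard(st.get("Principal")):
            continue
        if pab.get("RestrictPublicBuckets"):
            continue
        # Simplification: a Condition may narrow access, so flag for review.
        kind = "review" if st.get("Condition") else "policy"
        findings.append(f"{kind}: {st.get('Sid', 'unnamed')} allows Principal *")
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("pab: public access block not fully enabled")
    return findings

# Constructed sample configurations (bucket names are placeholders).
BUCKETS = {
    "example-open": {
        "Acl": {"Grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]},
        "Policy": {"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
                                  "Principal": "*", "Action": "s3:GetObject"}]},
    },
    "example-locked": {
        "PublicAccessBlock": dict.fromkeys(PAB_KEYS, True),
        "Acl": {"Grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]},
    },
}
```

Calling `audit_bucket` on each exported bucket in a scheduled job turns the one-time review into the ongoing check the paragraph above asks for.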

Type 7: Physical Breaches

The least technical breach type and the one most companies overlook.

Physical breaches happen when someone steals a laptop or accesses a server room without authorization. They don’t require any hacking skills. They just require physical access.

In 2017, a Lifespan Health System employee left an unencrypted laptop in their car. It was stolen. The laptop contained protected health information on 20,431 patients. HHS fined Lifespan $1.04 million – not because the laptop was stolen, but because they’d already decided encryption was necessary and still hadn’t done it.

Encrypt all devices. Enforce screen locks. Restrict physical access to server rooms and data centers. Have a process for remote wiping lost devices. And make sure terminated employees return all hardware immediately.

How Do You Protect Against All Types?

No single control stops every breach type. The seven types above exploit different weaknesses – credentials, human judgment, vendor trust, and configuration errors.

The most effective protection combines:

  • MFA to block credential theft and phishing
  • Offline backups to survive ransomware
  • Least privilege access to limit insider damage
  • Vendor assessments to manage supply chain risk
  • Cloud configuration auditing to catch misconfigurations
  • Full disk encryption to protect against physical theft
  • Credential monitoring to catch exposed passwords across all breach types

Credential theft is the thread that runs through most of these. Phishing steals credentials. Infostealers harvest them. Insider threats abuse them. Supply chain attacks exploit vendor credentials. Monitoring for leaked passwords is the one control that addresses the most common element across all breach types.

Book a demo to see how Breachsense monitors the dark web for your organization’s exposed credentials.

Types of Data Breaches FAQ

The seven most common types are credential theft, phishing and social engineering, ransomware and extortion, insider threats, supply chain breaches, cloud misconfiguration, and physical breaches. Credential theft is the most common, involved in 22% of breaches according to the Verizon 2025 DBIR.

Malicious insider breaches cost $4.92 million on average, followed closely by supply chain breaches at $4.91 million. Credential-based breaches cost $4.67 million. The most expensive breach type for YOUR company depends on what data you hold and how fast you detect the breach. See our data breach statistics for the full cost breakdown.

Credential theft. The Verizon 2025 DBIR found that stolen credentials were the top initial access vector. Attackers get passwords from third-party breaches and infostealer malware. Then they log in as if they’re the real user.

Each type needs different controls. MFA blocks credential theft. Email filtering and training reduce phishing. Offline backups protect against ransomware. Access reviews catch insider threats. Vendor assessments address supply chain risk. Dark web monitoring catches exposed credentials across all breach types.

It’s when attackers compromise a vendor or software provider to reach their customers. The SolarWinds attack is the best-known example – attackers trojanized a software update to breach thousands of downstream organizations. Supply chain breaches cost $4.91 million on average and take 267 days to resolve.

An insider threat is one TYPE of data breach. It happens when someone with legitimate access – an employee or contractor – either deliberately steals data or accidentally exposes it. Not all insider threats are malicious. Sending sensitive data to the wrong email address counts. See our guide on insider threats.
