What is a Data Breach

Josh Amishav · Last updated Apr 11, 2026 · 8 Minute Reading Time

Learn how to spot and prevent data breaches before they damage your business.

• Most breaches start with stolen credentials or unpatched software, not zero-day exploits
• Infostealer malware harvests passwords and session cookies from infected devices within hours
• The gap between credential theft and exploitation is your window to act. Monitoring the dark web helps close it
• You can’t train your way out of breaches. Phishing simulations help, but MFA, password managers, and credential monitoring prevent more incidents than awareness programs alone

According to IBM’s 2025 Cost of a Data Breach Report, the average breach costs $4.44 million globally. Even with a 9% drop from last year, that’s still a massive hit for most companies.

Breaches don’t just cost money. They erode customer trust and take months to detect. IBM found the average breach lifecycle is still 241 days.

The root causes haven’t changed much. Stolen credentials and unpatched systems still account for most incidents.

This guide covers what a data breach actually is, how they happen, and what you can do to prevent them.

A data breach is when someone accesses your sensitive data without permission. It doesn’t matter how. Maybe attackers exploited a vulnerability. Maybe an employee misconfigured a database. If confidential data ended up where it shouldn’t be, that’s a breach.

A data breach is a security incident where unauthorized parties gain access to confidential or sensitive information. This includes customer records and employee credentials. Breaches happen through cyberattacks or insider actions. Accidental exposure counts too. The result is compromised data that attackers can sell or exploit.

Breaches hit companies of every size. And the damage isn’t just financial. You lose customer trust and spend months dealing with regulators.

What Data Do Attackers Target?

Attackers go after whatever they can sell or use. What they take determines how much it costs you.

Credentials and session tokens are the most valuable target. A stolen password lets attackers log in as your employee. A stolen session cookie from infostealer malware lets them skip the login entirely. Credentials sell fast on criminal markets because they provide direct access.

Personal information like Social Security numbers and dates of birth fuels identity fraud. You can reset a password. You can’t reset a Social Security number.

Financial records including credit card numbers and bank account details let attackers make unauthorized transactions. They can also sell the data on dark web markets where buyers use it for fraud.

Healthcare data sells for more than credit cards on criminal markets. A single medical record has enough detail for full identity fraud: insurance info, diagnoses, personal details.

Intellectual property and trade secrets give competitors an unfair advantage or let attackers extort the victim company. State-sponsored attackers often target IP specifically.

What Are the Different Types of Data Breaches?

Breaches don’t all look the same. The type depends on how attackers got in.

Credential-based breaches are the most common. Attackers use stolen passwords or session tokens to log into systems as a legitimate user. These are hard to detect because the access looks normal.

Malware-based breaches involve software that infiltrates systems to steal data. Ransomware encrypts your data and demands payment. Infostealers harvest credentials silently from browser databases.

Physical breaches happen when devices containing sensitive data are stolen or lost. Laptops and USB drives with unencrypted data are common targets.

Third-party breaches occur when a vendor or partner gets compromised and your data is exposed through their systems. You didn’t get hacked directly, but your data was still breached. The LastPass breach showed how one compromised developer account at a vendor can expose millions of users.

Accidental breaches result from misconfiguration or human error. A database left open to the internet or an email sent to the wrong recipient can expose sensitive records. These aren’t attacks, but the data is still compromised.

How Do Data Breaches Happen?

The attack paths are well-known at this point. Here’s how most breaches actually start.

Stolen Credentials

Stolen passwords are still the most common way attackers get in. The Verizon 2025 DBIR puts credentials at the top of the list.

Attackers get credentials through third-party breaches where employees reused their corporate passwords. They also buy leaked credentials in bulk from dark web forums. The Marriott breach is a good example. Attackers used stolen credentials to maintain access for four years before anyone noticed.

Infostealer Malware

Infostealer malware like RedLine and Vidar infects employee devices and extracts saved passwords from browser credential databases. They also steal active session cookies that let attackers bypass MFA.

Infostealer malware is credential-stealing software that extracts saved passwords and browser cookies from infected devices. A single infection can expose dozens of accounts. The stolen data appears in stealer logs on criminal markets within hours, giving attackers fresh credentials before you know a device was compromised.

These stealer logs hit Telegram channels and underground marketplaces fast. Credentials from an infected device can be for sale the same day.
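A defensive counterpart to cookie theft is binding each session to the context it was issued in and challenging requests that arrive from somewhere else. The Python below is an added example, not Breachsense's or any vendor's code; the session store, the request log and the "same /24 network" heuristic are constructed assumptions for illustration.

```python
"""Detect a valid session cookie being presented from a device that does not
match the one it was issued to (constructed data, not real telemetry)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    session_id: str
    user: str
    ip: str          # client IP recorded when the session was issued after MFA
    user_agent: str  # browser fingerprint recorded at issuance


@dataclass(frozen=True)
class Request:
    session_id: str
    ip: str
    user_agent: str


UA_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/124"
UA_MAC = "Mozilla/5.0 (Macintosh) Safari/17"
UA_LNX = "Mozilla/5.0 (X11; Linux) Firefox/125"

# Constructed session store: context captured when each session was minted.
SESSIONS = {
    "s1": Session("s1", "alice", "203.0.113.10", UA_WIN),
    "s2": Session("s2", "bob", "198.51.100.7", UA_MAC),
}

# Constructed request log: s2 is replayed from an unrelated network with a
# different browser, which is what a cookie lifted by an infostealer looks like.
REQUESTS = [
    Request("s1", "203.0.113.10", UA_WIN),   # same host, same browser
    Request("s1", "203.0.113.44", UA_WIN),   # same office /24 (NAT churn), same browser
    Request("s1", "198.51.100.99", UA_WIN),  # new network only: user may be roaming
    Request("s2", "192.0.2.200", UA_LNX),    # new network AND new browser
    Request("s9", "192.0.2.1", "curl/8.0"),  # session id we never issued
]


def same_network(addr, issued_addr, prefix=24):
    """Assumed heuristic: treat addresses in the same /24 as the same network."""
    return ip_address(addr) in ip_network(f"{issued_addr}/{prefix}", strict=False)


def evaluate(session_store, requests):
    """Return (session_id, user, action) for every request that needs a decision."""
    alerts = []
    for req in requests:
        sess = session_store.get(req.session_id)
        if sess is None:
            alerts.append((req.session_id, None, "unknown session id"))
            continue
        ua_changed = req.user_agent != sess.user_agent
        net_changed = not same_network(req.ip, sess.ip)
        if ua_changed and net_changed:
            alerts.append((sess.session_id, sess.user, "revoke: new network and new browser"))
        elif ua_changed:
            alerts.append((sess.session_id, sess.user, "revoke: browser changed mid-session"))
        elif net_changed:
            alerts.append((sess.session_id, sess.user, "step-up: re-prompt MFA on network change"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SESSIONS, REQUESTS):
        print(alert)
```

A network change on its own only triggers a step-up prompt, because laptops and phones legitimately move between networks; the combination of a new network and a new browser fingerprint is the strong signal that the cookie is being replayed, and an unrecognised session id is always rejected.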

Phishing

Phishing tricks employees into entering credentials on fake login pages. The pages look like your real SSO or VPN portal. Once an employee submits their password, it’s gone. Spear phishing makes this worse by targeting specific people with personalized messages.

Unpatched Vulnerabilities

Old software with known vulnerabilities is an open door. The Equifax breach happened because of an unpatched Apache Struts vulnerability. A fix had been available for months. 147.9 million records were exposed because nobody applied it.

Human Error

Plain old mistakes cause a lot of breaches. Someone misconfigures a cloud storage bucket. Someone emails a spreadsheet to the wrong person. See our guide on how human error causes data breaches for a deeper breakdown.

Insider Threats

Disgruntled employees sometimes leak data on purpose. They already have legitimate access, so it’s hard to catch. Careless insiders who mishandle data are an even more common problem. Access controls and monitoring help with both.

What Does a Data Breach Cost?

The cost goes well beyond the initial cleanup.

Direct costs include forensic investigations and legal fees. Regulatory fines add up fast. The Capital One breach resulted in an $80 million fine from the OCC alone.

Customer notification is legally required in most jurisdictions. For large breaches, this means contacting millions of individuals and offering credit monitoring services. The Home Depot breach required notification of 56 million cardholders.

Reputation damage is the hardest to quantify but often the most expensive. Customers leave. The Target breach is a good example: over $200 million total across settlements, direct expenses, and lost revenue.

Regulatory penalties are increasing. GDPR fines can reach 4% of global revenue. US states keep adding their own breach notification requirements.

Operational disruption hits right away. Systems go offline during investigation. Your team spends weeks on incident response instead of their actual jobs. The Change Healthcare breach disrupted healthcare billing across the US for weeks.

What Is the Difference Between a Data Breach and a Data Leak?

People use these interchangeably, but they’re different. A security breach is broader: any unauthorized access to a system, whether data was taken or not. A data breach means data was actually accessed or stolen.

A data breach involves unauthorized access. Someone breaks in and bypasses security controls to access data they shouldn’t have. It’s an active attack.

A data leak is accidental exposure. A misconfigured database or a public S3 bucket. No one broke in. The data was simply left exposed.

Both are serious and both need a response. But the prevention is different. Breaches need access controls and credential monitoring. Leaks need configuration management and regular audits of what’s exposed.

In practice, the line blurs. An accidental leak becomes a breach the moment an attacker finds and exploits the exposed data.

How Can You Prevent Data Breaches?

You can’t eliminate all risk. But the most common attack vectors are well-known and preventable.

Enforce Multi-Factor Authentication

MFA blocks most credential-based attacks. Even if attackers have a stolen password, they can’t log in without the second factor. Start with email and VPN. Admin accounts are next.

Patch Systems Quickly

The window between a patch being released and attackers exploiting the flaw keeps shrinking. Automated scanning tools make it easy for them to find unpatched systems. If you don’t have a patching process with clear SLAs, build one.
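A patching process with SLAs is only useful if something checks the inventory against them. The Python below is an added example, not Breachsense's code: the per-severity SLA days are an assumed policy, and the hosts and advisory identifiers are constructed placeholders rather than real CVEs.

```python
"""Report unpatched findings that have blown past their severity SLA
(constructed inventory and assumed SLA policy, for illustration)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: days allowed between patch availability and deployment.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    advisory: str         # placeholder identifier, not a real CVE
    severity: str
    patch_available: date  # date the vendor fix was published
    patched: bool = False


# Constructed vulnerability inventory.
INVENTORY = [
    Finding("web-01", "ADV-PLACEHOLDER-1", "critical", date(2026, 3, 1)),
    Finding("web-02", "ADV-PLACEHOLDER-1", "critical", date(2026, 3, 1), patched=True),
    Finding("db-01", "ADV-PLACEHOLDER-2", "high", date(2026, 3, 20)),
    Finding("hr-01", "ADV-PLACEHOLDER-3", "medium", date(2026, 2, 1)),
    Finding("lab-01", "ADV-PLACEHOLDER-4", "low", date(2025, 9, 1)),
]


def due_date(finding):
    """Deadline by which the fix must be deployed under the assumed policy."""
    return finding.patch_available + timedelta(days=SLA_DAYS[finding.severity])


def overdue(inventory, today):
    """Unpatched findings past their deadline as (host, advisory, severity, days_late),
    most overdue first."""
    late = []
    for f in inventory:
        if f.patched:
            continue
        days_late = (today - due_date(f)).days
        if days_late > 0:
            late.append((f.host, f.advisory, f.severity, days_late))
    late.sort(key=lambda row: row[3], reverse=True)
    return late


def sla_compliance(inventory, today):
    """Fraction of findings that are either patched or still inside their SLA."""
    if not inventory:
        return 1.0
    late_hosts = {(row[0], row[1]) for row in overdue(inventory, today)}
    ok = sum(1 for f in inventory if (f.host, f.advisory) not in late_hosts)
    return ok / len(inventory)


if __name__ == "__main__":
    today = date(2026, 4, 11)
    for row in overdue(INVENTORY, today):
        print(row)
    print(f"SLA compliance: {sla_compliance(INVENTORY, today):.0%}")
```

Sorting by days late rather than by severity keeps a long-ignored low finding from hiding behind a fresh critical one; both kinds are the "open door" the section describes.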

Monitor for Leaked Credentials

Your employees’ credentials are probably already on the dark web. Data breach monitoring catches exposed passwords so you can reset them before anyone logs in with them. This is especially important for credentials from stealer logs, which get listed within hours.
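One place to apply breach data is at password-change time, rejecting any new password that already appears in a leaked corpus. The Python below is an added example, not Breachsense's code; it models the k-anonymity "range" lookup popularised by Have I Been Pwned, where only the first five characters of the SHA-1 hash leave the client, and the leaked-password corpus and the in-process lookup service are constructed stand-ins for a real breach dataset.

```python
"""Screen new passwords against a leaked-credential corpus without revealing
the candidate password or its full hash to the lookup service.
Corpus and service are constructed for illustration."""
import hashlib

# Constructed corpus standing in for passwords recovered from breaches and stealer logs.
LEAKED_PASSWORDS = ["password123", "Summer2024!", "qwerty", "letmein"]


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# "Server" side: suffixes indexed by the 5-character hash prefix, so a query
# for one prefix returns a bucket of hashes rather than a yes/no for one password.
RANGE_INDEX = {}
for _pw in LEAKED_PASSWORDS:
    _h = sha1_hex(_pw)
    RANGE_INDEX.setdefault(_h[:5], []).append(_h[5:])


def range_lookup(prefix):
    """Simulated breach-corpus service: all known suffixes for this 5-char prefix."""
    return RANGE_INDEX.get(prefix.upper(), [])


def is_leaked(password):
    """Client side: send only the prefix, compare the suffix locally."""
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])


def screen_password_change(user, new_password):
    """Decision a password-reset or onboarding flow would enforce."""
    if is_leaked(new_password):
        return (user, "rejected: password appears in breach corpus")
    return (user, "accepted")


if __name__ == "__main__":
    print(screen_password_change("alice", "qwerty"))
    print(screen_password_change("bob", "correct-horse-battery-staple-9Xq"))
```

The same check run periodically over the hashes of existing accounts turns "credentials are probably already on the dark web" into a concrete reset queue, which is the window the section describes.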

Implement Access Controls

Not everyone needs access to everything. Limit access based on what people actually need for their job. Review permissions regularly. When someone changes roles or leaves, revoke access that day.

Train Employees on Phishing

Phishing still works. Run simulations and teach employees to spot suspicious emails. But don’t rely on training alone. Email filtering catches what people miss.

Build an Incident Response Plan

When a breach happens, you don’t want your team figuring out the process for the first time. Have a documented response plan and practice it before you need it.

What Should You Do After a Data Breach?

Here’s the short version: contain first, investigate second, notify third.

Contain it. Isolate affected systems. Revoke compromised credentials. Disconnect infected devices from your network.

Figure out how they got in. Stolen password? Unpatched vulnerability? The answer determines what you fix.

Notify who you need to. GDPR requires notification within 72 hours. US state laws vary but are getting stricter. Don’t wait to start this process.

Fix what broke. Patch the vulnerability. Reset compromised credentials. Add monitoring so the same attack doesn’t work twice.

For a complete walkthrough, see our guide on what to do after a data breach.

Conclusion

A data breach happens when someone accesses your sensitive data without authorization. The entry points are predictable. Credentials get stolen through infostealers and third-party breaches. Software goes unpatched. Employees click the wrong link. The average cost: $4.44 million.

Prevention starts with the basics. Enforce MFA. Use a password manager. Patch quickly. Monitor for leaked credentials.

Credentials sit on criminal markets for days or weeks before anyone uses them. That window is your chance to reset them first.

Book a demo to see how Breachsense catches exposed credentials before attackers use them.

Data Breach FAQ

A data breach is any incident where unauthorized parties access confidential data. It can involve anything from login credentials to financial records. Even accidental exposure counts if sensitive information was accessible to people who shouldn’t have it.

Stolen or compromised credentials are the leading cause. Attackers get them through infostealer malware and third-party breaches where employees reused passwords. Phishing is another top source. Once attackers have valid credentials, they log in without triggering alarms.

Signs include unusual login activity and unexpected data transfers. Customer complaints about fraud are another red flag. Dark web monitoring can detect your credentials on criminal markets before you see any symptoms.

Contain the breach first by isolating affected systems and revoking compromised credentials. Then investigate how attackers got in. Notify affected individuals and regulators as required. See our post-breach guide for a full walkthrough.

IBM’s 2025 report found the average breach lifecycle is 241 days. That’s eight months from intrusion to containment. Continuous monitoring can cut this dramatically by catching leaked credentials as soon as they appear on the dark web.

You can’t eliminate all risk, but you can reduce it. Enforce MFA on all accounts. Patch systems quickly. Monitor for leaked credentials so you can reset them before attackers strike. Technical controls matter more than policies alone.
