By: Nihad Hassan
June 10, 2021
What is Data Leakage?
By: Nihad Hassan
June 10, 2021
The digital revolution has impacted all our life aspects; the proliferation of computers and internet technologies is now evident in organizations of all types and across all industries. The most apparent evidence of digitalization was the massive increase in digital data. For instance, nowadays, most data are created digitally and never find their way into papers. According to Seagate, by 2025, more than 5 billion consumers (75% of the world's population) will interact with data every day. In 2025, each connected person will have at least one data interaction every 18 seconds.
Digital data is not only generated by organizations' works and people's interactions with data. The rapid increase in Internet of Things (IoT) devices will also have a significant impact on digital data volume. Seagate predicts that IoT devices will create over 90ZB of data in 2025.
Digital data has become the lifeblood of organizations, and protecting it has become the top priority for every manager. Cybercriminals know the importance of data and are always looking to find ways to steal sensitive data such as business trade secrets, customer personal information, and other confidential information. Data leaks are considered significant threats when discussing threats against digital data.
Data leak incidents do not occupy the headlines similar to data breaches. However, data leaks can have similarly devastating effects on organizations' works and reputation. This article will define the term data leak, list what types of data can be leaked, and discuss how data leaks can happen.
What is a data leak, and what distinguishes it from a data breach?
A data breach occurs when an adversary from outside your organization gains unauthorized access to sensitive resources. Global media announce a data breach almost every day, and many of them are targeting a giant organization. For example, a recent massive data breach hit Facebook and resulted in the exposure of private information for over 500 million Facebook users.
Data leakage, on the other hand, happens from the inside target organization. Hence, an intruder working in a subject organization leaks sensitive information to outside parties or leaves a gap in security defenses that external attackers can exploit to gain a foothold inside the organization network. Keep in mind that data leakage incidents are not always a result of deliberate action. For example, an employee may leak sensitive information accidentally when sending an email containing confidential information to the wrong recipient.
A data leak can bring severe financial and reputational damage to the subject organization, like a data breach. For example, people affected by a data leak may raise a lawsuit against the organization, and regulatory compliance bodies may impose enormous fines for non-compliance. The EU General Data Protection Regulation (GDPR) has two tiers of administrative fines: 1) Up to €10 million, or 2% annual global turnover, or, 2) Up to €20 million, or 4% annual global turnover. A data leak can also have a significant negative impact on business reputation in the long run. According to Centrify, 65 percent of data breach victims lost trust in an organization due to the breach.
Types of leaked data
Most business data is meant to be private. Examples of such data include:
- Trade secrets
- Customers private information
- Third-party and external contractors private info
- Legal documents
- Source code
- Employees private data
- Inventory information
How data leaks occur?
Data can leak in various ways. The following list the most common three methods.
Working from home
Since the COVID-19 pandemic, organizations around the world have adopted the work-from-home model. The massive workforce shift has become remote has introduced serious risks to IT systems. For instance, employees' home devices are not equally protected compared with their working environment devices. Accessing corporate resources remotely from compromised endpoints devices can result in malware infection leading to data leakage. A study by Netwrix found that 60% of the surveyed IT professionals found new security gaps due to remote work transition.
Disgruntled or Careless employees
As we already said, not all data leakage incidents are deliberate. For example, a careless employee may type his password on a piece of paper placed on the front of his computer screen. Outside observers can easily capture the password and gain unauthorized access to the protected resources.
According to Forrester, 33% of data breaches in 2021 are projected to be caused by insider incidents.
A good example of an insider data leakage caused by a malicious insider is the Tesla data leakage incident. Tesla announced a software engineer uploaded about 26,000 confidential documents, including trade secrets, to his Dropbox during his first week of work.
Applications and other IT systems can be a source of data leakage. A bug in an application can result in accidentally leaking sensitive data. A good example is the Danish tax portal which suffered from a software bug that exposed the ID numbers for 1.26 million Danish citizens.
Data leakage is a significant problem impacting data security. No matter the size or industry type of the affected organization, data leakage can have catastrophic consequences, from losing revenue and reputation to ending with financial penalties imposed by regulatory compliance bodies and lawsuits raised by affected parties.