Skip to main content

Data Leak

What Is a Data Leak?

A data leak occurs when confidential or sensitive information (for example, personal data, PII, or trade secrets) is exposed. Data leaks usually happen because of companies’ poor data security and data protection strategies.

Common causes of data leaks include misconfigured databases, vulnerable software, accidental publication of sensitive data, email misdelivery (i.e., sending an email with confidential/sensitive data to the wrong person), and misplaced devices (such as laptops and hard drives). 

When stolen data is published on the dark web, that’s also classified as a data leak. 

Data leaks can expose personal, financial, and other sensitive and confidential information, leading to reputational damage, identity theft, and other adverse outcomes for organizations and individuals affected by the leak. 

Third-party definition 

The unauthorized transmission of information from an organization to some external recipient. The recipients are normally unauthorized to receive the data leaked to them. – Cyberwire

Difference Between a Data Leak and a Data Breach

The two terms are often used interchangeably despite having different meanings. 

Data breaches are cyber security incidents where hackers gain unauthorized access to protected data. They’re typically the result of a cyberattack and are intentional and malicious in nature. 

Common causes of security breaches include malware (like ransomware attacks), social engineering (including phishing attacks), and human errors like weak password use. Malicious insiders can also cause data breaches. 

On the other hand, data leaks tend to be accidental, like when companies accidentally expose internal servers to the internet. In cases like these, it can be difficult to know how severe a data leak is and if cybercriminals/other bad actors gained access to exposed information. 

However, data leaks can also happen as a result of bad actors. Ransomware attackers are increasingly threatening companies they breach to leak the data they stole as a way to put pressure on them to pay a ransom. 

Biggest Data Leaks of the 21st Century 

Here are some of the biggest data leaks of the 21st century (note that this is by no means a comprehensive list):

  • First American Corporation. In 2019, the financial services company First American Corporation leaked around 885 million customer data files going back to 2003. Anyone who knew the URL for a valid document on the company’s website could view other documents by modifying the URL. Leaked data included Social Security numbers, mortgage and tax records, driver’s license images, wire transaction receipts, and bank account numbers and statements. 
  • Deep Root Analytics. The Republican data analysis company Deep Root Analytics left a database with 198 million American voter records exposed to the web in 2017. The leaked data included names, addresses, phone numbers, self-reported racial demographics, and registered parties. 
  • Exactis. 340 million individual records were left exposed by the data broker Exactis on a publicly accessible server. The exposed information included personal details like addresses, phone numbers, genders, dates of birth, estimated income, credit rating, political preferences, and interests. 
  • Microsoft. As a result of a server misconfiguration in 2019, Microsoft leaked 250+ million customer service and support records from 14 years (2005 to 2019).
  • Verifications.io. An unprotected database created by Verifications.io exposed 800+ million email records. Many of these records were also linked to other personally identifiable information. 
  • Social Data Trading Limited. The social media data broker Social Data Trading Limited leaked a database containing about 235 million social media profiles in 2021. The leaked data included names, contact details, images, and follower numbers. 
  • LinkedIn. In 2021, hackers leaked data on 700+ million LinkedIn users. The data was scraped from LinkedIn and included data points like LinkedIn profile names and IDs, LinkedIn URLs, locations, and email addresses. 

Impact of Data Leaks On Individuals’ Privacy

Depending on the kind of information that is exposed (general user data, credit card numbers, etc.), a data leak can have severe consequences for individuals, including identity theft, financial loss, and emotional distress. 

If leaked information ends up on the dark web, it can also be used to carry out cyber breaches against companies and attacks against individuals, like targeted phishing scams. 

How to See If Your Data Was Involved In a Data Leak

Organizations involved in a data leak might notify those affected. However, you can’t count on that. 

Instead, you should periodically check the HaveIBeenPwned website to see if you were part of any data leaks. You can also subscribe to HaveIBeenPwned breach notifications to get alerts when your information is involved in leaks. 

If you were part of a data leak, you should ensure all your accounts have strong passwords (consider also using a password manager) and multi-factor authentication. 

Depending on what kind of information was exposed, you might also need to contact government or financial institutions and file an Identity Theft Report with the Federal Trade Commission.