Data leakage

What is data leakage?

The unauthorized transmission of data from an organization to any external source is known as data leakage. This data can be leaked physically or electronically via hard drives, USB devices, mobile phones, etc., and could be exposed publicly or fall into the hands of a cyber criminal.

How is data leakage different from data loss?

While the terms data leakage and data loss are similar, they differ in the following ways:

• Data is said to be lost when it is no longer accessible. Data loss occurs primarily through hardware issues like power outages, computer failure, hard drive crashes, etc. This lost data may be restored depending on several factors.
• In the case of a data leak, the information is exposed outside the organization. It could be lost, or be possessed by someone who does not hold the legal right to it.

Types of data leakage

Data leakage is classified based on how the leak occurs or by whom it was perpetrated.

• Malicious insiders

  Unhappy employees or business partners who leave the organization may try to steal data and leak it to competitors, or sell it for a hefty amount on the black market.

• Physical exposure

  Hard drives or USB devices with sensitive content are often left unattended by employees, putting data at risk.

• Electronic communication

  Many organizations are embracing bring your own devices (BYOD) policies and encouraging employees to use their own devices at work. Hackers take advantage of this and try to trick the user into clicking unassuming links, giving the hackers access to the devices and the data on them.

• Accidental leakage

  The most common cause of data leak is human error. Frequent mishaps include employees sending emails containing critical information to the wrong recipients, flaws in security policies such as excessive permissions to critical files, sensitive data left exposed due to unpatched vulnerabilities in the software, etc.

Data leakage examples

An increasing number of companies have fallen victim to data security threats. Some of the most infamous data leak incidents that have taken place include:

Facebook-Cambridge Analytica data leak

The Facebook-Cambridge Analytica scandal came to light in 2018, when an ex-employee of Cambridge Analytica, a British political consulting firm, revealed information on how the company had acquired the data of more than 50 million Facebook users. The firm developed an app named This is your digital life, which acquired its users' and their friends' details from Facebook. This data was used to influence users during a political campaign.

Amazon S3 cloud leak

Amazon Simple Storage Services, or Amazon S3, is no stranger to data leaks. There have been several instances when its cloud storage buckets have been misconfigured and permissions set to public inadvertently by organizations. In December 2019, a UK consulting firm's storage bucket leaked, revealing sensitive information including criminal records, emails, and job applications dating back to 2014.

Exactis data leak

A Florida-based marketing firm named Exactis found that its consumers' data has been exposed due to an unprotected server that allowed public access. While the data did not contain Social Security numbers or credit card information, it did include other personally identifiable information (PII) such as phone numbers and email addresses.