Data Breach
Definition
A data breach is a security event in which information is accessed, disclosed, altered, destroyed, or exfiltrated by an unauthorized person or process, resulting in a loss of confidentiality, integrity, or availability of data. A breach can involve personal data, confidential business information, credentials, intellectual property, or regulated records, and it may occur through external attacks (e.g., phishing, malware, exploitation of a vulnerability) or internal causes (e.g., misconfiguration, accidental sharing, misuse of privileges). Not every security incident is a data breach: an incident becomes a breach when there is credible evidence (or a reasonable likelihood) that protected information was exposed or compromised beyond approved access. Effective breach management typically includes rapid detection and containment, preservation of evidence, impact assessment (what data, whose data, and how much), notification decisions based on legal and contractual obligations, remediation to prevent recurrence, and a structured post-incident review to improve controls and response readiness. Organizations commonly formalize these steps in an incident response plan, define roles and escalation paths, and maintain logs and forensic artifacts to support investigation and accountability.
Real-World Examples
Startup misconfigured storage
A startup accidentally makes a cloud storage bucket public, exposing customer support attachments containing IDs and invoices until the configuration is corrected.
Phishing-led account takeover
An employee enters credentials into a fake login page; the attacker uses the account to access an internal database and download customer contact records.
Ransomware data exfiltration
A scaleup is hit by ransomware; attackers exfiltrate HR and finance files before encrypting systems, triggering an investigation, containment, and notification decisions.
Privileged misuse in production
An admin uses elevated access to export a subset of production data to an unapproved location, violating access policies and requiring evidence collection and corrective action.
A data breach is an event where information is accessed, shared, changed, destroyed, or taken by someone or something without authorization, resulting in loss of confidentiality, integrity, or availability of data.
A security incident is any event that threatens security (e.g., malware detection or a failed login storm). A data breach is a subset of incidents where protected information is actually exposed or credibly suspected to be compromised beyond authorized access.
Sensitive data commonly includes identifiers, authentication secrets, financial details, health or biometric data, confidential business records, source code, and any data classified as restricted by internal policy, contracts, or applicable regulations.
Teams correlate logs, alerts, and forensic artifacts to confirm access paths and data movement, looking for unusual queries, large exports, abnormal network transfers, account misuse, and evidence of files being staged, compressed, or sent to external destinations.
Start by activating the incident response process, containing the threat (isolate systems, disable compromised accounts), preserving evidence, scoping impacted data and systems, documenting actions, and engaging legal, security, and communications stakeholders for coordinated decisions.
Notification depends on contractual commitments and applicable legal requirements. Common recipients include affected individuals, key business customers, critical partners, insurers, and regulators when thresholds are met, with timing driven by risk and mandated deadlines.
A strong report covers timeline, detection method, root cause, affected systems and data categories, number of records impacted (if known), containment and eradication actions, evidence summary, notification decisions, remediation plan, and lessons learned with control improvements.
Effective breach management typically includes incident response planning and preparation, event triage and impact assessment, coordinated containment and eradication, preservation of evidence, timely notification decisions based on obligations, remediation to prevent recurrence, and a structured post-incident review with measurable control improvements.
Retention should follow defined logging and evidence retention policies and align with business needs, contractual terms, and applicable legal requirements; many organizations retain investigation artifacts long enough to support audits, claims, regulatory inquiries, and potential litigation.
Prevention typically combines least privilege and strong authentication, secure configuration and patching, data classification and handling rules, encryption, continuous monitoring and alerting, endpoint protections, network segmentation, DLP where appropriate, and regular testing of incident response readiness.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication |
