What is a Data Leak?

    Understand what data leaks are, the difference between data leaks and breaches, their causes, and discover effective prevention strategies to safeguard your sensitive information.
    Overview

    Your enterprise collaboration platforms could be an open door for data exfiltration.

    What if we told you there was a place where confidential information is available to almost your entire organization? Where outsiders are invited in and data can be accessed, downloaded, or copied in a click. Unless you’ve taken steps to prevent it, it’s happening in your organization right now.

    We’re talking about enterprise collaboration and social network tools. Most companies use at least two. Slack, Microsoft Teams, Workplace from Meta, Yammer…. All these platforms are helping to break down silos and turbocharge productivity in the workplace. But at what cost?

    The basics of a data leak: definition and key facts

    Any time restricted data is inadvertently released, that’s a data leak. Data leaks aren’t the same thing as data breaches. In cases of data breaches, the organization comes under attack from a bad actor who wants to steal that information. Data leaks happen through negligence or oversight, and don’t always require an attack to trigger them.

    Modern enterprises have safeguards and security tools in place to shield against data breaches. But many organizations still overlook the risk posed by modern internal collaboration platforms. And that can have disastrous consequences.

    Data leak vs. data breach

    Most data leaks pose a small but manageable risk to a company’s finances, brand reputation, and employee trust, while a data breach is a data leak that has spiraled out of control. A data breach’s effects on the company create significant costs that threaten the company’s very survival.

    Because no two companies are exactly alike, a data leak for one company might be a breach for another, based on company size, finances, and resources. A large, established company might be able to weather large fines, lost customer confidence, and lawsuits, but a small startup might go under from just a couple minor data leaks. But for both enterprise and smaller players, catching and repairing a leak should be a top priority, because the consequences of a leak-turned-breach can be severe. Both data leaks and breaches can come from within an organization, often resulting from an accidental employee mistake. Not all data leaks result from employee negligence, though. For example, an insider might maliciously share data with a third party. To be clear, 80% of incidents are not malicious, but regardless of intent, leaks have the potential to balloon and take your business down.

    Leaks don’t get the same airtime and attention as breaches. We often hear about big data breaches that make headlines and cost companies millions. But data leaks, while smaller, can still cause serious pain, especially for those working in the security space. With the recent December 2023 SEC regulation updates, you may need to report even small leaks if they significantly alter the overall security reputation of your company.

    What causes data leaks?

    While talk of data leaks might bring to mind images of computer hackers and corporate espionage, the reality is much more mundane. In 2021, the most common cause of data leaks was software misconfiguration. For example, UpGuard discovered settings in Microsoft Power Apps that exposed 38 million records.

    Misconfiguration is a growing cause of enterprise data leaks, responsible for more than 40% of incidents in 2019. That’s a five-fold increase since 2015 — a rise that has gone hand-in-hand with the digital transformation of the modern workplace. Simply, using more cloud-based applications means more opportunities for data to slip through the cracks.

    Relying on default or recycled passwords also poses a danger to information security. This is especially problematic when Internet of Things devices are connected to a wider business network. That smart fridge, thermostat, or fitness tracker could be opening a backdoor into your organization’s digital vault.

    Finally, when unscrupulous actors want access to your company’s sensitive data, many find it’s easier to hack your people than your software. Social engineering scams rely on business hierarchies to trick employees into giving away access credentials. Think about a receptionist getting a text from the CEO asking for the company credit card details. Or an email from Mike in IT saying all hands need to click on a link to complete a security login. Except, of course, the CEO sent no such message, and there is no Mike in IT.

    Common data leak risks: protect your sensitive information

    The term “data leak” can seem pretty broad. What specific kinds of information might be part of a data leak? Most data involved in leaks has the potential to compromise your organization’s customers, employees, and proprietary internal knowledge:

    • Customer data: Phone numbers, addresses, emails, credit card numbers, social security numbers, and other personally identifiable information
    • Internal employee data: Addresses and emails as well as human resource information like background checks, passport scans, and compensation data
    • Intellectual property: Research, trade secrets, internal documentation, and source code
    • Security credentials: Passwords or phone numbers for multi-factor authentication (MFA)

    Are data leaks serious?

    Not all the information disclosed in a data leak will be critical for the organization. However, the presence of the leak is itself a serious problem. The average data breach costs $3.92 million to mitigate, and 280 days to detect and contain. Some of the consequences of data leaks include:

    • Loss of client or customer trust
    • Regulatory fines
    • Operational downtime
    • Competitors accessing intellectual property

    Because data leaks are usually the result of negligence or oversight, they can cause more damage to the company’s reputation than a targeted attack by malicious actors. Yet most companies spend far more time and resources defending against hackers. It’s easy to overlook the training and technology that could prevent accidental leaks.

    Data leakage examples

    Many companies have experienced leaks like those described above. A few key examples from industry leaders highlight just how much harm data leakage can cause.

    Boeing

    Global aerospace company Boeing experienced a leak when in 2017 one of its employees emailed a spreadsheet to his wife, a non-employee. He hoped that she could help him with some formatting issues, but he didn’t realize that the spreadsheet included personal data of 36,000 Boeing employees within hidden columns.

    By emailing the spreadsheet to an unsecured device and non-employee email account, he went around security protocols and compromised the employee IDs, place of birth, and social security information of his coworkers.

    Boeing said it was confident that the data stayed limited to the employee’s device and his wife’s, but it did offer all affected employees two years’ worth of free credit monitoring — an estimated cost of $7 million.

    Microsoft

    Software giant Microsoft experienced firsthand what can happen from careless mistakes.

    In August 2022, cyber security firm spiderSilk noticed leaked login credentials in Microsoft’s Github environment. If cyber criminals had found the credentials, they could have been the entry point to access Microsoft’s Azure servers and possibly other internal systems.

    The effects of exposed Microsoft data and source code could have been catastrophic for the organization, its customers, and its employees. Although Microsoft didn’t disclose the specific systems the credentials gave entry to, if outsiders had gained access to European Union customer information, Microsoft could have received a fine of up to €20 million for violating GDPR regulations.

    Upon further investigation, Microsoft confirmed that no one accessed the data and is implementing new safeguards to prevent another leak.

    Amazon

    Many companies rely on AWS products, including Amazon S3, but incorrect configurations of S3 buckets have led to leaks. For example, in 2019, researchers at firm vpnMentor found a publicly available s3 bucket full of data from the human resources departments of multiple UK consulting firms. These files included sensitive personnel information like passports, tax documents, background checks, dates of birth, and phone numbers.

    How to prevent data leaks

    The majority of data leaks are caused by human error. That means they need human solutions. Training staff on the proper procedures for accessing or sharing information should be an ongoing process. Having new hires watch an hour-long video during onboarding won’t cut it. As technology evolves — and scammers become more sophisticated — the steps to prevent a leak must be updated.

    Routine refresher courses on best data security practices should be part of your organization’s normal business operations. Create clear policies on how to handle information, where to store passwords, and what to do to validate an unusual request.

    The shift to remote work during the pandemic dramatically increased the risk to organizations. The overnight adoption of new technologies created large holes in digital security. Faced with unprecedented upheaval, employees were left unsure how to protect themselves or their organizations. With remote work here to stay, businesses need to review their current tech stack to identify and close potential points of entry.

    Collaboration platforms and data leaks

    In tandem with improved employee training, businesses should also provide their staff with the right tools to safeguard their information. There might be no clean desk policy for remote work, but security is still mission critical. Employees should know the procedures for how to store passwords, access company files, and share information.

    Password managers, VPNs, centralized storage solutions, and SSO/zero trust can all help to secure confidential information within the remote workplace. However, there is one common place where information is freely shared, and outsiders are often invited to participate. That’s your digital collaboration platforms.

    The goal of collaboration is to break down internal silos and democratize information access. The faster and easier it is for people across the organization to communicate, the better they can all do their jobs. To facilitate easier information-sharing, collaboration platforms can plug into any number of other programs. Slack enables hundreds of different integrations, from project management and productivity tools to file sharing, social media, and games. It’s the same story with Microsoft Teams and Workplace from Meta. Even Yammer allows about a hundred third-party apps to connect to your remote office.

    Each of these applications exposes your online workplace to new vulnerabilities. A breach of one could open a back door to all the information shared across your collaboration network. That’s why it’s important to carefully vet and approve each integration that your employees connect to your platforms — before they do so. Another concern for businesses using collaboration is third-party user access. Slack Connect allows users to invite clients, contractors, and vendors into the workplace Slack environment to make it even easier to communicate and share documents. Similar functionality exists across most collaboration platforms, including Teams Connect, Workplace multi-company groups, and Yammer external groups.

    Allowing third parties access to company collaboration platforms has proven benefits for the business. It can accelerate projects, strengthen working relationships, and produce better outcomes for all parties. But it doesn’t come without risk. Business relationships can change, and when they end you don’t want old documents, IP, and other sensitive information to remain in a single shared repository.

    Even if you remain on good terms with a business partner in a shared collaboration space, how can you be sure that their security policies match your own? Have they written down or shared their access details with a third party, such as a contractor working on their behalf? How would you know if they had? And how can you be sure that every actor within your collaboration ecosystem is taking steps to safeguard the confidential information shared within its network of messages and chats?

    How Mimecast can help prevent data leaks in collaboration

    Many potential data leaks can be prevented by implementing a single, secure monitoring solution. Our platform connects to all major collaboration networks via API and webhooks, meaning no additional IT lift is required. From there, you can set policies that apply across your collaboration ecosystem and we will take care of implementation.

    Continuous uploading means we capture the full context of collaboration in near real-time, including revisions and deletions. Other collaboration security tools rely on batch ingests to record data, resulting in lost information and incomplete context. Only we can deliver a complete, 360-degree contextualized oversight of activity within collaboration.

    Then we take collaboration security a step further, with automated conversation monitoring using AI/ML-infused insights trained to understand short-form collaboration messages. Our natural language processor is best-in-class for collaboration, because it was built and trained specifically for this task. Get authentic insights into employee sentiment and understand where risk exists within your collaboration environment. We empower some of the world’s biggest organizations to get proactive about collaboration data security.

    Haut de la page