The unauthorized transmission of data from an organization to any external source is known as data leakage. This data can be leaked physically or electronically via hard drives, USB devices, mobile phones, etc., and could be exposed publicly or fall into the hands of a cyber criminal.
While the terms data leakage and data loss are similar, they differ in the following ways:
Data leakage is classified based on how the leak occurs or by whom it was perpetrated.
Unhappy employees or business partners who leave the organization may try to steal data and leak it to competitors, or sell it for a hefty amount on the black market.
Hard drives or USB devices with sensitive content are often left unattended by employees, putting data at risk.
Many organizations are embracing bring your own devices (BYOD) policies and encouraging employees to use their own devices at work. Hackers take advantage of this and try to trick the user into clicking unassuming links, giving the hackers access to the devices and the data on them.
The most common cause of data leak is human error. Frequent mishaps include employees sending emails containing critical information to the wrong recipients, flaws in security policies such as excessive permissions to critical files, sensitive data left exposed due to unpatched vulnerabilities in the software, etc.
An increasing number of companies have fallen victim to data security threats. Some of the most infamous data leak incidents that have taken place include:
The Facebook-Cambridge Analytica scandal came to light in 2018, when an ex-employee of Cambridge Analytica, a British political consulting firm, revealed information on how the company had acquired the data of more than 50 million Facebook users. The firm developed an app named This is your digital life, which acquired its users' and their friends' details from Facebook. This data was used to influence users during a political campaign.
Amazon Simple Storage Services, or Amazon S3, is no stranger to data leaks. There have been several instances when its cloud storage buckets have been misconfigured and permissions set to public inadvertently by organizations. In December 2019, a UK consulting firm's storage bucket leaked, revealing sensitive information including criminal records, emails, and job applications dating back to 2014.
A Florida-based marketing firm named Exactis found that its consumers' data has been exposed due to an unprotected server that allowed public access. While the data did not contain Social Security numbers or credit card information, it did include other personally identifiable information (PII) such as phone numbers and email addresses.