
What Is a Data Breach? Causes, Costs, and How to Respond

Posted to Cybersecurity.


A data breach occurs when sensitive, protected, or confidential information is accessed, disclosed, or stolen by an unauthorized party. That definition covers a broad range of events, from a sophisticated nation-state attack that exfiltrates millions of records to an employee accidentally emailing a spreadsheet of customer data to the wrong recipient. The common thread is that information ends up where it should not be, and the consequences for businesses, their customers, and their legal standing can be severe.

Understanding what constitutes a data breach, what causes them, what they cost, and how to respond when one occurs is not optional knowledge for business leaders. It is a core responsibility. Over more than 23 years of protecting businesses and responding to security incidents, Petronella Technology Group has guided organizations through breaches of every scale. This guide consolidates what we have learned into a practical reference for understanding and preparing for what remains one of the most significant risks facing any organization that stores digital information.

Data Breach Defined

A data breach is any security incident in which unauthorized individuals gain access to confidential data. This includes personally identifiable information (PII) like names, Social Security numbers, and addresses. It includes financial data like credit card numbers and bank account details. It includes protected health information (PHI) governed by HIPAA. It includes trade secrets, intellectual property, and any other information that an organization is obligated to protect.

Not every security incident is a data breach. A denial-of-service attack that takes your website offline is a security incident but not a breach unless data was also compromised during the disruption. A malware infection on a workstation is a security incident that becomes a breach if the malware exfiltrated data or provided an attacker with access to sensitive systems. The distinction matters because breach classification triggers specific legal notification requirements that do not apply to other types of security incidents.

Our CEO Craig Petronella has served as an expert witness in data breach litigation, providing technical analysis on how breaches occurred, whether reasonable security measures were in place, and the scope of data exposure. One consistent finding across those cases is that the organizations involved often could not answer a basic question: exactly what data was compromised and how many individuals were affected. That inability to answer compounds the legal, financial, and reputational damage.

Common Causes of Data Breaches

Data breaches stem from four broad categories: external attacks, insider threats, accidental exposure, and physical theft. Each category demands different preventive measures.

External Attacks

External attacks include any unauthorized access originating from outside the organization. Phishing, the use of stolen credentials, and exploitation of vulnerabilities in internet-facing systems are consistently the leading initial access vectors in the Verizon Data Breach Investigations Report. Phishing emails trick employees into revealing credentials or installing malware. Once inside, attackers move laterally through the network, escalate privileges, and locate valuable data.

Ransomware attacks represent a particularly destructive category. Attackers encrypt an organization's data and demand payment for the decryption key. Modern ransomware operators also exfiltrate data before encrypting it, creating a double-extortion scenario where victims face both operational disruption and the threat of public data exposure. Exploitation of known vulnerabilities in public-facing systems, such as unpatched VPN appliances, web servers, and email gateways, provides another common entry point for external attackers.

Insider Threats

Insider threats come from current or former employees, contractors, and business partners who have legitimate access to organizational systems. Malicious insiders deliberately steal or expose data for financial gain, competitive advantage, or personal grievance. The 2025 Ponemon Institute Cost of Insider Threats study found that malicious insider incidents cost an average of $756,000 per event and take an average of 85 days to contain.

Not all insider threats are malicious. Negligent insiders, employees who accidentally cause breaches through carelessness or lack of training, are actually more common. Sending sensitive data to the wrong email recipient, misconfiguring a cloud storage bucket to be publicly accessible, or falling for a phishing email all fall into this category. The damage is the same regardless of intent.

Accidental Exposure

Accidental exposure occurs when data is made accessible without any attack or deliberate action. Misconfigured databases exposed to the internet, cloud storage with incorrect permissions, unencrypted backups stored in insecure locations, and software bugs that inadvertently reveal data all fall into this category. In 2025, misconfigured cloud resources accounted for approximately 15 percent of confirmed breaches, a number that has grown steadily as organizations migrate to cloud infrastructure without fully understanding the shared responsibility model for cloud security.
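The cloud-storage case is the one most easily caught before it becomes a breach, because the exposure is written down in a policy document. The following Python function is an added example, not code from the original post or from any PTG product. The two bucket policies are constructed for illustration (the bucket name, account ID and role name are placeholders), one open to anyone and one restricted to a single role, and the function flags every Allow statement whose principal is the anonymous wildcard.

```python
"""Flag bucket-policy statements that grant access to anyone on the internet.

Added example, not from the original post or from any PTG product. The two
policies are constructed; the bucket name, account ID and role are placeholders.
"""
import json

# Weak: any unauthenticated caller may read every object in the bucket.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-backups/*"}
    ],
}

# Corrected: reads are limited to one role. The Deny with Principal "*"
# (the usual way to refuse plaintext HTTP to everyone) is not a grant.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupReaderOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-backups",
                      "arn:aws:s3:::example-backups/*"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-backups",
                      "arn:aws:s3:::example-backups/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element matches every caller, signed in or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy):
    """Return (Sid, sorted actions, has_condition) for every Allow granted to '*'.

    A Condition does not make the statement safe by itself (aws:SecureTransport,
    for example, still admits the whole internet), so conditioned statements
    are reported too, flagged for review rather than silently accepted.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", f"Statement[{i}]"),
                         sorted(_as_list(stmt.get("Action", []))),
                         "Condition" in stmt))
    return findings


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("fixed", FIXED_POLICY)):
        print(name, public_statements(policy) or "no anonymous grants")
```

This is a pre-incident check for the policy layer only: it does not look at object ACLs, bucket ACLs, or the account-level Block Public Access setting, which is the guard rail that should make a statement like PublicRead ineffective in the first place. The same shape of check applies to other cloud providers; whatever the syntax, a storage grant to the anonymous principal is the thing to hunt for.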

Physical Theft

Physical breaches involve the theft or loss of devices containing sensitive data. Stolen laptops, lost USB drives, improperly disposed hard drives, and stolen paper records all constitute data breaches if the information they contain is not encrypted or otherwise protected. While physical theft accounts for a smaller percentage of breaches than digital attacks, the breaches can be significant. A single stolen laptop with an unencrypted database can expose thousands of records.

Data Breach Statistics

The scope of the data breach problem continues to expand. IBM's 2024 Cost of a Data Breach Report found that the global average cost of a data breach reached $4.88 million, a 10 percent increase from the previous year. For breaches in the United States, the average cost was $9.36 million. Healthcare organizations bore the highest costs at $9.77 million on average, making healthcare the most expensive industry for breaches for the fourteenth consecutive year.

The average time to identify a breach was 194 days, and the average time to contain it was a further 64 days, a total lifecycle of 258 days. That means the typical organization does not fully resolve a breach for more than eight months after it begins. Organizations that made extensive use of security AI and automation reported breach costs an average of $2.22 million lower than those that did not, and having a tested incident response plan was among the other factors the report found to reduce cost.

Small and mid-sized businesses are disproportionately affected relative to their resources. While the absolute dollar amount of a breach may be lower for a smaller organization, the impact as a percentage of revenue is far greater. A $500,000 breach that represents a rounding error for a Fortune 500 company can be an existential threat to a 50-person business.

Breach Notification Requirements

Every U.S. state has enacted data breach notification laws, and the requirements vary significantly. Understanding your obligations before a breach occurs is critical because notification deadlines are often measured in days, not weeks, from the point of discovery.

State notification laws. Most states require notification to affected individuals within 30 to 60 days of breach discovery. Several states, including Florida and Colorado, require notification within 30 days. Others allow up to 60 or 90 days. North Carolina requires notification without unreasonable delay. Many states also require notification to the state attorney general when breaches exceed a certain number of affected individuals.

HIPAA breach notification. For breaches of unsecured protected health information, HIPAA requires notification to affected individuals without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services within the same 60-day window, and where more than 500 residents of a single state or jurisdiction are affected, to prominent media outlets serving that area. Smaller breaches must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

Federal contractor requirements. Defense contractors that handle Controlled Unclassified Information (CUI) under DFARS 252.204-7012, the clause whose safeguarding requirements CMMC assesses, must report cyber incidents affecting covered systems or CUI to the DoD within 72 hours of discovery. This is a significantly tighter timeline than most state notification laws, and it requires detection and reporting capabilities that can operate within that window.

SEC requirements. Publicly traded companies must disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material, under SEC rules that took effect in December 2023. The clock runs from the materiality determination rather than from discovery, but the rule also requires that determination to be made without unreasonable delay, so in practice rapid detection and assessment have become a board-level priority.

How to Respond to a Data Breach

The actions taken in the first hours and days after a breach is discovered determine the eventual scope of damage, the cost of recovery, and the organization's legal exposure. Having an incident response plan in place before a breach occurs is the single most impactful preparation an organization can make.

Step 1: Contain the Breach

The immediate priority is stopping the unauthorized access and preventing further data loss. This may involve isolating compromised systems from the network, disabling compromised user accounts, blocking malicious IP addresses, changing credentials for affected systems, and preserving forensic evidence. Containment must be balanced with evidence preservation. Shutting down a server stops the bleeding but may destroy volatile data that forensic investigators need to determine what happened.

Step 2: Assess the Scope

Determine what data was accessed, how many records were affected, what systems were compromised, and how the attacker gained access. This assessment drives every subsequent decision, from who needs to be notified to what the legal exposure looks like. Engage forensic investigators if the breach involves sophisticated attack methods, large volumes of data, or if you need evidence that will withstand legal scrutiny.

Step 3: Notify Affected Parties

Based on the scope assessment, determine your notification obligations. Notify affected individuals, regulators, law enforcement, and business partners as required by applicable laws and contracts. Notification letters should clearly explain what happened, what data was involved, what the organization is doing in response, and what steps affected individuals can take to protect themselves. Many organizations offer credit monitoring or identity theft protection services to affected individuals.

Step 4: Remediate

Address the vulnerabilities that enabled the breach. If the attacker exploited an unpatched system, apply the patch and audit for similar vulnerabilities elsewhere. If the breach resulted from a phishing attack, enhance email security controls and conduct targeted training. If credentials were compromised, force password resets across affected systems. The goal is to ensure the same attack path cannot be used again.

Step 5: Review and Improve

After the immediate crisis is resolved, conduct a thorough post-incident review. Document what happened, how it was detected, how the response unfolded, what worked well, and what needs improvement. Update your incident response plan based on lessons learned. Brief leadership and the board on the incident and the improvements being made.
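Steps 1 and 2 above come down to answering, from evidence, which accounts and addresses to cut off and which records were touched. The following Python script is an added example, not code from the original post or from PTG. It works over a constructed JSON-lines application log (the field names, account names, addresses and record IDs are all invented) and pivots from a known attacker IP to the accounts that authenticated from it, then to everything those accounts did afterwards from any address.

```python
"""Scope a suspected account compromise from application access logs.

Added example, not code from the original post or from PTG. The JSON-lines
format, field names, accounts, addresses and record IDs below are constructed
for illustration; point parse() at your own application or cloud audit log.
"""
import json
from datetime import datetime, timezone

# Constructed sample log, one JSON object per line. 203.0.113.45 is the
# address from the (hypothetical) phishing alert that started the response.
SAMPLE_LOG = """\
{"ts": "2025-03-01T08:02:11Z", "user": "alice", "src_ip": "10.0.5.21", "event": "login", "ok": true}
{"ts": "2025-03-01T08:05:40Z", "user": "alice", "src_ip": "10.0.5.21", "event": "read", "record": "CUST-1001"}
{"ts": "2025-03-01T09:13:02Z", "user": "bob", "src_ip": "203.0.113.45", "event": "login", "ok": false}
{"ts": "2025-03-01T09:13:09Z", "user": "bob", "src_ip": "203.0.113.45", "event": "login", "ok": true}
{"ts": "2025-03-01T09:14:00Z", "user": "bob", "src_ip": "203.0.113.45", "event": "read", "record": "CUST-2001"}
{"ts": "2025-03-01T09:14:03Z", "user": "bob", "src_ip": "203.0.113.45", "event": "read", "record": "CUST-2002"}
{"ts": "2025-03-01T09:20:00Z", "user": "bob", "src_ip": "203.0.113.45", "event": "export", "record": "CUST-2003"}
{"ts": "2025-03-02T22:41:17Z", "user": "bob", "src_ip": "198.51.100.7", "event": "login", "ok": true}
{"ts": "2025-03-02T22:42:00Z", "user": "bob", "src_ip": "198.51.100.7", "event": "read", "record": "CUST-2002"}
{"ts": "2025-03-02T22:42:05Z", "user": "bob", "src_ip": "198.51.100.7", "event": "read", "record": "CUST-2004"}
{"ts": "2025-03-03T07:55:00Z", "user": "carol", "src_ip": "10.0.5.30", "event": "login", "ok": true}
"""


def parse(text):
    """Turn JSON-lines text into a time-sorted list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def scope_breach(events, seed_ips):
    """Pivot from attacker IPs to compromised accounts, then to every action
    those accounts took from any address after their first malicious login."""
    seed_ips = set(seed_ips)
    # Accounts that successfully authenticated from a seed address, keyed by
    # the time of the first such login (events are time-sorted).
    first_bad_login = {}
    for e in events:
        if e["event"] == "login" and e.get("ok") and e["src_ip"] in seed_ips:
            first_bad_login.setdefault(e["user"], e["ts"])

    # Everything those accounts did from that moment on. Following the
    # account rather than only the address catches the attacker coming back
    # from a different IP with the same stolen credentials.
    ips, touched, exported = set(seed_ips), set(), set()
    first_seen = last_seen = None
    for e in events:
        start = first_bad_login.get(e["user"])
        if start is None or e["ts"] < start:
            continue
        ips.add(e["src_ip"])
        if "record" in e:
            touched.add(e["record"])
            if e["event"] == "export":
                exported.add(e["record"])
        first_seen = e["ts"] if first_seen is None else first_seen
        last_seen = e["ts"]
    dwell = (last_seen - first_seen).total_seconds() / 3600 if first_seen else 0.0
    return {
        "accounts_to_disable": sorted(first_bad_login),   # Step 1 output
        "ips_to_block": sorted(ips),                       # Step 1 output
        "records_affected": sorted(touched),               # Step 2 output
        "records_exported": sorted(exported),              # drives notification
        "first_seen": first_seen,
        "last_seen": last_seen,
        "dwell_hours": round(dwell, 2),
    }


if __name__ == "__main__":
    result = scope_breach(parse(SAMPLE_LOG), ["203.0.113.45"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against a real export, the two lists feed Step 1 directly (accounts to disable, addresses to block), while the record sets and time window feed Step 2 and the notification decision: records that were exported, not merely viewed, are the ones you can least argue were unaffected. Scope against a preserved copy of the original log, not a system you have already rebuilt, since the point of the containment caveat above is that the evidence has to survive containment.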

Prevention Checklist

Preventing data breaches requires a layered approach that addresses technical, administrative, and human factors. This checklist covers the fundamental controls that every organization should have in place.

Deploy multi-factor authentication on all systems that contain or provide access to sensitive data.
Encrypt sensitive data both at rest and in transit.
Implement network segmentation to limit the blast radius of a breach.
Maintain a rigorous patch management program that addresses critical vulnerabilities within 48 hours.
Conduct regular security awareness training with simulated phishing exercises.
Implement the principle of least privilege for all user accounts.
Monitor network traffic and system logs for indicators of compromise.
Maintain and test offline backups.
Conduct regular vulnerability assessments and penetration tests.
Develop and rehearse an incident response plan.

At PTG, we operationalize this checklist through our ComplianceArmor platform, which maps technical controls to compliance requirements across frameworks including HIPAA, CMMC, NIST 800-171, and PCI DSS. This approach ensures that breach prevention efforts simultaneously satisfy regulatory obligations, eliminating the disconnect between security operations and compliance documentation that trips up so many organizations during audits and, more critically, during breach investigations.

Moving Forward

Data breaches are not theoretical risks. They are statistical certainties for organizations that fail to implement reasonable security measures. The question is not whether your organization will face a security incident but whether you will detect it quickly, respond effectively, and recover with minimal damage. Preparation makes the difference between a manageable incident and a catastrophic one.

If your organization needs help assessing its breach readiness, developing an incident response plan, or implementing the preventive controls outlined in this guide, contact our team. We bring over two decades of real-world experience in breach prevention and response, and we are ready to help you build the defenses your data deserves.

Craig Petronella
CEO & Founder, Petronella Technology Group | CMMC Registered Practitioner

Craig Petronella is a cybersecurity expert with over 24 years of experience protecting businesses from cyber threats. As founder of Petronella Technology Group, he has helped over 2,500 organizations strengthen their security posture, achieve compliance, and respond to incidents.
