Safeguard
Best Practices

What is a Data Breach

A data breach is unauthorized access to sensitive data. See real causes like MOVEit and Log4Shell, average costs, and how to prevent one.

Safeguard Research Team
Research
7 min read

A data breach is any incident in which sensitive, protected, or confidential data is accessed, copied, transmitted, or stolen by someone who is not authorized to have it. That includes customer records, employee Social Security numbers, source code, API keys, and internal credentials. In 2023 alone, the Identity Theft Resource Center recorded 3,205 publicly reported data compromises in the United States, affecting over 353 million individuals — a 78% jump over 2022. The average global cost of a breach reached $4.45 million in IBM's 2023 Cost of a Data Breach Report, and $9.48 million in the U.S. specifically. Breaches aren't abstract risks: Equifax lost 147 million records to an unpatched Apache Struts flaw (CVE-2017-5638) in 2017, and the 2023 MOVEit Transfer exploit (CVE-2023-34362) hit more than 2,700 organizations, from the U.S. Department of Energy to Shell and British Airways. Here's what actually causes breaches, what they cost, and how to stop them.

What counts as a data breach?

A data breach occurs the moment unauthorized parties gain access to confidential data, regardless of whether that data is actually misused afterward. This distinguishes a breach from a mere security incident: a failed login attempt or a blocked malware payload is an incident, but the moment an attacker successfully reads, exfiltrates, or copies protected data — even a single customer record — it's a breach under most legal definitions, including the EU's GDPR (Article 4(12)) and all 50 U.S. state breach notification laws. Breaches can be external (an attacker exploiting a vulnerability), internal (an employee misusing access), or accidental (a misconfigured S3 bucket left public). The 2019 Capital One breach, for example, exposed 106 million records not through a zero-day exploit but through a misconfigured web application firewall on AWS that let a former employee query internal metadata and pivot into stored customer data.

What are the most common causes of data breaches?

The most common causes are stolen or weak credentials, unpatched software vulnerabilities, and misconfigurations — Verizon's 2023 Data Breach Investigations Report found that 83% of breaches involved external actors and roughly half involved stolen credentials. Software vulnerabilities are a close second and increasingly the higher-impact vector: Log4Shell (CVE-2021-44228), disclosed in December 2021, was exploited within hours of publication and remained a top attack vector into 2023 because so many organizations couldn't identify every application that bundled the vulnerable Log4j library. Third-party and supply chain compromise is the fastest-growing category — the 2020 SolarWinds Orion breach let attackers slip malicious code into a signed software update that reached roughly 18,000 customers, including nine U.S. federal agencies. Misconfigured cloud storage remains a persistent, low-effort cause: in 2023, security researchers found an exposed Microsoft Azure storage container that had leaked 38 terabytes of internal data since 2020 due to an overly permissive shared access signature (SAS) token.

How much does a data breach actually cost?

A data breach costs an average of $4.45 million globally and $9.48 million in the United States, per IBM's 2023 report, but costs vary enormously by cause and detection speed. Breaches caused by stolen credentials or misconfigurations averaged over $4.5 million, while breaches involving a malicious insider ran higher still, near $4.9 million. Time matters just as much as cause: breaches that took longer than 200 days to identify and contain cost organizations roughly $1.02 million more on average than those contained faster. Healthcare has been the costliest sector for 13 consecutive years, averaging $10.93 million per breach in 2023 — a figure driven up by the February 2024 Change Healthcare ransomware attack, which disrupted claims processing for thousands of U.S. pharmacies and exposed protected health information for an estimated one-third of Americans.

How is a data breach different from a data leak?

A data breach involves an active, unauthorized intrusion to access data, while a data leak refers to sensitive data being exposed unintentionally, without an attacker needing to breach any system at all. A leak might be a developer accidentally committing an AWS access key to a public GitHub repository, or a company publishing an internal spreadsheet with customer PII to a public-facing website. GitGuardian's 2023 State of Secrets Sprawl report found over 12.7 million hardcoded secrets — API keys, tokens, and credentials — exposed on public GitHub in 2023 alone, a 67% increase over 2022. The distinction matters operationally: a leak often becomes the entry point for a subsequent breach, as attackers scan public code repositories and misconfigured buckets specifically looking for credentials they can use to pivot into a live breach.

How do software supply chain attacks lead to data breaches?

Supply chain attacks cause data breaches by compromising a trusted upstream component — a library, build tool, or vendor — so that the malicious code rides along into every downstream system that depends on it. The 2023 MOVEit breach worked this way: Progress Software's file-transfer product had a SQL injection flaw (CVE-2023-34362) that the Cl0p ransomware group exploited to exfiltrate data from over 2,700 organizations that had no direct relationship with the attackers, only a shared vendor. The 2024 discovery of a backdoor in XZ Utils (CVE-2024-3094), a compression library embedded in most Linux distributions, showed how close a similar attack came to compromising SSH access across a huge portion of internet infrastructure before a Microsoft engineer caught it by chance during a performance investigation. These incidents share a root problem: most organizations cannot produce, in minutes, an accurate list of every open-source component and version running in production, which is exactly what attackers count on.

How can organizations detect and prevent data breaches faster?

Organizations detect and prevent breaches faster by combining accurate software inventories with continuous vulnerability monitoring and enforced access controls, rather than relying on periodic audits. IBM's 2023 data shows organizations using security AI and automation extensively identified and contained breaches 108 days faster on average than those without it, and saved $1.76 million in breach costs. Practically, that means maintaining a live Software Bill of Materials (SBOM) for every application, rotating and vaulting credentials instead of hardcoding them, enforcing least-privilege IAM policies on cloud storage, and patching known-exploited vulnerabilities on the CISA KEV list within days, not months — CISA's own data shows federal agencies cut median remediation time for KEV-listed flaws from 41 days to under 20 days after Binding Operational Directive 22-01 took effect. Prevention increasingly depends on knowing which vulnerabilities are actually reachable in your running code, since scanning alone produces far more findings than any team can triage.

How Safeguard Helps

Safeguard reduces breach risk by closing the gap between "a vulnerability exists somewhere in our stack" and "we know exactly where it's exploitable." Our reachability analysis traces whether a vulnerable function in a dependency is actually called by your application code, cutting through the noise that buries critical, exploitable flaws like Log4Shell or MOVEit-style SQL injection under thousands of low-risk CVEs. Griffin AI triages and prioritizes findings using the same context a human security engineer would — exploit maturity, exposure, and business impact — so teams fix what matters first. Safeguard generates and ingests SBOMs automatically across your build pipeline, giving you the live component inventory that most breach post-mortems reveal was missing, and our auto-fix pull requests patch reachable, exploitable dependencies directly in your codebase, shrinking the mean-time-to-remediate window that attackers depend on.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.