What Is a Data Leak and How Do They Happen?
Data leaks are a serious problem for organisations and individuals alike. Individuals routinely hand personal information to organisations, so a leak affects both the company holding the data and the person it describes. Leaks typically expose personal data (names, addresses, financial details), while the organisation faces potential financial loss and reputational damage on top.
The terms “data leak” and “data breach” are often used interchangeably. It is important to understand the difference, and how to avoid falling victim to a leak.
In this article, we will explore:
- What is a data leak?
- What are the consequences of a leak?
- What is the difference between a data leak and a data breach?
- High-profile data leaks
- Do you need to inform the ICO of a data leak?
- What you need to do following a data leak
- How to protect yourself from data leaks
What is a data leak?
A data leak is the inadvertent exposure of sensitive or confidential information: physical or digital data revealed unknowingly or through a mistake, rather than taken by an attacker. Leaked information lets bad actors (people or organisations who deliberately set out to cause harm) obtain identifiable data they were never authorised to hold, with the potential to exploit the individuals or organisations concerned.
It’s important to note that the term “data leak” is not one which is recognised in relation to GDPR, but we’ll explain more about that later in this article.
What are the consequences of a leak?
A leak will not necessarily lead to severe consequences. The likelihood of serious harm rises sharply, however, the longer the leak goes unaddressed.
The most damaging outcomes occur when a leak is discovered but not acted upon. Failure to act can result in:
- Privacy violation: personal data such as names, addresses and financial information ends up in the hands of someone not authorised to hold it. This can lead to identity theft and fraud.
- Financial loss: exposed card numbers and company bank details can be used for unauthorised transactions and other fraud, costing both individuals and businesses.
- Disruption: finding and fixing the source of a leak takes time and money, which many smaller businesses struggle to absorb.
- Reputational damage: an organisation that leaks data may lose customer trust, and with it customers and revenue; a visible lack of security awareness can cost a small business its existence. The often-quoted figure that 60% of small companies close within six months of being hacked is widely repeated but has never been reliably sourced, so treat it with caution.
- Legal and regulatory consequences: depending on the nature of the leak, your company may face legal action, regulatory fines, reprimands and other penalties for disclosing personal information.
- Cybersecurity risks: once a cybercriminal has access to you or your company’s data, it gives them an opportunity to implement a future cyber attack.
If data falls into the wrong hands it may well be used for exploitation. An individual may fall victim through:
- Social engineering: a targeted phishing email from a criminal impersonating a colleague or supplier, made convincing by the leaked details, designed to extract further information such as passwords or customer records.
- Doxxing: the compilation and public release of a person’s personally identifiable information without their consent.
As of 2023, there are more than 5 billion active internet users around the world. That is a lot of data. There are now tools to identify whether your data has been compromised, such as Have I Been Pwned, which lets you check whether your email address appears in a known breach, and whether a password has appeared in one without ever sending that password to the service. Knowing this lets you change affected credentials and warn other people or organisations whose data may also be compromised.
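The password half of Have I Been Pwned is worth understanding because of how it avoids creating a new leak while checking for an old one: the client sends only the first five hex characters of the password’s SHA-1 hash, receives every hash suffix in that range with a breach count, and does the matching locally, so the service never learns the password or even which hash was of interest. The Python below is an added example written for this article, not code from Databasix or from Have I Been Pwned. The API URL and the `Add-Padding` header are real; the sample response is constructed (the breach count shown is illustrative, not the live figure), and `fetch_range` is the only function that needs network access.

```python
"""Pwned Passwords k-anonymity range check (added example, not Databasix code).

Only the 5-character hash prefix leaves the machine; the 35-character suffix is
compared locally against the range the API returns.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def hash_split(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries (count 0) are kept; they never match a real hit."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appeared in known breaches (0 = not seen in this range)."""
    _, suffix = hash_split(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10) -> str:
    """Live lookup (needs network). Add-Padding makes every response a similar size,
    so a network observer cannot infer the result from the response length."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the SHA-1 prefix of "password").
# Line 1: the real suffix of "password" with an illustrative count (not the live figure).
# Line 2: a made-up neighbouring suffix. Line 3: a zero-count padding line of the kind
# the API adds when Add-Padding is requested.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
0123456789ABCDEF0123456789ABCDEF012:0
"""

if __name__ == "__main__":
    prefix, _ = hash_split("password")
    print("sent to the API:", prefix)                                   # 5BAA6
    print(breach_count("password", SAMPLE_RANGE_5BAA6))                 # 3861493 (constructed)
    print(breach_count("correct horse battery staple", SAMPLE_RANGE_5BAA6))  # 0
    # Live check (uncomment to run with network access):
    # print(breach_count("password", fetch_range(prefix)))
```

To check a password for real, pass the output of `fetch_range(prefix)` to `breach_count`; the result is a count, and anything above zero means the password should be retired everywhere it is used.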
What is the difference between a data leak and a data breach?
The answer depends on whether or not you are using the term in relation to GDPR.
Many articles online use the term “data leak” in relation to GDPR, but that usage is incorrect. The ICO have confirmed that neither they nor the GDPR use or recognise the term. UK GDPR Article 4(12) defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. An accidental exposure falls squarely within that definition, so in the ICO’s eyes any leak of personal data, however caused, is a data breach, and the term “data leak” should be avoided in a GDPR context.
So where does the term data leak come from?
We did some digging, and it turns out the term is used in cyber-security circles. We spoke with the National Cyber Security Centre (part of GCHQ), who confirmed that:
“Whilst a data breach and a data leak are closely related concepts and can have similar impacts, they are not exactly the same thing.
A data breach occurs when information held by an organisation is stolen or deliberately accessed without authorisation, whether as the result of an external attack or as a release of data by an authorised employee to an unauthorised individual.
On the other hand, a data leak occurs when data is unintentionally left accessible and unprotected. For example, this could be caused by misconfigured security settings allowing unauthorised users to access data, or by an employee accidentally sending sensitive information to the wrong recipient (as could happen if an email address was mistyped).
So, while both a data leak and a data breach involve unauthorised access to data, the key difference lies in the intent behind the incident. A data breach is often the result of a deliberate attempt to access data, while a data leak is usually an unintentional incident.”
So to recap - if you’re talking about cyber security then you can use the term data leak to convey a very specific type of breach. However, if you’re discussing a breach in relation to GDPR, then all breaches are considered “data breaches”.
Now that you know the difference and can use the correct terminology appropriately, you may find it helpful to read our article on how to identify a data breach, and what you need to do next.
High-profile data leaks
Falling victim to a data leak is not uncommon, and it happens to high-profile organisations as well as smaller businesses. Verizon’s 2023 Data Breach Investigations Report found that 74% of breaches involved a human element, which covers error alongside privilege misuse, stolen credentials and social engineering.
Thames Valley Police
One example is Thames Valley Police, reprimanded by the ICO on 30 May 2023 after witness details were disclosed to suspected criminals, giving them the witness’s address. The disclosure seriously disrupted the criminal case, and the witness had to move house, leaving them in a vulnerable position.
The ICO attributed the leak to several factors: a failure to ensure the individual’s personal information was protected, a lack of awareness of the relevant policy, and a lack of appropriate training.
A serious incident like this has a direct impact on the person whose safety is at risk, and also on the trustworthiness of the Police.
Since the issue, Thames Valley Police have taken the following steps:
- Provide training to their officers to prevent such leaks from happening again
- Provide operational guidance on when, and when not to, share information
- Update their policy documents to include more detail on making redactions
Ministry of Justice
Another high-profile example involves the Ministry of Justice. On 26 February 2022 the lorry due to collect a prison’s confidential waste for shredding did not arrive, and 14 bags of confidential information were left in an unsecured holding area accessible to both staff and prisoners for 18 days. Within that time up to 44 individuals saw the information, and some of the material was removed.
The information falling into the hands of both unauthorised staff and prisoners puts individuals at risk. To further prevent such a situation from happening, the Ministry of Justice took the following actions:
- Introduction of a new process to ensure waste was collected within a certain time slot
- Making sure the waste was stored in a more secure environment
- Bringing sufficient shredders on-site so that waste can be shredded before collection
Tesla
Tesla, the American vehicle manufacturer, also experienced the consequences of a data leak, covering records from 2015 to March 2022. A whistleblower passed internal documents about problems with Tesla’s automated driving systems to the German newspaper Handelsblatt, which reported that customers had made over 2,400 complaints about self-acceleration and 1,500 complaints about braking issues.
The leaked information came from Tesla’s IT systems and contained complaints about the full self-driving features from multiple regions, including the USA, Europe and Asia. Customers’ personal information, including phone numbers, was also exposed.
The reported technical faults with the self-driving feature included vehicles failing to stop, problems with the automatic application of emergency brakes, and collisions.
Dagmar Hartge, Brandenburg’s state data protection commissioner, acknowledged the issues raised and referred the case to the Dutch data protection authority for further investigation, as Tesla’s European headquarters is in the Netherlands.
Tesla’s response explained:
“Tesla rigorously protects its confidential information and the personal information of its employees and customers. We intend to initiate legal proceedings against this individual for his theft of Tesla’s confidential information, and employees’ personal data”.
Note: As the breach occurred outside of the UK it is outside the ICO's remit to reprimand the organisation.
Do you need to inform the ICO of a data leak?
As touched on above, the term “data leak” is not used in relation to GDPR. Does that mean you do not need to report one?
No. A data leak must be treated exactly as a data breach, because in the eyes of the ICO they are the same thing.
Under UK GDPR you must report a personal data breach to the Information Commissioner’s Office unless it is unlikely to result in a risk to individuals’ rights and freedoms; harm to a person’s reputation, finances or confidentiality all count as such a risk. Notification must be made without undue delay and in any case within 72 hours of becoming aware of the breach. Where the risk to individuals is high, the affected individuals must also be told without undue delay. Every breach, reportable or not, must be recorded internally along with the reasoning behind the decision.
What you need to do following a data leak
You can prepare for a future leak, but it is just as important to know what to do when one actually happens.
If you encounter a data leak, you must:
- Confirm and contain the leak: establish what happened, who was involved and what access they had, what information was exposed and to whom, and close the exposure (for example, correct the misconfiguration or recall the email where that is still possible). Then assess the likely consequences for the people concerned.
- Decide whether to report to the ICO: assess whether the leaked data is likely to put individuals’ rights and freedoms at risk. If so, notify the ICO within 72 hours of becoming aware, and record the assessment either way.
- Retrain your staff: make sure colleagues understand what went wrong so it is not repeated. Enrolling them on a data protection and GDPR course is recommended.
- Secure your accounts: rotate any passwords, keys or access tokens that may have been exposed and revoke active sessions, so that a criminal cannot use the leaked information to get further in.
How to protect yourself from data leaks
Data leaks are caused by human error or by technical error, such as a misconfigured system. Fortunately, there are manageable ways to reduce the risk.
Make sure that you:
- Check that your organisation has appropriate policies and controls in place to protect its data, including who may access or share it.
- Store any work involving sensitive information correctly and securely, and review the access settings on shared storage so nothing is exposed more widely than intended.
- Train your employees in cyber security awareness to prevent leaks caused by human error, such as sending information to the wrong recipient.
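The NCSC quoted above gives two typical causes of a leak: a misconfiguration that leaves data open, and an email sent to a mistyped address. Training reduces the second, but a technical check at send time catches the slip a tired employee still makes. The Python below is an added example written for this article, not code from Databasix, the NCSC or the ICO. It shows a pre-send guard that flags recipients outside the organisation, recipients whose domain looks like a typo of the organisation’s own domain, and message bodies containing a Luhn-valid payment card number or a UK National Insurance number. The domain `example.co.uk`, the similarity threshold and the block/allow policy are assumptions, and the sample messages are constructed.

```python
"""Pre-send guard for the misaddressed-email leak (added example, not Databasix or NCSC code).

Assumptions (not from the article): the organisation's own mail domain is example.co.uk,
and 'sensitive' means a Luhn-valid payment card number or a UK National Insurance number.
"""
import difflib
import re

INTERNAL_DOMAINS = {"example.co.uk"}   # assumption: your organisation's own domains
LOOKALIKE_THRESHOLD = 0.85             # assumption: similarity above which a domain looks mistyped

# 13-19 digits, optionally separated by single spaces or hyphens (typical card formatting)
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# UK National Insurance number: two letters (excluding D, F, I, Q, U, V), six digits, suffix A-D
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit: filters out phone numbers and order IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[str]:
    """Return a label per sensitive item found. The raw value is deliberately not returned,
    so the guard's own logs do not become a second copy of the data."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(f"card ending {digits[-4:]}")
    for _ in NINO_RE.finditer(text):
        findings.append("UK National Insurance number")
    return findings


def classify_recipients(recipients: list[str]) -> tuple[list[str], list[str]]:
    """Split recipients into external addresses and the subset whose domain looks mistyped."""
    external, lookalike = [], []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in INTERNAL_DOMAINS:
            continue
        external.append(addr)
        # e.g. exampel.co.uk vs example.co.uk: a near-match to our own domain is almost
        # certainly a typo, not a genuine third party.
        if any(difflib.SequenceMatcher(None, domain, own).ratio() >= LOOKALIKE_THRESHOLD
               for own in INTERNAL_DOMAINS):
            lookalike.append(addr)
    return external, lookalike


def check_outbound(recipients: list[str], body: str) -> dict:
    """Policy (assumption): block when sensitive data is leaving the organisation or any
    recipient domain looks mistyped; otherwise allow but surface external recipients."""
    external, lookalike = classify_recipients(recipients)
    findings = find_sensitive(body)
    block = bool(findings and external) or bool(lookalike)
    return {"block": block, "external": external, "lookalike": lookalike, "findings": findings}


if __name__ == "__main__":
    # Constructed sample messages.
    print(check_outbound(["bob@example.co.uk"], "Refund to card 4111 1111 1111 1111"))
    print(check_outbound(["bob@example.co.uk", "claims@insurer-example.com"],
                         "Refund to card 4111 1111 1111 1111"))
    print(check_outbound(["bob@exampel.co.uk"], "Meeting moved to 3pm"))
    print(check_outbound(["partner@supplier-example.org"], "Meeting moved to 3pm"))
```

In a real deployment this logic would sit in a mail gateway or an Outlook/Gmail add-in rather than a script; the point of the example is the order of checks (who is it going to, does it look like a typo, what is in it) and that the guard never stores the sensitive values it finds.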
We understand that a situation such as a data leak can be frightening and detrimental to your organisation. At Databasix, we are a people-focused data consultancy. Our range of courses can help you and your colleagues understand the way data is collected, understood, and used.
Check out our range of courses:
- GDPR training courses
- Cyber awareness training course
- Rapid Response service - for emergency help with data leaks
- Data mapping
We can also help your organisation with a data protection impact assessment. It is a process that helps you identify all the potential risks or harms that may affect individuals’ rights and freedoms, as a result of the data processing you plan to carry out. For more information, have a look at our training services.
To protect yourself or your organisation from cyber attacks, contact us today.