What Is a Data Breach?

Quick Answer

A data breach is the theft of personal information, such as Social Security numbers, credit card numbers or passwords, from an organization’s digital records. Criminals may use stolen data to impersonate you and seek credit in your name.

Concerned woman sitting on the sofa and holding a smartphone and a credit card

A data breach occurs when criminals steal personal information by breaking into an organization's electronic records. Last year set a record high for total reported data breaches: The Identity Theft Resource Center (ITRC) tracked 3,205 breaches in 2023. And so far, this year is on pace to set a new record, with data breaches up 14% year-over-year in the first half of 2024.

The cybercriminals who carry out breaches are constantly evolving their tactics. They personalize their attacks to trick company insiders. They gather information on software vulnerabilities, and create custom malware to hack anything from a company's computer system to global satellite internet networks.

These sophisticated attacks can turn into what some experts call "mega-breaches," or large breaches in which millions of records are exposed. There were seven mega-breaches that compromised 1 million or more records in 2023, according to Experian's 2024 Data Breach Industry Forecast.

If you learn that your data was exposed in a breach, it's important to act quickly. Here's more on what data breaches are, how they happen, how to protect your data and what to do if you're impacted by a breach.

What Is a Data Breach?

A data breach is when someone illegally accesses sensitive information. Data breaches may happen when a criminal intentionally carries out a cyberattack to infiltrate a company or organization's records for the purpose of stealing personal data. They can also happen unintentionally, such as if an organization accidentally publishes sensitive information.

Victims of data breaches may include customers, account holders, clients and employees. Data breaches can lead to identity theft and fraud, with devastating financial consequences. There were 2.6 million reports of fraud with total reported losses of $10 billion in 2023, according to Federal Trade Commission (FTC) data.

Learn more >> Identity Theft Statistics: Fraud on the Rise

How Do Data Breaches Happen?

Data breaches happen when criminal actors get their hands on sensitive information.

Data breaches may happen in a few main ways:

  • Hackers exploit vulnerabilities to steal information from servers
  • Corporate or organizational insiders steal sensitive information
  • A corporation or other organization accidentally exposes sensitive information on its websit

The methods criminals use to pierce organizational security measures often involve tricking the users of a system—employees or end users—into giving up information needed to gain access.

Third-Party Data Breaches

It's increasingly common for criminals to target third-party softwares and technologies—outside vendors or suppliers that other companies contract and that may provide a point of entry into client data systems. For example, hackers may target a software company that provides a cloud software other companies rely on for data management and for storing sensitive information.

When third-party attacks are successful, the scope of the damage can be far-reaching. An example of a third-party application data breach is 2023's MOVEit data breach, which impacted more than 60 million people.

What Information Is Targeted in Data Breaches?

When criminals infiltrate a company's data, they typically take whatever information they can get, including:

  • Social Security numbers
  • Financial account numbers
  • Credit card numbers
  • Home addresses
  • Birth dates
  • Usernames and passwords
  • Driver's license numbers
  • Passport numbers
  • Immigration status
  • Medical information

Types of Data Breaches

One way to differentiate between different types of data breaches is to look at how the breach was carried out. Here are some specific ways that data breaches may happen:

  • Human error: Mistakes by employees, such as improper configuration and use of security systems, can leave organizations vulnerable to attack.
  • Phishing: Phishing is when a fraudster tries to get someone to divulge sensitive information. It's usually through an unsolicited email or text where they pose as a company and request that you share personal information.
  • Business email compromise: In this increasingly common form of phishing, a scammer infiltrates an organization's email system by impersonating a manager or client and requesting access to critical data. Communications that appear to come from trusted individuals inside company security structures can be especially hard to detect.
  • Malware: Viruses and other malicious software can be used to attack and seek out customer and employee data within targeted organizations. They can gain entry as email or text attachments, on contaminated thumb drives or other storage devices, or by masquerading as legitimate software downloads.
  • Ransomware: Ransomware is a type of malware cybercriminals use to illegally encrypt an organization's files, blocking all authorized access to a computer system until a hefty ransom is paid.

How Do Data Breaches Impact You?

If your information is compromised in a data breach, you may be at an increased risk of falling victim to identity theft and other types of fraud. As a few possible examples, criminals may use information stolen in data breaches to:

  • Make unauthorized purchases on your credit cards
  • Apply for credit or loans in your name
  • Obtain your tax refunds or government benefits
  • Take over your existing bank accounts to steal your money

They also may offer your personal information for sale to other criminals on the dark web.

Learn more >> What Is the Dark Web?

How to Help Avoid Data Breaches

Many of the factors behind data breaches fall outside of an individual's control. That's because data breaches often involve attacks on a large scale, by targeting company databases, for example.

Companies must implement strong security practices to avoid breaches, including encryption, employee training and enforcement of strong passwords and other cybersecurity practices.

For employees: A data breach at your workplace not only affects your own data security, but that of your employer, customers and clients. Align yourself with the security protocols your employer uses to keep your systems safe. Here are some tips:

  • Follow your employer's security protocols to keep important data safe
  • Report the loss or theft of work-issued laptops, phones or tablets promptly
  • Maintain up-to-date software on your devices and use strong, unique passwords

At an individual level, the best way to avoid breaches is to learn about how criminals use social engineering to trick employees into giving them an in. Data breaches often occur due to human error; in fact, 82% of breaches involve a human element, according to Verizon's 2022 Data Breach Investigations Report.

Learn more >> What Is Social Engineering?

How to Protect Your Data

While you may not be able to control the factors leading up to a breach, there are steps you can take to protect yourself and your personal information. Here are tips to protect your data:

  • Protect your login information. Use strong passwords (and consider a password manager that generates random passwords for you), change those passwords often and activate multifactor authentication on smartphone apps and websites where sensitive information is kept.
  • Guard your credentials. Keep account numbers and passwords to yourself and don't offer up information to anyone who asks for your Social Security number, bank account number or other personal credentials "for verification purposes" or any other reason. Unless you can be absolutely sure they are who they say they are, end the conversation or online session and call the organization in question yourself, using a public address or phone number you look up yourself.
  • Watch for signs of fraud. Check your credit report regularly for accounts or new credit applications you don't recognize.
  • Get rid of old paperwork. Shred and discard old documents containing your Social Security number and account numbers.
  • Purge your digital devices. Clear data on old phones, tablets and PCs before donating or selling them. Special software can help you make sure this data can't later be recovered.

What to Do if Your Data Has Been Breached

If your information is exposed in a data breach, it's important to act right away to understand what types of data were compromised and take defensive steps.

1. Pay Attention to Breach Notifications

If you hear that an organization you work with has experienced a data breach, keep an eye out for notification whether your information was involved.

Breaches don't necessarily affect all of a victim organization's customers, members, employees or other related individuals. You'll be notified if you're affected, and you may also be able to visit a website set up to let you check whether your data was exposed.

2. Place a Fraud Alert on Your Credit

You have the right to request a fraud alert or credit freeze on your credit report for extra protection. A fraud alert instructs creditors to verify your identity before processing the application.

You can also consider freezing your credit for an additional layer of security. A credit freeze hides your credit report from most creditors and makes processing new credit applications impossible.

3. Monitor Your Credit and Financial Accounts

Carefully review your bank and credit card statements and your Social Security account, back to the date the breach is believed to have occurred. Look for transactions or activity you don't recognize and report any to the relevant institution and law enforcement as appropriate.

You should also check your credit reports at all three national credit bureaus (Experian, TransUnion and Equifax) for signs of suspicious activity. You have the right to dispute information on your credit report, including that which you believe to be the result of identity theft.

4. See if Your Data Was Exposed

Run a privacy scan to locate information that might be exposed in public databases. If any turns up, you can ask to have it removed. Also, a dark web search can make you aware of account numbers, passwords and other information that may be circulating on illicit hidden websites. You can't easily get them removed, but you can change affected passwords and account numbers.

5. Report Fraud to Authorities

If you've been victimized, report credit or identity fraud to the FTC, the FBI and local law enforcement agencies.

Learn more >> How to Report Identity Theft

Frequently Asked Questions

  • There is no federal law requiring companies to disclose data breaches. That said, all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation that set requirements for companies operating within those states for disclosing breaches to impacted consumers within a given timeframe.

    Also, in 2023, the U.S. Securities and Exchange Commission (SEC) adopted a new rule requiring public companies to disclose cybersecurity breaches that could impact consumers within four days. The rule is intended to protect investors by increasing transparency around company risk.

  • The National Public Data breach is a breach in which hackers infiltrated a database of almost 3 billion people's sensitive information. National Public Data is a background checking company. According to National Public Data's website, criminals carried out a cyberattack in December of 2023 before leaking stolen data in April and summer of 2024.

    Information leaked in the National Public Data breach could include:

    • Full names
    • Dates of birth
    • Social Security numbers
    • Mailing addresses
    • Email addresses
    • Phone numbers

    If your data was exposed in the breach, take steps to monitor your financial accounts and your credit for any signs of fraud. You can also place a fraud alert on your credit file to instruct creditors to take additional steps to confirm your identity before processing applications for credit.

  • If you get a data breach notification, your sensitive information may have been exposed in a breach. Organizations are often required by law to notify those impacted in breaches. Read the data breach notification carefully for information on what happened, what data was impacted and what to do next. The company may provide you with free credit monitoring and identity theft protection after the breach.

  • Security breaches and data breaches are interrelated, but they're not exactly the same.

    A security breach occurs when criminals break into an automated system, whether they steal anything or not. On the other hand, a data breach is theft of information, often obtained by defeating an organization's data security measures. Every data breach is also a security breach, but some security breaches are not data breaches.

    In the physical world, a data breach is analogous to burglary where items are stolen, while a security breach is analogous to someone kicking in your front door.

Stay Vigilant to Signs of Fraud

Data breaches are an unfortunate side effect of our reliance on digital technology. While you may not be able to do much to stop cyberattacks aimed at data theft, you can and should remain watchful.

Respond quickly to any alert you receive that your data has been compromised, change passwords regularly and check your account statements and credit reports regularly for signs of suspicious activity. Consider using Experian's identity theft protection service to alert you of potential fraud.