What is a data breach and how to defend against one

By IBM Services

What is a data breach?

A data breach is an IT security incident where private information is exposed due to malicious attack, human error or negligence, IT system malfunction⁽¹⁾ or a combination thereof.

The data exposed can include names, addresses, telephone numbers, email addresses birth dates and more. It can be highly sensitive information like account numbers, social security numbers (US), driver license numbers (US), passwords, credit card numbers, PINs, user names or IDs. It can also include personal information such as health, financial or legal records.

Breaches of data incidents involve a relatively high number of compromised records entrusted to businesses, large enterprises and public institutions. The global average of the number of records lost or stolen per breach is 24,615. IBM® has classified a larger class of data breach called mega breaches. A mega breach involves more than 1 million compromised records.⁽²⁾


A few examples:

Facebook: In September of 2018, Facebook reported that an attack on its network had exposed the information of nearly 50 million users (later revised to 30 million⁽³⁾) with 14 million having user name and recent Facebook searches accessed. According to the New York Times, “The attackers exploited a feature in Facebook’s code to gain access to user accounts and potentially take control of them.”⁽⁴⁾

Equifax: Credit reporting agency Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide.⁽⁵⁾ In September 2017, it announced that “a cybersecurity incident potentially impacting approximately 143 million US consumers. Criminals leveraged a US website application vulnerability to gain access to certain files.”⁽⁶⁾

United States Office of Personnel Management (OPM): OPM collects personnel information for US federal workers. It reported a cyber attack in May of 2015 that compromised the data of about 4 million current and former employees.⁽⁷⁾ One of the factors was the failure by OPM to implement security measures such as two-factor authentication. According to WIRED “OPM has a multifactor authentication scheme, but it wasn’t fully implemented until January 2015 — too late to prevent the [PlugX] attack.”⁽⁸⁾

There may be human error or system shortcomings associated with a data breach, but malicious attack is the common factor. IBM and Ponemon Institute report in a 2018 study that 48 percent of all breaches were caused by malicious or criminal cyber attack, making it the leading cause of data breaches.


2018 Cost of a Data Breach Study by Ponemon Institute

Understand the implications and effects of a data breach. Ponemon Institute's study of over 477 organizations around the globe details costs and impact of data breaches, with breakdowns by industry and country.

Register and read


Cost of a data breach calculator

Companies face the constant, rising threat of data breaches each year. But the cost of a breach differs for every organization. How much would it cost yours? This interactive experience can help calculate.

Launch the calculator


Why are data breaches important?

Data breaches are important to avoid. They can bring significant direct and indirect costs to a business or institution. According to the 2018 Cost of a Data Breach Study by Ponemon and IBM, the average total cost of a data breach is $3.86 million.


A data breach can:

  • Damage brands and reputations
  • Disrupt business processes
  • Erode and even decimate customer loyalty
  • Result in loss of intellectual property
  • Help drive companies out of business
  • Invite regulatory penalties
  • Impair security for governments and states
  • Increase potential for future attacks

IBM views the direct and indirect costs of a data breach as:

Direct costs involve funds spent to accomplish a given activity such as engaging forensic experts, hiring a law firm or offering victims identity protection services.

Indirect costs involve the allocation of resources, such as employees’ time and effort to notify victims and investigate the breach. Indirect costs also include the loss of goodwill and customer churn.


IBM X-Force® Command Cyber Tactical Operations Center

A first-of-its-kind training, simulation and security operations center on wheels, the C-TOC provides the industry’s first mobile cyber range and watch floor, with 23 tons of cyber capabilities on wheels, wherever they are needed. 

Watch the video

See the infographic


Effectively defend against and respond to a data breach

An effective approach to data breaches should consider the top-level risks, assess preventative measures and prepare responses should safeguards fail.

Malicious attacks: Cyber attacks use malicious software (malware) to cause a data breach. Application security and automated testing can help detect malware vulnerabilities and unauthorized changes in configurations and data. Should an attack be sustained, automation and orchestration technologies can use pre-determined workflows to restore an entire business process, application, database or system.

Insider threats: Collusion, negligence, ignorance or inadvertent acts committed within an organization constitute insider threats. IBM SecurityIntelligence reports: “Insider breaches are among the costliest and hardest to detect.” Data security, identity and access management, and security intelligence can help:

  • Data security can prevent unauthorized or suspicious activities by discovering and classifying sensitive data and analyzing normal and abnormal user behavior.
  • Identity and access management verifies and authenticates credentials to control access, monitor sensitive data and analyze activity. If confidential information is being inappropriately accessed, it can block and/or quarantine the associated IDs.
  • Security intelligence analyzes user behavior against log events, network flows, vulnerabilities and business context. It brings the most immediate and dangerous threats to the surface and guides remediation efforts.

Web and mobile applications: As seen with the Facebook and OPM breaches, external web applications can create exposures. In fact, research, including that conducted by IBM X-Force, reveals that web and mobile applications are the most vulnerable points of attack.⁽⁹⁾ Combatting them involves testing software and applications across the development lifecycle.

In addition to their apps, mobile devices themselves can pose a threat. Many organizations support BYOD — bring your own device — an IT policy where employees use personal mobile devices to access enterprise data and systems. Enterprise Mobility Management (EMM) solutions can help develop and enforce secure BYOD policies, such as identity management and authentication procedures. Endpoint management, incorporating AI technologies, can also help. It discerns security anomalies in vast amounts of data and surfaces and remediates malware incidents or recommends actions from a centralized dashboard.

 Cloud computing: Cloud environments are distributed and dynamic, and thus can be more susceptible to unauthorized access, data exposure, cyber attack and other threats. The same practices used to secure on-premises environments — identity management, network security, application security, data protection and monitoring — can be tuned to cloud environments.⁽¹⁰⁾

For example, microservices — mini-applications that run inside of containers or packages of software in cloud environments — can be easily isolated to support network security practices. Or, as with traditional data encryption techniques, bring your own key (BYOK) policies enable organizations to manage encryption keys across all data storage and services in the cloud.

Third parties: Business partners, suppliers and services providers like accounting or human resources services can increase the threat of a data breach through substandard security practices. Retailer, Target, for example agreed to pay $18.5 million to 47 states and the District of Columbia⁽¹¹⁾ because of a breach reportedly linked to its air conditioning vendor.⁽¹²⁾

It is critical to vet third parties based on the security standards of the client organization. Protection can also be gained — by both parties — through clear contractual understanding of liability. Access for third parties can also be specifically controlled in terms of systems and data, and third-party accounts should be immediately disabled at the end of their term.


How force multipliers can transform cybersecurity

Artificial intelligence (AI), orchestration, automation, cloud security and open collaboration are pointing to a more secure future. These “force multipliers” combine to create a powerful defense and form the basis of an effective security strategy.

Read the report


Case Studies

RGS Nordic

Mobile devices streamline workflows — but requirements like the General Data Protection Regulation (GDPR) make it important to stay in control. RGS Nordic uses IBM MaaS360® with Watson™ to gain 100 percent visibility of its devices in Denmark.

Read the story



Machine learning and AI-based capabilities of application scanning software, enable lottery and gaming solutions provider IGT to rule out “false positive” issues. It can focus on specific code and meet development targets while mitigating risks.

Learn more about IGT and app security


Wimbledon 2017

Balancing tradition with innovation, cognitive security technology and constant vigilance from IBM helped protect the Wimbledon brand. The score? Sixty times faster threat investigations to love breaches for the Wimbledon 2017 website.

Read more



Find the latest security analysis and insight from top IT security experts and leaders.

Visit the site


Cyber Resilience Services

Mitigate the impact of cyber disruption with an orchestrated resilience approach that helps identify risks, protect applications and data, and rapidly recover IT.

Read more


Business Resiliency Services

business continuity and disaster recovery services to support business across environments — public cloud, private cloud and on-premises data center environments.

Read more 


Data Backup and Protection Services

Enhance data protection, mitigate information risk and ensure access to critical information with backup as-a-service and cloud backup services.

Read more 


IBM Security Connect

A cloud-based platform that enables security data gathering from across existing tools and products. Choose security capabilities or unified solutions from IBM Security and partners.

Read more


X-Force Red Penetration Testing

A security testing program that focuses on rapid testing of any target, management of vulnerability data and analytics to help rate risk. Document requirements and receive recommendations for the appropriate testing profile for targets.

Read more




1. 2018 Cost of a Data Breach Study: Global Overview, IBM Security, Poneman Institute LLC, July 2018

2. ibid., p.8

3. Facebook Breach Exposed Data of Millions of Users, Allen St. John, Consumer Reports, October 12, 2018

4. Facebook Security Breach Exposes Accounts of 50 Million Users, Mike Isaac, Sheera Frenkel, New York Times, September 28, 2018

5. Equifax, Wikipedia, November 17, 2018

6. Equifax Announces Cybersecurity Incident Involving Consumer Information, Equifax Press Release, September 7, 2017

7. Cyber attack hits 4 million current. Former U.S. federal workers, Doina Chiacu, Matt Spetalnick, Reuters, June 4, 2015

8. Inside the Cyber Attack That Shocked the US Government, Brendan I. Koerner, WIRED, October 23, 2016

9. IBM Application Security, IBM Corporation

10. What is different about cloud security, Red Hat

11. Target to Pay $18.5 Million to 47 States in Security Breach Settlement, Rachel Abrams, New York Times, May 23, 2017

12. The Top 5 Data Breach Vulnerabilities, Eric Basu, Forbes, November 5, 2015