Data breach: What security teams need to know

This guide explains what a data breach is, how breaches unfold across modern enterprise environments, and what security teams, from SOC analysts and incident responders to CISOs and security architects, can do to detect, contain, and prevent them. It covers attack vectors, breach costs by industry, behavioral detection indicators, compliance notification timelines, and operational lessons from recent incidents including Change Healthcare, AT&T, and National Public Data.

What is a data breach?

A data breach is any security incident in which unauthorized parties gain access to confidential, protected, or sensitive information. This includes personal data such as names and Social Security numbers, financial data including credit card and bank account details, and business-critical information like trade secrets and intellectual property. Unlike accidental exposure, a breach involves confirmed unauthorized access, typically by threat actors seeking to steal, sell, or leverage compromised data for financial gain, espionage, or extortion.

Not every security event qualifies. The distinction between breach, leak, and incident determines which regulatory clock starts ticking, and whether a 72-hour notification window applies.

A data breach involves confirmed unauthorized access to sensitive data by malicious actors. Threat actors deliberately penetrated systems, accessed or exfiltrated data, and caused confirmed exposure.

A data leak describes unintentional exposure without malicious actor involvement, a misconfigured cloud storage bucket exposing customer records is a leak; no adversary necessarily discovered or exploited it.

A security incident encompasses any event that potentially compromises information security, including failed attack attempts, policy violations, and anomalous activity. Not every incident constitutes a breach, but every breach begins as an incident.

Under GDPR, only confirmed breaches trigger the 72-hour notification requirement to supervisory authorities. Organizations that misclassify leaks as breaches, or the reverse, face compounding regulatory penalties and reputational damage.

How do data breaches happen?

Most intentional data breaches follow the same sequence, reconnaissance, compromise, lateral movement, staging, exfiltration, and attackers rarely skip steps. Three root causes drive the majority of incidents: innocent employee mistakes, malicious insiders with authorized access, and external attackers operating independently or as part of organized criminal groups.

Across those root causes, the progression from initial access to full impact follows five consistent phases, each representing a distinct detection opportunity and a distinct failure point if visibility is absent.

1. Reconnaissance: Threat actors identify target organizations, map employees, technologies, and potential entry points through open-source research and network scanning.
2. Initial compromise: Attackers gain their first foothold, through phishing, credential theft, vulnerability exploitation, or supply chain compromise. The Change Healthcare breach began here, with attackers obtaining Citrix credentials that lacked multi-factor authentication.
3. Lateral movement: Once inside, attackers traverse the network seeking high-value targets. Lateral movement techniques include credential harvesting, exploitation of trust relationships between systems, and pivoting across cloud and on-premises environments that share federated identity.
4. Data collection and staging: Attackers aggregate target data and prepare it for exfiltration. This phase often involves extended dwell time as threat actors methodically access sensitive repositories.‍
5. Exfiltration and impact: Data leaves the organization, often followed by ransomware deployment, extortion demands, or public disclosure. The 241-day average detection time (IBM 2025) means many organizations discover breaches only at this final phase, after data has already moved.

Common data breach attack vectors

Credential theft alone accounts for 61% of confirmed breaches, but five other vectors contribute meaningfully to the incident population, each with distinct prevalence rates and different detection requirements.

Sources: IBM Cost of a Data Breach 2025; Verizon DBIR 2025; SailPoint 2025

Third-party compromises create asymmetric risk. While representing less than 5% of initial attack vectors, supply chain breaches affected 47% of all victims in 2025 (Verizon DBIR 2025). The Snowflake platform incident illustrates the mechanism: attackers compromised customer environments through stolen credentials, affecting AT&T, Ticketmaster, Neiman Marcus, and others simultaneously. A single vendor weak point cascaded into breaches affecting hundreds of millions of individuals.

In 2025, 16% of breaches involved attackers using AI tools — LLM-generated phishing that defeats language-based filters, polymorphic malware that rewrites itself to evade signatures, and automated reconnaissance at scales that previously required nation-state infrastructure (IBM 2025). That number was effectively zero three years ago.

The cost of a data breach

The USD 4.44 million global average breach cost understates the financial exposure for most enterprise organizations. US organizations pay more than twice the global average. Costs arise from four categories: lost business, detection and escalation, post-breach response, and regulatory notification, and they compound through legal settlements that arrive months or years after the incident. Healthcare has held the highest average breach cost of any industry for 14 consecutive years, with industrial and energy sectors both trending upward in 2025.

Source: IBM Cost of a Data Breach 2025

Detection timing determines cost magnitude more than almost any other single factor. Organizations using AI-powered security detect breaches 80 days faster and spend USD 1.9 million less on average (IBM 2025). Organizations with formal incident response plans save USD 1.2 million per breach. Those operating zero-trust architectures save USD 1.04 million. Breaches that remain undetected for more than 200 days cost significantly more than those contained within 100 days, making detection speed a direct financial variable, not an abstract security metric.

How to detect an active data breach

61% of breaches involve compromised credentials, attackers authenticating as legitimate users, performing actions that appear authorized, on systems that flag nothing unusual. Detection that waits for known-bad signatures misses these attacks entirely. EDR sees the endpoint. SIEM sees the log. Neither sees the attacker moving east-west between workloads.

Across those environments, seven behavioral anomalies reliably signal an active breach in progress, each representing a point where attacker movement diverges from legitimate patterns and becomes observable before data leaves the environment.

1. Unusual authentication patterns — Legitimate credentials accessing systems at atypical hours, from unfamiliar locations, or at volumes inconsistent with the account's established role. When attackers use stolen credentials to move as authorized users, identifying when a legitimate account has been taken over depends on behavioral analysis, not signature matching.
2. Lateral movement signals — Internal scanning, unexpected connections between systems that do not normally communicate, or service accounts accessing resources outside their operational scope.
3. Privilege escalation activity — Accounts gaining elevated permissions outside change-control windows, or without corresponding administrative requests on record. Detecting how attackers escalate access across hybrid environments requires continuous monitoring of identity behavior, not periodic audits.
4. Anomalous data access — Mass access to sensitive directories, unusual file enumeration, or data aggregation patterns that precede staging and exfiltration.
5. Command-and-control communication — Encrypted outbound traffic to unfamiliar external endpoints, DNS tunneling, or beaconing patterns with regular intervals that suggest automated check-in behavior.
6. Exfiltration staging indicators — Large compressed archives created in temporary directories, or data moving toward cloud storage or removable media in unusual volumes.
7. Defense evasion behavior — Attempts to disable logging, clear event logs, uninstall security tools, or modify audit policies.

 Endpoint detection and response monitors managed endpoints but cannot observe east-west movement across the network or detect threats on unmanaged devices, IoT systems, and cloud workloads where agents cannot be deployed. SIEMs reconstruct incidents from logs after activity has occurred, requiring time, manual correlation, and assumptions about what matters. Network detection and response fills the visibility gap by analyzing traffic patterns across the entire environment in real time, including encrypted traffic, lateral movement between systems, and identity behavior that never touches an agent-equipped endpoint.

The 241-day average breach detection window reflects how long defenders operate with incomplete visibility before activity becomes observable through existing tools. Behavioral detection closes that window by identifying attacker progression while it is still happening, not after data has left.

How to prevent and respond to a data breach

Breach prevention reduces the probability of initial compromise and limits attacker movement after access is obtained. Incident response limits the damage once a breach is confirmed. Both are required — prevention without response planning assumes perfect defenses; response planning without prevention accepts unnecessary exposure.

The controls with the most consistent evidence base address credential abuse, third-party exposure, and the human factors that enable initial compromise — each with documented cost impact from IBM 2025 research.

•  Implement multi-factor authentication for all access points, particularly remote access and privileged accounts. The Change Healthcare breach demonstrates how a single MFA gap enables catastrophic, systemic compromise. Understanding how attackers bypass authentication controls — through techniques including MFA fatigue and token theft — informs where enforcement gaps carry the highest risk.
• Deploy zero-trust architecture that verifies every access request regardless of source location. Zero trust reduces breach costs by USD 1.04 million on average (IBM 2025).
• Conduct regular security awareness training addressing phishing, credential security, and social engineering. Human factors contribute to the majority of initial compromises across all vectors.
• Extend security requirements to third-party vendors with contractual obligations, security assessments, and continuous monitoring of vendor posture. Third-party breaches cost USD 4.91 million on average — the second-costliest initial access vector after zero-day exploits (IBM 2025).
• Implement AI governance policies addressing authorized AI tool usage and preventing shadow AI risks that added USD 670,000 to average breach costs in organizations experiencing AI-related breaches (IBM 2025).
• Maintain offline encrypted backups isolated from production networks. Ransomware cannot encrypt what it cannot reach.
• Conduct regular credential audits and rotation to limit the window of exposure from compromised or stale credentials.
• Maintain patch management discipline — the Marquis Software breach originated through a known SonicWall vulnerability that organizations had time to address before exploitation occurred.

An effective response follows a documented sequence — beginning with containment before any remediation occurs, and ending with post-incident review that updates both controls and detection rules.

1. Contain the breach and prevent further data loss while preserving forensic evidence for investigation.
2. Assess scope by identifying affected systems, data types, and the number of impacted individuals.
3. Notify stakeholders including legal counsel, executive leadership, affected customers, and regulatory authorities per applicable timelines.
4. Engage specialists including forensics teams and legal counsel with breach experience — and consider threat hunting services to identify additional compromise indicators that automated tools may have missed.
5. Remediate vulnerabilities that enabled the breach, addressing root causes rather than symptoms.
6. Document lessons learned and update security controls, detection rules, and response procedures before closing the incident.

Data breach notification and compliance requirements

EUR 5.6–5.9 billion in GDPR fines since 2018 were not primarily levied for failing to prevent breaches, many were issued for missed notification windows, misclassified incidents, and inadequate reporting (GDPR Enforcement Tracker 2025). The framework an organization is subject to determines which reporting clock starts the moment a breach is confirmed, and misclassifying a breach as a security incident can trigger a second, independent penalty on top of the original event.

Sources: GDPR Enforcement Tracker 2025; HHS; Foley & Lardner 2025

NIS2, enforceable since October 2024, introduces personal executive liability, a first in EU cybersecurity law, for organizations in 18 critical sectors including energy, transport, health, and finance. In the United States, California has moved to a 30-day notification requirement effective January 2026, and all 50 states plus the District of Columbia, Puerto Rico, and the Virgin Islands maintain independent notification laws. An organization operating across the US, EU, and UK often faces three simultaneous notification windows, and the shortest one sets the operational deadline.

The MITRE ATT&CK framework maps attacker techniques to specific IDs, giving detection teams a shared vocabulary for coverage gaps. Credential access and valid account abuse dominate the first half of the breach lifecycle, while collection and exfiltration techniques define the second, each tactic representing a distinct opportunity for detection before impact occurs.

Sources: MITRE ATT&CK; IBM Cost of a Data Breach 2025; Verizon DBIR 2025

Notable data breach examples

Three recent incidents illustrate the operational mechanics of modern breaches — and the detection failures that allowed each one to progress from initial compromise to full impact.

Change Healthcare breach (February 2024)

Change Healthcare fell to the ALPHV/BlackCat ransomware group in February 2024 after attackers exploited Citrix remote access credentials with no MFA protection. The attack, the largest healthcare data breach in history, affected 192.7 million individuals (HIPAA Journal), disrupted pharmacy operations nationwide for months, and forced UnitedHealth Group to pay a reported USD 22 million ransom.

Key details:

•  Initial access: Stolen Citrix credentials without MFA protection
• Attack progression: Credential-based entry followed by ransomware deployment
• Impact scope: 192.7 million patient records; nationwide pharmacy disruption
• Affected data: Patient records, insurance information, treatment histories

Lessons for security teams:

• MFA is non-negotiable for remote access systems, a single unprotected entry point created systemic risk across an interconnected healthcare ecosystem.
• Behavioral detection on identity activity would have flagged credential abuse before ransomware deployment reached production systems.

AT&T data breaches (March and July 2024)

AT&T experienced two separate breaches in 2024, resulting in a USD 177 million settlement. The March incident exposed customer data through a third-party platform compromise; the July incident involved a Snowflake-related breach affecting customer call records. Combined impact: 73 million-plus customers affected.

Key details:

• First incident (March 2024): Customer data exposed via third-party compromise
• Second incident (July 2024): Snowflake-related breach affecting customer call records
• Combined impact: 73 million-plus customers; class action settlement covering both incidents

Lessons for security teams:

• Third-party cloud platforms require security rigor equal to internal systems.
• Multiple incidents compound reputational and financial damage well beyond what either breach would have caused independently.
• Breach costs extend far beyond immediate remediation through legal settlements that arrive months after the incident closes.

National Public Data breach (April 2024)

The background check company National Public Data experienced a breach exposing 2.9 billion records including Social Security numbers, names, and addresses.

Root cause: plaintext credentials on a sister website enabled access to the primary database. The company subsequently filed for bankruptcy.

Key details:

• Root cause: Plaintext credentials on a connected property enabled access to the primary database
• Affected data: 2.9 billion records including Social Security numbers, names, and addresses
• Scale: One of the largest data exposures in history by record count
• Consequence: Bankruptcy filing following breach disclosure

Lessons for security teams:

• Credential hygiene must extend across all connected properties and domains, not only primary production systems.
• Data minimization reduces breach impact; unnecessary data collection creates unnecessary risk at scale.
• The existential financial consequence of large-scale PII exposure is not theoretical.

How Vectra AI approaches data breach detection

Vectra AI's approach to data breach detection centers on behavioral analysis across network, identity, and cloud domains, identifying attacker activity after initial access occurs, while movement is still happening, before data leaves the environment.

Attack Signal Intelligence

Vectra AI uses Attack Signal Intelligence to detect and prioritize threats based on attacker behaviors rather than known signatures. When attackers use valid credentials, as in 61% of breaches, signature-based tools see authorized access. Behavioral AI identifies that the same identity is performing reconnaissance, accessing systems outside its operational role, and staging data, even when each individual action appears legitimate in isolation. This distinction is what separates detection that catches breaches in progress from detection that discovers them through downstream impact.

Network Detection and Response (NDR)

By monitoring network traffic, cloud environments, and identity systems simultaneously, Vectra AI identifies breach indicators that traditional tools miss. NDR excels at detecting threats that bypass endpoint controls: lateral movement between unmanaged devices, encrypted command-and-control traffic, and identity abuse across on-premises and cloud environments. For the 61% of breaches driven by credential theft, where attackers appear to be legitimate users, network-level behavioral analysis provides the visibility layer that closes the gap between initial compromise and breach discovery.

Unified observability across the kill chain

Vectra AI detects attacker behavior at every stage of the five-phase breach lifecycle, from early reconnaissance through lateral movement, privilege escalation, and data staging. Security teams gain the opportunity to contain threats before exfiltration occurs rather than discovering them through downstream operational or regulatory impact.

For the 241 days most organizations remain blind to an active breach, the outcome is determined not by the attacker's sophistication but by whether defenders can observe the movement.

Conclusion

Data breaches are not random events. The patterns are consistent: compromised credentials drive initial access, lateral movement through legitimate workflows extends attacker dwell time, fragmented visibility delays detection, and third-party connections multiply impact downstream. Organizations that address these specific vectors through behavioral detection, identity security, and formal incident response planning consistently outperform those pursuing generic security improvements.

To assess your organization's current exposure, consider these diagnostic questions:

1.  Can your security team detect lateral movement and privilege escalation in real time across both managed and unmanaged devices — or only after the fact through log review?
2. Does your detection program identify credential abuse and identity anomalies, or does it rely on signatures that treat valid credentials as authorized access?
3. How long would it take your team to discover a breach initiated through a third-party platform using legitimate credentials?
4. Can you produce audit-ready evidence of your detection coverage and response actions within a 72-hour regulatory reporting window?
5. Do you have continuous visibility into how identities — human, service account, and non-human — are behaving across your network right now?

The organizations that close these gaps fastest spend less, recover faster, and face regulators with evidence, not explanations.

Sources and methodology

Statistics and breach figures on this page come from the following primary sources:

• IBM Cost of a Data Breach 2025 — global and US average breach costs, industry cost comparisons, detection time figures, and the financial impact of AI, zero trust, and incident response programs
• Verizon Data Breach Investigations Report 2025 — ransomware prevalence in system intrusions and third-party compromise rates
• SailPoint 2025 — credential involvement rates
• GDPR Enforcement Tracker 2025 — cumulative fine totals and individual sanction counts
• HIPAA Journal — Change Healthcare record count
• Foley & Lardner 2025 — US state notification law developments
• MITRE ATT&CK — technique IDs and tactic classifications

Named breach incidents are documented through publicly available reporting and organizational disclosures.