In July 2020, Twitter disclosed that attackers had compromised 130 high-profile accounts — including those of Barack Obama, Elon Musk, and Apple — through a social engineering attack targeting employees with access to internal tools. The breach didn't involve some exotic zero-day exploit. It started with phone calls to Twitter staff. If you've ever wondered what causes a data breach, that incident is a masterclass: the answer is almost never a single cause, and it's rarely the one you expect.
I've spent years analyzing breach reports, advising organizations on incident response, and watching the same patterns repeat. The 2020 Verizon Data Breach Investigations Report found that 86% of breaches were financially motivated, and the majority involved some form of human error or social engineering. Understanding the real causes — not the Hollywood version — is the first step to actually protecting your organization.
What Causes a Data Breach? It's Rarely Just One Thing
A data breach is unauthorized access to confidential information — customer records, credentials, financial data, intellectual property. But the root causes are layered. A stolen password leads to lateral movement, which leads to data exfiltration. A misconfigured S3 bucket sits exposed for months before someone notices.
The Verizon DBIR consistently identifies a handful of recurring causes. Let's walk through each one with real examples and practical guidance you can act on this week.
1. Phishing and Social Engineering: The #1 Entry Point
According to the 2020 Verizon DBIR, phishing was present in 22% of confirmed breaches. That number climbs higher when you include broader social engineering tactics like pretexting and business email compromise (BEC).
The Twitter breach I mentioned? Pure social engineering. The FBI's 2019 IC3 Report documented $1.7 billion in losses from BEC alone. That's not a typo — billion with a B.
What This Looks Like in Practice
A threat actor sends a convincing email that appears to come from your CEO, requesting an urgent wire transfer. Or an employee clicks a link to a fake Microsoft 365 login page and hands over their credentials. The attacker now has a legitimate foothold inside your network.
Phishing simulation programs are one of the most effective defenses here. Running regular, realistic simulations trains employees to recognize these attacks before they click. If you're looking to build this capability, our phishing awareness training for organizations provides scenario-based exercises designed for exactly this purpose.
2. Credential Theft and Weak Passwords
Stolen or weak credentials are involved in over 80% of hacking-related breaches, according to Verizon's data. Credential stuffing attacks — where attackers use username/password combinations leaked from one breach to break into other accounts — are alarmingly effective because people reuse passwords constantly.
The 2019 breach of nearly 773 million email addresses in the "Collection #1" data dump gave attackers a massive library of credentials to try across every service imaginable.
Why Multi-Factor Authentication Isn't Optional
Multi-factor authentication (MFA) stops the vast majority of credential theft attacks dead. Even if an attacker has your password, they can't get in without the second factor. Yet I still encounter organizations in 2021 that haven't deployed MFA on critical systems — email, VPN, cloud admin panels.
If you do one thing after reading this post, turn on MFA everywhere. Start with email and remote access. It's the single highest-ROI security control you can implement.
3. Ransomware: From Nuisance to Existential Threat
Ransomware attacks doubled in frequency in 2020, according to the Verizon DBIR. What's changed is the playbook. Threat actors no longer just encrypt your files and demand payment. They now exfiltrate data first, then threaten to publish it if you don't pay — a tactic called double extortion.
The Garmin attack in July 2020 reportedly shut down the company's services for days. Universal Health Services, one of the largest healthcare systems in the U.S., suffered a Ryuk ransomware attack in September 2020 that impacted 400 facilities. These aren't abstract threats. They're operational catastrophes.
How Ransomware Gets In
Most ransomware infections start with one of two things: a phishing email or an exposed Remote Desktop Protocol (RDP) port. The fix is straightforward — train employees to spot phishing, lock down RDP, segment your network, and maintain tested offline backups.
4. Misconfigured Cloud Services
The rush to cloud migration has created a massive attack surface. Misconfigured AWS S3 buckets, unsecured Elasticsearch databases, and overly permissive Azure Active Directory settings have caused some of the largest data exposures in recent years.
In 2020, researchers at Comparitech found that unsecured databases are discovered by attackers within hours of being exposed to the internet. Hours — not days, not weeks.
The Shared Responsibility Blind Spot
Cloud providers like AWS and Microsoft Azure operate on a shared responsibility model. They secure the infrastructure; you secure your configuration and data. Many organizations don't fully understand this distinction. They assume the cloud provider handles everything, and that assumption leads directly to breaches.
Audit your cloud configurations quarterly at minimum. Use tools like AWS Config or Azure Security Center to flag misconfigurations before an attacker does.
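As an added example (not code from the post), a small Python checker for the S3 misconfiguration described above: it reads a bucket policy and the Block Public Access settings in the shapes boto3 returns and reports whether an anonymous-access statement is actually exposed. The sample policy and settings are constructed.

```python
"""Flag S3 bucket policies that grant anonymous access (added example, not from
the post). Input shapes match boto3's get_bucket_policy (parsed) and
get_public_access_block, but the documents below are constructed."""
import json

BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_anyone(principal) -> bool:
    """'*' and {'AWS': '*'} both mean anonymous access in a bucket policy."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy: dict) -> list:
    """Sids of unconditional Allow statements open to any principal. Statements
    with a Condition (e.g. aws:SourceVpce) are skipped: review those by hand."""
    return [st.get("Sid", "<no Sid>") for st in policy.get("Statement", [])
            if st.get("Effect") == "Allow" and not st.get("Condition")
            and principal_is_anyone(st.get("Principal"))]


def assess_bucket(policy: dict, public_access_block: dict) -> dict:
    """A public statement only exposes data if Block Public Access is not fully on."""
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    fully_blocked = all(pab.get(k) is True for k in BLOCK_KEYS)
    sids = public_statements(policy)
    return {"public_sids": sids, "block_public_access": fully_blocked,
            "exposed": bool(sids) and not fully_blocked}


# Constructed sample: the classic "anyone can read every object" statement, plus
# a wildcard-principal statement that a Condition scopes to one VPC endpoint.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
 {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
  "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
  "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}""")
NO_BLOCK = {"PublicAccessBlockConfiguration": {}}
FULL_BLOCK = {"PublicAccessBlockConfiguration": dict.fromkeys(BLOCK_KEYS, True)}

if __name__ == "__main__":
    print(assess_bucket(SAMPLE_POLICY, NO_BLOCK))    # exposed: True
    print(assess_bucket(SAMPLE_POLICY, FULL_BLOCK))  # exposed: False
```

Run it against every bucket in an account by feeding it the live policy and Block Public Access output; a bucket with a conditional wildcard statement still deserves a manual look.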
5. Insider Threats: The Risk You Can't Firewall Away
Not every breach comes from outside your organization. The 2020 Verizon DBIR found that 30% of breaches involved internal actors. Some are malicious — a disgruntled employee exfiltrating customer data before leaving. Many are accidental — someone emails a spreadsheet of Social Security numbers to the wrong recipient.
The Capital One breach in 2019, which exposed over 100 million customer records, was carried out by a former employee of the cloud hosting provider who exploited a misconfigured web application firewall. The line between insider and outsider is blurrier than you think.
Building a Culture That Reduces Insider Risk
Least-privilege access is essential. Employees should only have access to the data they need for their specific role. Combine that with activity monitoring and regular security awareness training, and you create an environment where accidental breaches decrease and malicious ones become harder to execute.
A strong foundation starts with comprehensive cybersecurity awareness training that covers data handling, access policies, and real-world scenarios your employees will actually face.
6. Unpatched Software and Known Vulnerabilities
The Equifax breach of 2017 — which exposed 147 million records and resulted in a $575 million FTC settlement — happened because of a known vulnerability in Apache Struts that had a patch available for two months before it was exploited. Two months. The patch existed. Nobody applied it.
This pattern repeats constantly. CISA's Known Exploited Vulnerabilities catalog exists specifically because organizations fail to patch what they already know is broken.
Patch Management That Actually Works
Automated patch management tools help, but they're not the whole answer. You need a process that includes:
- A complete, current inventory of all software and systems
- Risk-based prioritization — internet-facing systems and critical databases first
- A defined SLA for applying patches (e.g., critical vulnerabilities within 48 hours)
- Verification that patches were actually applied
If you can't patch quickly, compensating controls like network segmentation and web application firewalls buy you time — but they're not substitutes for patching.
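As an added example (not part of the post), the four-step patch process above as code: the inventory drives risk-based prioritisation, each finding gets an SLA deadline, and a patch counts only once it has been verified by re-scan. Only the 48-hour critical SLA comes from the post; the other tiers, the hosts and the CVE ids are assumed placeholders.

```python
"""Rank open findings by exposure and check them against a patch SLA.
Added example, not from the post. Inventory, findings and CVE ids are
constructed placeholders; only the 48-hour critical SLA comes from the post."""
from datetime import datetime, timedelta, timezone

TIERS = ["low", "medium", "high", "critical"]
SLA_HOURS = {"critical": 48, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}  # non-critical tiers assumed
STATUS_RANK = {"overdue": 0, "open": 1, "patched": 2}


def effective_severity(finding: dict, asset: dict) -> str:
    """Risk-based prioritisation: known-exploited bugs are always critical; internet-facing
    hosts and critical databases move one tier up from the scanner's severity."""
    if finding.get("known_exploited"):
        return "critical"
    bump = 1 if asset.get("internet_facing") or asset.get("critical_data") else 0
    return TIERS[min(TIERS.index(finding["severity"]) + bump, len(TIERS) - 1)]


def sla_status(finding: dict, asset: dict, now: datetime) -> dict:
    """A finding counts as patched only once re-scanned; 'deployed' alone is not verification."""
    sev = effective_severity(finding, asset)
    deadline = finding["detected"] + timedelta(hours=SLA_HOURS[sev])
    if finding.get("verified"):
        status = "patched"
    else:
        status = "overdue" if now > deadline else "open"
    return {"host": finding["host"], "cve": finding["cve"], "severity": sev,
            "status": status, "deadline": deadline}


def patch_queue(findings: list, inventory: dict, now: datetime) -> list:
    """Overdue first, then by effective severity, then by nearest deadline."""
    rows = [sla_status(f, inventory[f["host"]], now) for f in findings]
    return sorted(rows, key=lambda r: (STATUS_RANK[r["status"]],
                                       -TIERS.index(r["severity"]), r["deadline"]))


NOW = datetime(2021, 3, 10, 12, tzinfo=timezone.utc)
INVENTORY = {"web-01": {"internet_facing": True}, "db-01": {"critical_data": True},
             "wiki-01": {}}  # the "complete, current inventory" the post asks for (constructed)
FINDINGS = [  # constructed scanner output; CVE-0000-* are placeholder ids
    {"host": "web-01", "cve": "CVE-0000-0001", "severity": "high", "detected": NOW - timedelta(days=3)},
    {"host": "db-01", "cve": "CVE-0000-0002", "severity": "medium", "detected": NOW - timedelta(days=2),
     "deployed": True},  # patch pushed but not yet re-scanned: still open
    {"host": "wiki-01", "cve": "CVE-0000-0003", "severity": "critical", "detected": NOW - timedelta(hours=20)},
    {"host": "wiki-01", "cve": "CVE-0000-0004", "severity": "low", "known_exploited": True,
     "detected": NOW - timedelta(days=1), "deployed": True, "verified": True},
]
```

Calling `patch_queue(FINDINGS, INVENTORY, NOW)` puts the overdue internet-facing host first and keeps the deployed-but-unverified database finding in the open queue.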
7. Third-Party and Supply Chain Compromise
The SolarWinds attack, disclosed in December 2020, was a wake-up call for every organization on the planet. Threat actors compromised SolarWinds' Orion software update mechanism and pushed malicious code to approximately 18,000 organizations, including multiple U.S. government agencies.
This wasn't a case of poor security hygiene at the victim organizations. They did what they were supposed to do — they applied software updates from a trusted vendor. The vendor itself was compromised.
What You Can Do About Supply Chain Risk
You can't eliminate supply chain risk entirely. But you can reduce exposure:
- Adopt a zero trust architecture — verify every connection, even from "trusted" internal software
- Monitor network traffic for unusual outbound connections
- Require vendors to demonstrate security practices (SOC 2 reports, penetration testing results)
- Limit the network access and privileges granted to third-party software
The zero trust model assumes breach. It assumes that any component — internal or external — could be compromised at any time. In a post-SolarWinds world, that's not paranoia. It's realism.
What's the Single Biggest Cause of Data Breaches?
If I had to name one root cause, it's the human element. The 2020 Verizon DBIR found that the human element was involved in the vast majority of breaches — whether through phishing, credential reuse, misconfigurations, or simple mistakes. Technology fails because people fail to configure it, update it, or use it correctly.
That's not a criticism. It's an observation that drives strategy. You can deploy the best firewall on the market, but if an employee hands their credentials to a threat actor through a phishing email, none of it matters.
Building a Defense That Matches the Actual Threat
Here's what I recommend to every organization I work with, regardless of size:
- Deploy MFA on everything. Email, VPN, cloud admin consoles, financial systems. No exceptions.
- Run phishing simulations monthly. Not as punishment — as practice. Our phishing awareness training program makes this straightforward to implement.
- Patch critical vulnerabilities within 48 hours. Build the process to make this possible.
- Audit cloud configurations quarterly. Use automated tools to catch what humans miss.
- Train every employee, not just IT. The finance team processing wire transfers is a higher-value target than your sysadmin. Broad-based security awareness training closes the gaps that technical controls can't.
- Adopt zero trust principles. Verify identity and authorization for every access request, every time.
- Have a tested incident response plan. Not a document collecting dust — a plan you've rehearsed in the last 90 days.
The $3.86 Million Question
IBM's 2020 Cost of a Data Breach Report put the average cost of a breach at $3.86 million. For healthcare organizations, that number was $7.13 million. And those figures don't capture the long-tail costs — customer churn, regulatory scrutiny, and the years of rebuilding trust.
Understanding what causes a data breach isn't an academic exercise. It's the foundation of every security decision you'll make this year. The causes haven't changed dramatically — phishing, weak credentials, unpatched systems, misconfigurations, and human error continue to dominate. What's changed is the scale of consequences.
The organizations that fare best aren't the ones with the biggest security budgets. They're the ones that address the basics relentlessly — patching, MFA, training, and configuration management — and build a culture where security is everyone's responsibility.
Start with the human element. That's where most breaches begin, and it's where the most effective defenses live.