In May 2024, Ticketmaster confirmed a breach that exposed the personal data of over 560 million customers. The attack vector? Stolen credentials used to access a third-party cloud database. It wasn't some exotic zero-day exploit. It was a login and password that fell into the wrong hands. If you're asking what causes a data breach, that incident tells you almost everything you need to know — the root causes are usually simpler, and more preventable, than people expect.
I've spent years analyzing breach reports, advising organizations on incident response, and watching the same patterns repeat. The Verizon 2024 Data Breach Investigations Report confirmed what I keep seeing in the field: the human element is involved in 68% of breaches. That number hasn't budged much in years. The technology changes. The root causes don't.
This post breaks down the seven most common causes of data breaches in 2025, with real-world examples and specific steps you can take right now. No theory. No vague advice. Just what actually gets organizations compromised.
1. Phishing and Social Engineering: Still the #1 Entry Point
Every year, I expect phishing to decline as a primary attack vector. Every year, it doesn't. The FBI's Internet Crime Complaint Center (IC3) reported that phishing was the most-reported cybercrime type in its 2023 annual report, with nearly 300,000 complaints. And those are just the ones that got reported.
Here's what actually happens: a threat actor sends a convincing email — often spoofing a vendor, a CEO, or an IT department. An employee clicks a link, enters credentials on a fake login page, and the attacker now has a valid username and password. No alarm goes off. No firewall triggers. They just walk in the front door.
Modern phishing campaigns use AI-generated text that's nearly indistinguishable from legitimate communications. Business email compromise (BEC) attacks specifically target finance teams and executives, often requesting wire transfers or sensitive records.
What You Can Do About Phishing
Awareness training is the single most cost-effective defense. But it has to be ongoing and realistic. A one-time slide deck in onboarding won't cut it. Your employees need phishing awareness training designed for organizations — the kind that includes phishing simulations and teaches people to recognize real-world lures, not obvious fakes from 2010.
Pair training with technical controls: email filtering, DMARC enforcement, and flagging external senders in your email client. But never rely on technology alone. The human layer is the one that gets targeted, so it's the one you need to harden.
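One of the technical controls above, DMARC enforcement, is easy to get half right: a record that exists but says p=none, or covers only a fraction of mail, still lets spoofed messages through. The checker below is an added example, not code from the original post. It reads a DMARC TXT record the way a receiver does (per RFC 7489: the record must begin with v=DMARC1, pct defaults to 100, sp defaults to p) and reports what actually weakens it. The records in SAMPLE_RECORDS are constructed, not real domains' DNS data, and the function names are this example's own.

```python
"""Assess whether a DMARC record really enforces a policy (added example).

Not code from the original post. Tag semantics follow RFC 7489: a record
must begin with v=DMARC1, pct defaults to 100 and sp defaults to p.
The records in SAMPLE_RECORDS are constructed, not real domains' DNS data.
"""
from __future__ import annotations

# Constructed sample records, one per common posture.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "broken": "p=reject",  # missing the mandatory leading v=DMARC1 tag
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy plus findings that weaken it."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return {"valid": False, "enforcing": False,
                "findings": ["record does not start with v=DMARC1; receivers ignore it"]}

    tags = parse_dmarc(record)
    findings: list[str] = []
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p

    if policy == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected while the apex is enforced")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received")
    if tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r":
        findings.append("relaxed alignment (default): any subdomain of the org domain aligns")

    enforcing = (policy in ("quarantine", "reject") and pct == 100
                 and subdomain_policy != "none")
    return {"valid": True, "policy": policy, "pct": pct,
            "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{name:13} enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print("    -", finding)
```

Point it at the output of a real TXT lookup for `_dmarc.yourdomain` and the "enforcing" flag tells you whether the control the post calls for is actually in place; the findings list is what to fix first.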
2. Credential Theft and Weak Passwords
Stolen credentials are involved in a staggering number of breaches. The Verizon DBIR consistently finds that credential theft — through phishing, brute-force attacks, or credential stuffing from previous breaches — is the top action variety in hacking-related incidents.
Here's the uncomfortable truth: your employees are reusing passwords. A 2024 study by SpyCloud found that 61% of data breaches involved credentials that had been previously exposed in other breaches. Once a password shows up in a dark web dump, every account using that same password is at risk.
Fixing the Password Problem
Multi-factor authentication (MFA) is non-negotiable. If you haven't deployed MFA across all externally facing systems and privileged accounts, stop reading this and go do it. It's the single control that neutralizes the vast majority of credential theft attacks.
Beyond MFA, push for passkeys or hardware security keys where possible. Enforce password managers. And monitor for your organization's credentials on dark web marketplaces — services exist that will alert you when employee credentials appear in new dumps.
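Monitoring for exposed credentials raises an obvious question: how do you check a password against a breach corpus without shipping the password to a third party? The script below is an added example, not code from the original post. It implements the k-anonymity range-query scheme the Have I Been Pwned Pwned Passwords API uses: only the first five hex characters of the SHA-1 hash leave the client, the server answers with every SUFFIX:COUNT line sharing that prefix, and the match is made locally. The `range_lookup` function is a stand-in for the HTTP call (GET https://api.pwnedpasswords.com/range/{prefix}) backed by a constructed in-memory corpus, so it runs offline; the corpus values and the `password_change_hook` policy are this example's own.

```python
"""Check passwords against a breach corpus with k-anonymity (added example).

Not code from the original post. It mirrors the range-query scheme of the
Have I Been Pwned Pwned Passwords API: the client sends only the first five
hex characters of the SHA-1 hash, receives every 'SUFFIX:COUNT' line sharing
that prefix, and matches locally. range_lookup() is a stand-in for the HTTP
call (GET https://api.pwnedpasswords.com/range/{prefix}) backed by a
constructed in-memory corpus, so the example runs offline.
"""
import hashlib

# Constructed breach corpus: password -> times seen. Sample data, not a real dump.
CONSTRUCTED_CORPUS = {
    "password123": 5_123_000,
    "Summer2024!": 812,
    "correct horse battery staple": 3,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the Pwned Passwords range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Index a corpus as 5-char hash prefix -> {35-char suffix: count}."""
    index: dict = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def range_lookup(prefix: str) -> str:
    """Stand-in for the range endpoint: return 'SUFFIX:COUNT' lines for a prefix."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    suffixes = RANGE_INDEX.get(prefix.upper(), {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(suffixes.items()))


def exposure_count(password: str, lookup=range_lookup) -> int:
    """How many times the password appears in the corpus; 0 means not found.

    Only the 5-char prefix is handed to `lookup`; the full hash and the
    password itself never leave this function.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def password_change_hook(candidate: str, min_length: int = 12) -> dict:
    """Decision a password-change endpoint could make: reject exposed or short values."""
    seen = exposure_count(candidate)
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if seen:
        reasons.append(f"seen {seen} times in breach data")
    return {"accepted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple", "a-value-not-in-the-corpus"):
        print(pw, "->", password_change_hook(pw))
```

Swapping `range_lookup` for a real HTTP client is a one-line change, and because the comparison happens client-side the service never learns which suffix you were interested in. The same prefix trick is how you can screen an entire directory's password changes without building your own copy of every dump.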
3. Unpatched Software and Known Vulnerabilities
The 2023 MOVEit Transfer vulnerability (CVE-2023-34362) led to breaches at over 2,600 organizations, including government agencies, universities, and major corporations. The Cl0p ransomware gang exploited a known SQL injection flaw. Patches were available. Many organizations simply didn't apply them fast enough.
This is what causes a data breach more often than people want to admit: known vulnerabilities sitting unpatched for weeks or months. Threat actors don't need zero-days when there's a long list of disclosed CVEs with working exploits.
Practical Patch Management
Prioritize by exploitability, not just CVSS score. CISA maintains its Known Exploited Vulnerabilities (KEV) catalog — if a vulnerability appears there, it's being actively used in attacks. Treat KEV entries as emergencies.
Automate where you can. Endpoint management tools can push OS and application patches without waiting for a manual approval chain. For critical systems where you can't auto-patch, have a documented SLA — 72 hours for critical vulnerabilities, maximum.
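"Prioritize by exploitability, not just CVSS score" is a rule that is easy to state and easy to lose in a spreadsheet of a thousand findings. The script below is an added example, not code from the original post, of what that rule looks like as a queue. CISA publishes the KEV catalog as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json with a top-level "vulnerabilities" list whose entries carry "cveID" and "dueDate"; `KEV_SNAPSHOT` is a constructed stand-in in that shape so the script runs offline. CVE-2023-34362 comes from the post, every other CVE id is a placeholder, the scanner findings and dates are invented, and the SLA tiers other than the 72-hour ceiling for critical findings are this example's own assumptions.

```python
"""Rank vulnerability findings by exploitability before CVSS (added example).

Not code from the original post. CISA publishes the KEV catalog as JSON at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
with a top-level "vulnerabilities" list whose entries carry "cveID" and
"dueDate". KEV_SNAPSHOT below is a constructed stand-in in that shape:
CVE-2023-34362 comes from the post, the other ids are placeholders, and all
dates are made up. SLA tiers other than the 72-hour ceiling for critical
findings are this example's own assumptions.
"""
from datetime import datetime, timedelta

KEV_SNAPSHOT = {
    "vulnerabilities": [
        {"cveID": "CVE-2023-34362", "product": "MOVEit Transfer", "dueDate": "2023-06-23"},
        {"cveID": "CVE-1900-0002", "product": "PLACEHOLDER-PRODUCT", "dueDate": "2025-01-15"},
    ]
}

# Constructed scanner output: CVSS scores and asset exposure are invented.
FINDINGS = [
    {"cve": "CVE-1900-0001", "cvss": 9.8, "asset": "build-server-01", "internet_facing": False},
    {"cve": "CVE-2023-34362", "cvss": 9.8, "asset": "moveit-transfer-01", "internet_facing": True},
    {"cve": "CVE-1900-0002", "cvss": 6.5, "asset": "vpn-gateway-01", "internet_facing": True},
    {"cve": "CVE-1900-0003", "cvss": 7.5, "asset": "hr-portal-01", "internet_facing": True},
    {"cve": "CVE-1900-0004", "cvss": 4.3, "asset": "print-server-02", "internet_facing": False},
]

# Assumed SLAs: KEV and critical share the 72-hour ceiling from the post;
# the high and medium windows are this example's placeholders.
SLA = {0: timedelta(hours=72), 1: timedelta(hours=72),
       2: timedelta(days=14), 3: timedelta(days=30)}
TIER_NAME = {0: "KEV (actively exploited)", 1: "critical", 2: "high", 3: "other"}
DEMO_NOW = datetime(2025, 1, 6, 9, 0)  # fixed clock so the demo is reproducible


def kev_ids(catalog: dict) -> set:
    """Collect the CVE ids present in a KEV-shaped catalog."""
    return {entry["cveID"] for entry in catalog.get("vulnerabilities", [])}


def tier_for(finding: dict, kev: set) -> int:
    """KEV first, regardless of score; then CVSS bands."""
    if finding["cve"] in kev:
        return 0
    if finding["cvss"] >= 9.0:
        return 1
    if finding["cvss"] >= 7.0:
        return 2
    return 3


def prioritize(findings: list, catalog: dict, now: datetime) -> list:
    """Order findings by tier, then internet exposure, then CVSS, with deadlines."""
    kev = kev_ids(catalog)
    queue = []
    for f in findings:
        tier = tier_for(f, kev)
        queue.append({**f, "tier": tier, "tier_name": TIER_NAME[tier],
                      "deadline": now + SLA[tier]})
    queue.sort(key=lambda q: (q["tier"], not q["internet_facing"], -q["cvss"]))
    return queue


if __name__ == "__main__":
    for item in prioritize(FINDINGS, KEV_SNAPSHOT, DEMO_NOW):
        print(f"{item['tier_name']:25} {item['cve']:15} cvss={item['cvss']:<4} "
              f"{item['asset']:20} due {item['deadline']:%Y-%m-%d %H:%M}")
```

Notice that the 6.5-scored VPN finding lands above a 9.8 on the build server: it is in KEV, so someone is already using it, and that outranks a theoretical score. Replacing `KEV_SNAPSHOT` with the downloaded feed and `FINDINGS` with your scanner's export is all it takes to run this against real data.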
4. Cloud Misconfigurations
In my experience, cloud misconfigurations cause some of the most embarrassing and preventable breaches. Publicly exposed S3 buckets, overly permissive IAM roles, and databases with no authentication — I've seen all of these in production environments at organizations that should know better.
The 2019 Capital One breach — where a misconfigured web application firewall led to the exposure of 100 million customer records — remains the textbook example. But smaller versions of this happen every week to organizations that never make the news.
Locking Down Your Cloud
Use cloud security posture management (CSPM) tools to continuously scan for misconfigurations. Enable logging on everything — AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs. You can't detect what you don't log.
Apply zero trust principles to your cloud architecture. No resource should be publicly accessible by default. Every access request should be authenticated, authorized, and encrypted. And run regular configuration audits — not annually, but monthly at minimum.
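The two recommendations above, log everything and make nothing public by default, meet in a single check: does a bucket policy grant access to anyone, and did a CloudTrail event just make it so? The script below is an added example, not code from the original post or any CSPM vendor's code. The policy documents, the account id (111122223333, the placeholder AWS uses in its own documentation) and the CloudTrail records are constructed; the records follow the shape of a real CloudTrail event (eventName, userIdentity, requestParameters) but every value is invented, and whether `bucketPolicy` arrives as an object or a JSON string is handled either way because the example does not assume one.

```python
"""Flag bucket policies that grant public access, from a policy document or
from CloudTrail PutBucketPolicy events (added example).

Not code from the original post. The policy documents, the account id
(111122223333, the placeholder AWS uses in its docs) and the CloudTrail records
are constructed; the records follow the shape of a real CloudTrail event
(eventName, userIdentity, requestParameters) but their values are invented.
A real CSPM tool pulls live policies via the AWS API; this works on JSON in hand.
"""
import json

WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"],
    }],
}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExportRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/export-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::customer-exports/*",
    }, {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy: dict) -> list:
    """Return findings for Allow statements that anyone on the internet can use.

    A Deny with Principal "*" is fine (the hardened policy relies on one); an
    Allow with a Condition still narrows access, so it is marked for review
    rather than flagged as public.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anyone(stmt.get("Principal")):
            continue
        severity = "review" if stmt.get("Condition") else "public"
        findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                         "actions": _as_list(stmt.get("Action", [])),
                         "severity": severity})
    return findings


def detect_public_policy_changes(events: list) -> list:
    """Scan CloudTrail records and alert on PutBucketPolicy calls that open a bucket."""
    alerts = []
    for event in events:
        if event.get("eventName") != "PutBucketPolicy":
            continue
        params = event.get("requestParameters") or {}
        policy = params.get("bucketPolicy") or {}
        if isinstance(policy, str):  # tolerate the policy arriving as a JSON string
            policy = json.loads(policy)
        hits = [f for f in public_statements(policy) if f["severity"] == "public"]
        if hits:
            alerts.append({"bucket": params.get("bucketName"),
                           "actor": (event.get("userIdentity") or {}).get("arn"),
                           "time": event.get("eventTime"),
                           "statements": [h["sid"] for h in hits]})
    return alerts


# Constructed CloudTrail records: one opens a bucket, one is unrelated noise.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-06T09:14:22Z", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"bucketName": "customer-exports", "bucketPolicy": WEAK_POLICY}},
    {"eventTime": "2025-01-06T09:15:01Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": None},
]

if __name__ == "__main__":
    print("weak policy:", public_statements(WEAK_POLICY))
    print("hardened policy:", public_statements(HARDENED_POLICY))
    print("alerts:", json.dumps(detect_public_policy_changes(SAMPLE_EVENTS), indent=2))
```

The hardened policy shows the shape the post is asking for: a named role as the only Allow principal, and a wildcard used only in a Deny. Feeding `detect_public_policy_changes` a stream of real CloudTrail records gives you an alert within minutes of the misconfiguration being introduced, rather than at the next monthly audit.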
5. Insider Threats: Malicious and Accidental
Not every breach comes from an external threat actor. The Verizon DBIR has consistently found that insiders account for a meaningful percentage of incidents. Some are malicious — a disgruntled employee exfiltrating customer data before leaving. But most are accidental — someone emails a spreadsheet to the wrong recipient or misconfigures a sharing permission.
The accidental insider threat is particularly dangerous because it's invisible to traditional security tools. There's no malware to detect. No anomalous login from a foreign IP. Just a well-meaning employee making a mistake.
Reducing Insider Risk
Implement the principle of least privilege aggressively. If a marketing coordinator doesn't need access to the customer database, revoke it. Review access permissions quarterly, especially after role changes.
Deploy data loss prevention (DLP) tools that flag sensitive data leaving the organization through email, cloud storage, or USB drives. And build a culture where reporting mistakes is safe. If employees fear punishment for accidental exposures, they'll hide them — and you'll find out from a journalist instead of your security team.
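The accidental insider case above, a spreadsheet of customer records mailed to the wrong address, is exactly what a DLP rule on outbound email is for. The script below is an added example, not code from the original post or any DLP product. It finds 13 to 19 digit sequences, keeps only those that pass the Luhn checksum so order numbers and ticket ids do not trigger it, and reports masked values so the alert itself does not leak the data. The messages are constructed; 4111 1111 1111 1111 is the well-known Visa test number, and the "hold if external" rule and example.com as the internal domain are this example's own assumptions.

```python
"""Outbound-mail DLP check for payment card numbers (added example).

Not code from the original post. It finds 13-19 digit sequences (digits with
optional spaces or dashes), keeps only those that pass the Luhn checksum, and
returns masked hits so the alert itself does not leak the data. The messages
below are constructed; 4111 1111 1111 1111 is the well-known Visa test number.
"""
import re

# Digit groups optionally separated by a single space or dash, 13-19 digits total.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, the display form PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text: str) -> list:
    """Return masked card numbers found in text; Luhn filters out order ids etc."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def scan_outbound(message: dict, threshold: int = 1) -> dict:
    """Decide whether an outbound message should be held for review.

    Assumed rule: hold mail to addresses outside example.com (the assumed
    internal domain) that contains at least `threshold` valid card numbers.
    """
    body = message.get("subject", "") + "\n" + message.get("body", "")
    cards = find_card_numbers(body)
    external = not message.get("to", "").lower().endswith("@example.com")
    return {"cards": cards, "hold": external and len(cards) >= threshold}


# Constructed messages: one accidental leak to an outside address, one clean.
LEAK = {
    "to": "vendor@partner-example.net",
    "subject": "refund batch",
    "body": "Customer order 1234 5678 9012 3456 paid with card 4111 1111 1111 1111, "
            "please refund. Typo'd card on file was 4111-1111-1111-1112.",
}
CLEAN = {
    "to": "finance@example.com",
    "subject": "Q1 numbers",
    "body": "Revenue was 4,120,000 and the ticket id is 2025010600123.",
}

if __name__ == "__main__":
    for name, msg in (("leak", LEAK), ("clean", CLEAN)):
        print(name, "->", scan_outbound(msg))
```

Two details matter for the "culture where reporting mistakes is safe" point: the hold result is a review queue, not a punishment, and the alert carries only the masked number, so the security team can confirm the mistake without the alert becoming a second copy of the data.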
6. Third-Party and Supply Chain Compromises
The SolarWinds attack in 2020 showed the world what supply chain compromises look like at scale. But you don't need a nation-state adversary to experience this. In 2024, a breach at Change Healthcare — a subsidiary of UnitedHealth Group — disrupted healthcare payment processing nationwide and exposed the protected health information of potentially 100 million individuals.
Your organization's security posture is only as strong as the weakest vendor in your supply chain. Every third-party integration, every SaaS platform, every managed service provider is a potential entry point.
Managing Third-Party Risk
Require security questionnaires and evidence of SOC 2 or ISO 27001 compliance from critical vendors. Include breach notification requirements and audit rights in your contracts. And segment your network so that a compromised vendor connection doesn't give an attacker lateral movement across your entire environment.
Monitor your third-party attack surface. If a vendor gets breached, you need to know immediately — not when they send a form letter six weeks later.
7. Ransomware: The Breach That Locks You Out
Ransomware isn't just an availability threat — it's a data breach. Modern ransomware groups practice double extortion: they exfiltrate your data before encrypting it, then threaten to publish it if you don't pay. Groups like LockBit, BlackCat/ALPHV, and their successors have made this standard operating procedure.
The average cost of a data breach reached $4.88 million in 2024, according to IBM's Cost of a Data Breach Report. Ransomware-related breaches tend to cost even more, especially when you factor in operational downtime and regulatory penalties.
Ransomware Defense That Actually Works
Offline, tested backups are your last line of defense. If you can restore operations without paying, you've taken away the attacker's leverage. Test your backups quarterly — I've seen organizations discover their backups were corrupted only when they needed them most.
Endpoint detection and response (EDR) tools catch ransomware that signature-based antivirus misses. Restrict administrative privileges. Disable Remote Desktop Protocol (RDP) on any system that doesn't absolutely require it. And segment your network — ransomware spreads laterally, so containment is everything.
What Causes a Data Breach? The Short Answer
If someone asks you what causes a data breach, here's the answer in one sentence: most data breaches are caused by human error, stolen credentials, or unpatched vulnerabilities — often exploited through phishing or social engineering. The technology enabling the attacks evolves, but the root causes stay remarkably consistent year after year.
The good news? These causes are preventable. Not with a single product or a one-time audit, but with consistent effort across people, processes, and technology.
Building a Security-Aware Organization
Technical controls matter. Firewalls, EDR, MFA, encryption — all essential. But if your people can't recognize a phishing email, don't understand why password reuse is dangerous, or don't know how to handle sensitive data, you're leaving your biggest attack surface undefended.
That's why security awareness training has to be part of your baseline security posture. Not a checkbox exercise. Not something you do once and forget. It needs to be continuous, engaging, and tied to real threats your organization faces.
If you're building or rebuilding your training program, start with comprehensive cybersecurity awareness training that covers the full spectrum — from social engineering to ransomware to data handling. Layer on targeted phishing awareness training with realistic simulations so your employees practice identifying threats before a real one arrives.
Your Breach Prevention Checklist for 2025
- Deploy MFA on all external-facing and privileged accounts — no exceptions.
- Run phishing simulations monthly and track improvement over time.
- Patch critical vulnerabilities within 72 hours, using CISA's KEV catalog as your priority list.
- Audit cloud configurations monthly with automated CSPM tools.
- Enforce least privilege and review access quarterly.
- Vet third-party vendors for security compliance and include breach notification clauses in contracts.
- Test backups quarterly and keep at least one copy offline.
- Train continuously — security awareness isn't a one-time event.
Every breach I've investigated had a moment where it could have been prevented. A patch that should have been applied. A phishing email that should have been reported. A misconfiguration that should have been caught in review. The organizations that avoid breaches aren't lucky — they're disciplined. They invest in their people as much as their tools, and they treat security as a daily practice, not an annual audit.
Start there. The root causes aren't mysteries. They're choices.