In 2023, MGM Resorts lost an estimated $100 million after a threat actor called a help desk, impersonated an employee found on LinkedIn, and talked their way into the network. No zero-day exploit. No nation-state tooling. Just a phone call. If you want to understand what causes a data breach, that incident is your starting point — because the answer is almost never what people expect.

I've spent years helping organizations dissect their security failures after the damage is done. The pattern is remarkably consistent. Breaches rarely come from some genius hacker in a hoodie. They come from predictable, preventable mistakes that compound until something breaks.

Here are the seven root causes I see over and over again.

1. Social Engineering: The #1 Cause Behind Most Data Breaches

The Verizon 2024 Data Breach Investigations Report found that the human element was involved in 68% of breaches. That stat has hovered in that range for years. Social engineering — phishing emails, pretexting phone calls, SMS-based attacks — remains the dominant initial access vector.

Here's what actually happens. An employee gets an email that looks like it's from Microsoft 365 asking them to re-authenticate. They enter their credentials. The attacker now has a valid session. From there, they move laterally, escalate privileges, and exfiltrate data. The whole chain starts with one manipulated human.

Phishing simulations are one of the most effective ways to reduce this risk. Our phishing awareness training for organizations walks teams through realistic attack scenarios so employees learn to spot the red flags before they hand over the keys.

2. Credential Theft and Weak Passwords

Stolen credentials are involved in a staggering number of breaches. Attackers buy them on dark web marketplaces, harvest them through phishing, or simply guess them through brute force and credential stuffing attacks.

The problem compounds when employees reuse passwords across personal and work accounts. One breach at an unrelated service can expose a password that unlocks your corporate VPN.

What Actually Fixes This

Multi-factor authentication (MFA) is non-negotiable in 2026. But not all MFA is equal — SMS-based codes are vulnerable to SIM swapping. Phishing-resistant MFA using FIDO2 security keys or passkeys is the standard you should be targeting. Combine that with a password manager policy, and you eliminate a massive percentage of credential theft risk.

3. Unpatched Software and Known Vulnerabilities

The 2017 Equifax breach that exposed 147 million records happened because of an Apache Struts vulnerability that had a patch available for two months before attackers exploited it. That was nearly a decade ago, and organizations are still making the same mistake.

CISA maintains a Known Exploited Vulnerabilities Catalog that tracks actively exploited flaws. If your patching cadence doesn't align with this list, you're leaving doors open that attackers are already walking through.

Patch management isn't glamorous. It's tedious, it breaks things, and it requires testing. But unpatched systems remain one of the top causes of data breaches because organizations keep deprioritizing maintenance in favor of new projects.
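One way to turn the KEV catalog into a patching priority list, as an added example that is not code from the original article: the script below cross-references open scanner findings against a constructed excerpt shaped like CISA's KEV JSON feed (field names follow the public feed; the CVE IDs, hosts and dates are placeholders) and ranks what is already past its CISA due date.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV catalog JSON feed. The field names
# match the public feed; the CVE IDs, products and dates are placeholders.
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-1111", "vendorProject": "ExampleVendor", "product": "VPN Appliance",
   "dateAdded": "2024-03-01", "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-2222", "vendorProject": "ExampleVendor", "product": "Web Framework",
   "dateAdded": "2024-05-10", "dueDate": "2024-05-31", "knownRansomwareCampaignUse": "Unknown"}
]}""")

# Constructed open findings, in the shape a vulnerability scanner might export.
OPEN_FINDINGS = [
    {"host": "vpn-01", "cve": "CVE-0000-1111"},
    {"host": "web-07", "cve": "CVE-0000-2222"},
    {"host": "web-07", "cve": "CVE-0000-3333"},   # not in KEV: lower priority
]

def kev_index(feed):
    """Map CVE ID -> KEV entry so each finding is a single dictionary lookup."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}

def kev_gap_report(feed, findings, today):
    """Return the open findings that appear in KEV, highest priority first.
    days_overdue > 0 means the CISA due date has already passed."""
    index = kev_index(feed)
    report = []
    for f in findings:
        entry = index.get(f["cve"])
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        report.append({
            "host": f["host"],
            "cve": f["cve"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "days_overdue": (today - due).days,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
        })
    # Ransomware-linked entries first, then the most overdue.
    report.sort(key=lambda r: (not r["ransomware"], -r["days_overdue"]))
    return report

def example_report():
    """Run the cross-check against the constructed data as of 2024-06-10."""
    return kev_gap_report(KEV_FEED, OPEN_FINDINGS, date(2024, 6, 10))

if __name__ == "__main__":
    for row in example_report():
        print(row)
```

Against a live feed, replace the constructed excerpt with the downloaded catalog JSON and feed in your scanner's export; the ranking logic stays the same.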

4. Misconfigured Cloud Services

Every year I see breaches caused by S3 buckets left public, databases exposed to the internet without authentication, or overly permissive IAM roles that give every developer admin access to production.

Cloud misconfigurations are dangerous because they're silent. There's no alarm when you accidentally make a storage bucket public. The data just sits there, accessible to anyone who knows where to look — and attackers are scanning for exactly these mistakes constantly.
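Because an exposed bucket raises no alarm on its own, the check has to be something you run yourself. The following is an added example, not code from the article: a simplified audit of an S3 bucket policy that flags Allow statements granting access to any principal without a Condition. The policy document is constructed, and the account ID, bucket name and VPC endpoint are placeholders.

```python
import json

# Constructed bucket policy with one public grant, one role-scoped grant and one
# wildcard grant narrowed by a Condition (placeholder account and endpoint IDs).
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0000000000000000"}}}
  ]
}""")

def is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"} (also inside a list): anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False

def find_public_statements(policy):
    """Return the Sids of Allow statements that any principal can use with
    no Condition narrowing the grant. Simplified: a Condition is treated as
    a restriction, so weak conditions still deserve a manual review."""
    public = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        public.append(st.get("Sid", "<no Sid>"))
    return public

if __name__ == "__main__":
    print("public statements:", find_public_statements(BUCKET_POLICY))
```

Run this over every bucket policy pulled from your accounts, and keep account-level S3 Block Public Access enabled so a mistake like "PublicRead" is rejected at write time rather than found later by a script.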

Zero Trust Isn't Just a Buzzword

A zero trust architecture forces you to verify every access request regardless of where it originates. No implicit trust for internal networks, no standing privileges. When implemented properly, it catches the misconfiguration problem because even if a resource is exposed, access still requires authentication and authorization at every layer.

5. Insider Threats — Malicious and Accidental

Not every breach comes from an external threat actor. Employees, contractors, and partners with legitimate access cause a significant share of incidents. Sometimes it's intentional — a disgruntled employee exfiltrating customer data before quitting. More often, it's accidental — someone emails a spreadsheet with 10,000 Social Security numbers to the wrong distribution list.

The accidental insider threat is especially hard to defend against because the person doing it has every right to access the data. What they lack is the awareness to handle it properly.

This is exactly why ongoing security awareness training matters. Our cybersecurity awareness training program covers data handling, social engineering recognition, and the everyday decisions that prevent accidental exposure.

6. Third-Party and Supply Chain Compromises

The SolarWinds attack in 2020. The MOVEit Transfer exploitation in 2023. The pattern is clear: attackers increasingly target your vendors to get to you.

When a third-party software provider or managed service provider gets compromised, the attacker inherits the trust relationship that vendor has with all its customers. One breach becomes thousands.

You can't eliminate third-party risk, but you can manage it. Require security assessments of critical vendors. Limit the access and data you share with them. Monitor for anomalous behavior from vendor accounts. And include supply chain scenarios in your incident response planning.

7. Ransomware — The Symptom That Exposes Every Other Weakness

Ransomware deserves its own category, but here's the truth: ransomware is usually the final payload, not the root cause. The actual cause is one of the six items above — a phishing email, a stolen credential, an unpatched VPN appliance.

What makes ransomware devastating is that modern threat actors practice double extortion. They steal your data first, then encrypt your systems. Even if you have backups, they threaten to publish sensitive data unless you pay. The FBI's Internet Crime Complaint Center (IC3) has tracked billions in ransomware-related losses, and the actual numbers are certainly higher since many incidents go unreported.

Ransomware resilience requires addressing all the root causes on this list simultaneously. There is no single fix.

What Causes a Data Breach? A Quick Summary

If someone asks you what causes a data breach, here's the short answer: human error, poor access controls, and inadequate security hygiene — amplified by attackers who are patient, resourceful, and opportunistic. Specifically, the seven most common root causes are:

  • Social engineering and phishing — the initial access method in most breaches
  • Credential theft and weak passwords — fueled by password reuse and lack of MFA
  • Unpatched vulnerabilities — known flaws left open for weeks or months
  • Cloud misconfigurations — exposed data from default or overly permissive settings
  • Insider threats — both malicious insiders and careless mistakes
  • Third-party compromises — supply chain attacks that bypass your perimeter
  • Ransomware — the destructive payload that exploits all the above

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost at $4.88 million. For U.S. organizations, the figure was significantly higher. Those numbers include detection, response, notification, lost business, and regulatory fines — but they don't capture the reputational damage that lingers for years.

The organizations that spend the least on breach recovery are the ones that invested before the incident. They trained their people. They enforced MFA. They patched aggressively. They practiced incident response.

Where to Start Right Now

You already know your organization has gaps. Every organization does. The question is whether you're closing them faster than attackers are finding them.

Start with your people. Technical controls matter, but they fail when an employee hands over credentials to a convincing phishing page. Build a culture where security awareness isn't an annual checkbox but an ongoing practice.

Explore our cybersecurity awareness training to give your team the foundational knowledge they need. Then layer on realistic phishing simulation exercises to test and reinforce that knowledge under pressure.

Breaches aren't inevitable. They're the predictable result of known weaknesses left unaddressed. Now you know the causes. What you do next is what matters.