Data Breach: What It Is, How It Happens, and How to Avoid It
From 700 TB stolen to 10 million customers exposed: what a data breach really is and how not to become the next headline in 2026.
by Cleverson Gouvêa

A data breach happens when information that should be private — names, emails, passwords, bank details — falls into the wrong hands. In 2026, this is no longer an exception: between September 2025 and January 2026, an average of 47 breaches were reported per month worldwide, from healthcare giants to streaming platforms. This guide explains what it is, how it happens, and how to protect yourself.
TL;DR
- A data breach is any unauthorized access or exposure of confidential information — whether by attack, error, or carelessness.
- The global average cost in 2025 was US$ 4.44 million per incident (IBM report).
- In Brazil, the LGPD requires notifying the ANPD and data subjects within 72 hours.
- AI has changed the game: it accelerates defense but also fuels more convincing attacks.
- Most breaches are preventable with MFA, least privilege, and a tested response plan.
What is a data breach?
A data breach is any event in which confidential information is accessed, copied, exposed, or disclosed without authorization. It can involve customer data, employee data, or the company's own internal operations. The origin varies widely: an attack on a web application, malware, scraping of poorly protected data, or social engineering.
The central point is the breach of confidentiality. It doesn't matter if the data was stolen by a criminal or exposed by a configuration error — if someone who shouldn't have seen it had access, there was a breach. This distinction is important because many companies only call it a "breach" when an attacker is involved, ignoring that a database accidentally left open in the cloud is equally serious.
Breach, incident, and attack: the differences
These three terms are often treated as synonyms, but they are not:
- Security incident: any event that threatens the confidentiality, integrity, or availability of data. It is the broadest term.
- Attack: the offensive action of a malicious agent — ransomware, phishing, exploitation of a flaw.
- Data breach: the result where data effectively leaves the organization's control.
Not every incident becomes a breach, and not every breach starts with a sophisticated attack. Many arise from a storage bucket left public or a credential forgotten in a repository.
What types of data leak most frequently
Not all data has the same value to a criminal. The most targeted, because they allow direct fraud or blackmail, are:
- Identification data: full name, CPF, ID number, and date of birth — the basis for opening fake accounts in the victim's name.
- Access credentials: emails and passwords, especially when reused across multiple services.
- Financial data: card numbers, bank information, and transaction history.
- Health data: medical records and test results, among the most sensitive and also the most expensive on the black market.
- Corporate data: contracts, intellectual property, and strategic information.
The more sensitive the exposed set, the greater the legal and reputational impact of the breach — and the greater the interest of those who resell this information on closed forums.
How a data breach happens
Most cases are not the result of a "genius hacker." They follow repeated patterns, and knowing these entry points already reduces much of the risk. The most common causes are:
- Stolen or weak credentials — reused passwords and logins without multi-factor authentication remain the number one vector.
- Phishing and social engineering — messages that trick employees into handing over access or clicking malicious links.
- Flaws in APIs and web applications — endpoints without proper authentication. This was the case with ServiceNow in June 2026, when a vulnerable API allowed querying customer instance data.
- Incorrect cloud configuration — databases and buckets accidentally exposed publicly.
- Supply chain attacks — compromising a supplier to reach hundreds of victims at once, as in the wave of NPM packages infected by the Shai-Hulud worm.
- Insiders — employees or former employees with unauthorized access, whether intentional or not.
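The check below is an added example, not code from the original article: it audits storage-bucket policies for the accidental public exposure named in the list above. It assumes AWS S3-style policy JSON (the article names no provider); the bucket names, account ID, and policies are constructed samples.

```python
# Constructed sample policies in AWS S3 bucket-policy JSON form (assumed provider and bucket names).
SAMPLE_POLICIES = {
    "customer-exports": {"Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::customer-exports/*"}]},
    "partner-drop": {"Statement": [
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::partner-drop/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]},
    "app-logs": {"Statement": {
        "Sid": "AppRole", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
        "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-logs/*"}},
}

def _as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. any caller, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def audit_bucket_policy(policy):
    """Return one finding per Allow statement that is open to any principal."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anyone(stmt.get("Principal")):
            continue
        # A Condition (source IP, VPC endpoint) may narrow access: flag for review, not as public.
        severity = "review" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "(no Sid)"), severity, _as_list(stmt.get("Action"))))
    return findings

def audit_all(policies):
    """Map bucket name -> findings, omitting buckets with nothing to report."""
    results = {name: audit_bucket_policy(p) for name, p in policies.items()}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for bucket, findings in audit_all(SAMPLE_POLICIES).items():
        for sid, severity, actions in findings:
            print(f"{bucket}: {severity.upper()} statement {sid} allows {', '.join(actions)}")
```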
The threats that dominated 2026
Groups like ShinyHunters and the Qilin ransomware specialized in exfiltrating data and demanding ransom under threat of publication. The model shifted from just "locking the system" to "leak if you don't pay" — the so-called double extortion. Leaking developer credentials also became routine, as shown by the episode where a malicious VS Code extension exposed 3,800 repositories on GitHub.
The real cost of a data breach
According to IBM's Cost of a Data Breach 2025 report, the global average cost of a data breach was US$ 4.44 million — a 9% decrease from US$ 4.88 million in 2024, the first reduction in five years. The main reason was faster detection and containment with the support of artificial intelligence.
| Factor | Cost Impact |
|---|---|
| Global average per incident | US$ 4.44 million |
| Healthcare sector (highest) | US$ 7.42 million |
| Intensive use of AI in defense | savings of US$ 1.9 million |
| Attacks involving AI | present in 16% of cases |
But the dollar amount is only part of the bill. There are regulatory fines, loss of customer trust, lawsuits, and the invisible cost of team time — on average, it takes months to fully contain a serious incident. For a small or medium-sized business, a single breach can mean the difference between continuing operations and closing its doors.
These numbers help size up the problem, but the real impact for each company depends on how long the incident goes unnoticed. The earlier the detection, the smaller the bill — and that's precisely where continuous monitoring and automation make a practical difference in the outcome.
Data breaches in 2026: the cases that defined the year
The year accumulated large-scale episodes showing that neither size nor sector protects anyone:
- Telus: the ShinyHunters group claimed to have stolen 700 TB of data from the Canadian operator.
- Under Armour: approximately 72 million accounts exposed.
- Kyushu Electric Power: data of more than 10 million customers affected.
- Novo Nordisk: patient information from clinical trials copied externally without authorization.
- TVING: the streaming platform confirmed a breach of IDs, names, dates of birth, phone numbers, emails, and passwords.
- Match Group, Fiserv, Cushman & Wakefield, and the French national bank account registry also made the list.
Healthcare, energy, finance, and entertainment were equally targeted. The message is direct: no operation is off the radar, and the more sensitive data you hold, the more attractive the target.
What the LGPD requires when there is a breach
In Brazil, a personal data breach triggers the LGPD (General Data Protection Law) and oversight by the ANPD (National Data Protection Authority). Knowing the obligations prevents a technical problem from also becoming a legal one.
- Notification deadline: the consolidated interpretation requires notifying the ANPD and affected data subjects within 72 hours (3 business days) from knowledge of the incident. Qualified small businesses have an extended deadline of 30 days.
- Duty to communicate (Art. 48): omitting, delaying, or incompletely notifying is, in itself, an infraction — regardless of the severity of the breach.
- Content of the notification: nature of the data, data subjects involved, technical measures adopted, and risks to those affected.
- Regulatory agenda 2025–2026: the ANPD plans new rules on artificial intelligence and biometric data. The regulatory net is tightening.
Ignoring these steps is the most expensive mistake a company can make after an incident: it turns manageable damage into fines and a reputational crisis.
AI: the new weapon on both sides of the breach
Artificial intelligence has changed the dynamics of data breaches — for better and for worse.
On the defense side, the IBM report shows that organizations that intensively use AI and automation save an average of US$ 1.9 million per incident, mainly because they detect and contain the attack much faster. Detection systems that learn anomalous patterns identify suspicious access in minutes, not weeks.
On the attack side, AI has become a tool for intruders: it appeared in 16% of breaches analyzed, fueling more convincing phishing campaigns and deepfakes used in fraud. And there is an alert that every company adopting AI needs to hear: 97% of incidents involving AI occurred in organizations without adequate access controls, and 63% had no AI governance policy at all.
The lesson is uncomfortable but necessary: adopting AI without governance doesn't just accelerate productivity — it creates a new attack surface. Defining who accesses which models and which data is as important as choosing the tool. Connecting an AI assistant to internal databases without logging what it can read is, in practice, opening another door for a future data breach — only this time from inside the house.
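The gateway below is an added example (not from the original article) of the control this paragraph argues for: every read an AI assistant makes goes through a per-assistant allowlist and is logged, whether it was allowed or denied. The policy layout, assistant name, tables, and rows are hypothetical and constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical policy: the tables and columns each assistant may read (all names are constructed).
POLICY = {"support-bot": {"tickets": {"id", "subject", "status"}}}

def make_demo_db():
    """In-memory database with constructed rows, standing in for an internal system."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER, subject TEXT, status TEXT, customer_cpf TEXT)")
    db.execute("CREATE TABLE payroll (employee TEXT, salary INTEGER)")
    db.executemany("INSERT INTO tickets VALUES (?, ?, ?, ?)",
                   [(1, "Login fails", "open", "000.000.000-00"),
                    (2, "Refund request", "closed", "111.111.111-11")])
    db.execute("INSERT INTO payroll VALUES ('ana', 9000)")
    return db

def assistant_read(db, audit_log, assistant, table, columns):
    """Serve a read for an AI assistant only if policy allows it; record every attempt."""
    allowed = POLICY.get(assistant, {}).get(table, set())
    denied = sorted(set(columns) - allowed)
    ok = bool(columns) and not denied
    rows = []
    if ok:
        # Table and column names were matched against the allowlist, so they are safe to interpolate.
        rows = db.execute(f"SELECT {', '.join(columns)} FROM {table}").fetchall()
    audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "assistant": assistant,
                      "table": table, "columns": list(columns), "allowed": ok,
                      "denied_columns": denied, "rows_returned": len(rows)})
    return rows

if __name__ == "__main__":
    db, log = make_demo_db(), []
    assistant_read(db, log, "support-bot", "tickets", ["id", "status"])
    assistant_read(db, log, "support-bot", "tickets", ["id", "customer_cpf"])
    assistant_read(db, log, "support-bot", "payroll", ["employee", "salary"])
    for entry in log:
        print(entry)
```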
How to prevent a data breach in your company
There is no absolute security, but the vast majority of breaches are preventable with basic hygiene and discipline:
- Enable MFA (multi-factor authentication) everywhere. By itself, it stops most attacks based on stolen credentials.
- Apply the principle of least privilege: each person accesses only what they need for their work.
- Use encryption for data at rest and in transit.
- Update and monitor your APIs: expose as little as possible and authenticate every call.
- Train your team against phishing periodically, not once a year.
- Map your suppliers and require good security practices throughout the chain.
- Have an incident response plan tested before you need it.
It's worth noting that prevention is not a project with an end date, but a continuous process. Tools change, employees come and go, and each new integration opens a door that didn't exist before. Reviewing access every quarter, maintaining backups isolated from the main network, and actively monitoring logs cost much less than containing a data breach once it's already underway.
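One way to run the quarterly access review described above, as an added example that is not part of the original article: it flags accounts without MFA, accounts still enabled after offboarding, idle accounts, and permissions nobody used in the review window. The inventory fields, the 90-day window, and the sample users are assumptions.

```python
from datetime import date

# Constructed sample inventory; field names are assumptions, not any product's export format.
ACCOUNTS = [
    {"user": "ana", "employed": True, "mfa": True, "last_login": date(2026, 6, 20),
     "granted": {"crm:read", "crm:write"}, "used_90d": {"crm:read", "crm:write"}},
    {"user": "bruno", "employed": True, "mfa": False, "last_login": date(2026, 6, 28),
     "granted": {"crm:read", "billing:export", "db:admin"}, "used_90d": {"crm:read"}},
    {"user": "carla", "employed": False, "mfa": True, "last_login": date(2026, 1, 15),
     "granted": {"hr:read"}, "used_90d": set()},
]

def review_account(acct, today, stale_days=90):
    """Return the list of issues for one account (empty list = nothing to fix)."""
    issues = []
    if not acct["mfa"]:
        issues.append("no MFA enrolled")
    if not acct["employed"]:
        issues.append("account still enabled after offboarding")
    idle = (today - acct["last_login"]).days
    if idle > stale_days:
        issues.append(f"no login for {idle} days")
    unused = sorted(acct["granted"] - acct["used_90d"])
    if unused:
        # Least privilege: a permission nobody exercised in the review window is a revoke candidate.
        issues.append("unused permissions: " + ", ".join(unused))
    return issues

def quarterly_review(accounts, today):
    """Map user -> issues for every account with at least one finding."""
    report = {a["user"]: review_account(a, today) for a in accounts}
    return {user: issues for user, issues in report.items() if issues}

if __name__ == "__main__":
    for user, issues in quarterly_review(ACCOUNTS, date(2026, 6, 30)).items():
        print(user, "->", "; ".join(issues))
```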
The first steps after a breach
If the worst happens, the speed and order of actions reduce the damage:
- Contain: isolate affected systems and revoke compromised access immediately.
- Investigate: find out what leaked, when, and through which path.
- Notify: communicate with the ANPD and data subjects within the legal deadline.
- Communicate transparently: silence amplifies reputational damage more than the failure itself.
- Fix the root cause: address what allowed the incident so it doesn't happen again.
Conclusion: data is responsibility, not just an asset
Understanding what a data breach is comes first; treating it as a business priority is what separates resilient companies from those that become headlines. In 2026, with AI accelerating both attacks and defenses, and the LGPD demanding responses within 72 hours, protecting data is no longer the exclusive task of the IT team.
At Agathas Web, we build applications and infrastructures with security in mind from the ground up. If your operation handles sensitive data, it's worth reviewing access, APIs, and the response plan now — before an incident forces that conversation at the worst possible time.