What does a data compromise look like?
A data compromise often shows up as strange user activity. Here's how to define a data breach and how, with the right tools, IT teams can spot and stop breaches early.
Updated December 19, 2024
When you hear about a breach, it rarely starts with missing records. You usually learn about it through an outside source — like unhappy customers who notice stolen credit card data used right after they purchase from you. The incident response team knows something went wrong, but it's rarely obvious exactly when, where, or how the breach happened. There's no giant hole in a server that says, "Here's where we broke in."
To identify a data compromise, you have to first define it. Then, learn how to recognize it.
A data compromise happens when someone gets access to, changes, or destroys data without permission. Attackers can be external actors who break into systems or insiders who misuse their access. Any time anyone exposes or tampers with data in a way that harms its confidentiality, integrity, or availability, you have a compromise. A data compromise can lead to stolen identities, financial losses, legal and regulatory penalties, and serious harm to your organization's reputation.
Recognizing a compromise isn't simple. Detecting one demands detective work. You need to look at almost everything that happened on your network. Usually, you start with the stolen or leaked data and work backwards to find the source of the breach.
Compromises usually show up as unusual user activity in 6 different forms:
Admittance: External threat actors must find a way into the network. Phishing attacks and malware remain popular tactics to get inside.
Access: Threat actors need access before they can do any damage. They need to move around your network, systems, and data. They often compromise or misuse credentials to log on and access systems, apps, and databases. To reduce this threat, the goal is to make stolen credentials less useful. Many do this by implementing MFA, or by combining MFA with passwordless authentication (using Windows Hello for Business, for example). Regardless, monitoring access to your network is a good starting point to detect a compromise.
Applications: External attackers don't normally use the same apps your users do. Attackers lean on scripting tools, PowerShell, hacking programs, and administrative tools to gain control, stay hidden, and keep access.
Actions: Insider threat actors may use the same apps they always do, but their behavior changes. Insider compromise looks more like irregular access and use of the network itself (like logging on at 11 p.m. on a Saturday night), using extra app features to access lots of sensitive data, or making data transfers by printing or emailing large files to personal accounts.
Amounts: Most attacks, internal or external, aim to steal data. Watch for spikes in how much data users access, copy, transfer to USB, upload to cloud storage, etc. If it's unusual for their role or normal behavior, it may signal a compromise.
Alignment: Attackers don't want to get caught, so they try to hide their dastardly deeds under the guise of normal network and user activity. For example, they might copy files over HTTP since it's often allowed through the firewall. This mismatch between activity and protocol is a common red flag; legitimate exceptions, such as a remote web meeting running over HTTP, are few.
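As an added example (not code from the original article), here is a small detector that applies four of the patterns above, Applications, Actions, Amounts, and Alignment, to a handful of constructed activity events. The admin-tool watchlist, the working-hours window, and the per-user byte baseline are assumptions chosen for illustration; Admittance and Access need telemetry (mail, authentication) that this sample does not carry.

```python
"""Score constructed user-activity events against the unusual-activity patterns."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): user, local timestamp, kind, detail.
# detail is a host, a process image name, or "PROTOCOL:bytes" for a transfer.
EVENTS = [
    ("alice", "2024-12-14T23:05:00", "logon", "ws-17"),              # Saturday, 11 p.m.
    ("alice", "2024-12-14T23:07:00", "process", "powershell.exe"),   # scripting tool
    ("alice", "2024-12-14T23:20:00", "transfer", "HTTP:900000000"),  # ~900 MB over HTTP
    ("bob",   "2024-12-16T09:15:00", "logon", "ws-03"),              # Monday morning
    ("bob",   "2024-12-16T09:30:00", "process", "excel.exe"),
    ("bob",   "2024-12-16T10:00:00", "transfer", "SMB:20000000"),    # ~20 MB file share
]

ADMIN_TOOLS = {"powershell.exe", "psexec.exe", "cscript.exe"}  # hypothetical watchlist
BYTES_BASELINE = 50_000_000  # assumed normal daily volume per user for this sample


def is_off_hours(ts: str) -> bool:
    """Actions: a weekend logon, or one outside 07:00-19:00, is irregular here."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not 7 <= t.hour < 19


def flag_events(events):
    """Return (user, pattern, reason) findings for events matching a pattern."""
    findings = []
    bytes_by_user = defaultdict(int)
    for user, ts, kind, detail in events:
        if kind == "logon" and is_off_hours(ts):
            findings.append((user, "Actions", f"off-hours logon at {ts}"))
        elif kind == "process" and detail.lower() in ADMIN_TOOLS:
            findings.append((user, "Applications", f"admin/scripting tool {detail}"))
        elif kind == "transfer":
            proto, size = detail.split(":")
            bytes_by_user[user] += int(size)
            if proto == "HTTP":  # Alignment: bulk file copy over a web protocol
                findings.append((user, "Alignment", "file transfer over HTTP"))
    for user, total in bytes_by_user.items():  # Amounts: volume above baseline
        if total > BYTES_BASELINE:
            findings.append((user, "Amounts", f"{total} bytes moved (baseline {BYTES_BASELINE})"))
    return findings


def users_to_review(events):
    """Distinct users with at least one finding, sorted for stable triage output."""
    return sorted({user for user, _, _ in flag_events(events)})
```

Each finding carries the pattern name so an analyst can see which of the six forms triggered it; a user hitting several patterns in one session, as alice does here, is the strongest signal.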
To spot unusual behavior in your network, learn more about the key indicators of compromise.
Most of the time, IT only looks into odd user activity if:
It's part of an existing investigation, often months or years after the breach, or
They use proactive monitoring and auditing to spot compromises as they happen.
If your team falls into the first group, you face a tough job trying to audit systems, applications, and data access long after the fact. In many cases, there isn't even an access audit trail to check.
By putting proactive measures in place—like real-time activity monitoring, passwordless authentication, and auditing—you give your team the power to catch and block threats early. You also create an audit trail that helps you see exactly what happened if an attacker succeeds.