93% of Data Breaches Compromise Financial Records

Recent analysis highlights alarming fraud and cyber-attack risks stemming from leaked files, underscoring their prevalence in organizational data breaches. Financial documents were found in 93% of breaches, raising significant concerns for businesses, employees, and customers alike.

In a comprehensive investigation of over 141 million leaked files across nearly 1,300 breached datasets, data intelligence platform Lab 1 revealed that a vast majority of breaches contained sensitive financial, human resources, and customer information. This data was embedded within various formats, including emails, spreadsheets, code files, and unstructured documents like PDFs.

Leveraging AI agents to meticulously analyze each exposed file, Lab 1’s inaugural Anatomy of a Breach Report indicates that sensitive financial documents were present in almost every breach, constituting 41% of the total files examined.

The report details that bank statements, which pose risks for identity fraud, appeared in 49% of the analyzed incidents. Additionally, International Bank Account Numbers (IBANs), which can facilitate mandate scams and payment redirection, were found in 36% of breached datasets.

Moreover, customer and corporate personally identifiable information (PII) was exposed across nearly all examined breaches. Notably, human resources data, often containing employee PII such as payroll and resumes, was found in 82% of incidents. Furthermore, two-thirds (67%) of breaches involved communications and records associated with customer service interactions.

Emails emerged as the most frequently exposed type of sensitive information, being compromised in 86% of breaches, at an average rate of 54 email addresses per incident. This situation escalates the risk of phishing and impersonation, giving adversaries the ability to utilize social engineering AI models or conduct highly targeted attacks.

Of particular concern to American citizens, U.S. Social Security Numbers were identified in 51% of breaches. These numbers are commonly exploited in identity theft and benefits fraud, and are stringently governed under U.S. law.

Insights from the analysis also indicate new attack vectors for cybercriminals. Over 79% of breached datasets included system logs, vital for understanding system behavior, user activity, and configurations, which attackers can use to navigate networks and locate vulnerabilities.

Furthermore, cryptographic keys (SSH and RSA) were present in 18% of incidents, enabling attackers to bypass authentication measures and access secure systems. Indicators related to cloud and infrastructure, such as AWS S3 paths and virtual hosts, were noted in 40% of breaches, allowing for potential data extraction or the discovery of unsecured cloud storage.

Code files appeared in 87% of incidents and accounted for 17% of all exposed files, potentially undermining the integrity and trustworthiness of the software supply chain due to introduced vulnerabilities.


Lab 1’s detailed analysis reveals that the impact radius of organizations implicated in these breaches is vast, with a median of 482 distinct organizations exposed per breach. Many of these entities have indirect relations to the breached organization and remain oblivious to their exposure risk.

The extent of a breach’s impact can vary significantly across organizations and sectors, with the incident identified by Lab 1 having a staggering reach of over 1.73 million impacted organizations.

“With cybercriminals now acting like data scientists to extract critical insights that fuel their attacks, ignoring unstructured data is not an option,” stated Robin Brattel, co-founder and CEO of Lab 1. “Organizations must act swiftly to understand what information has been leaked, how it can be exploited, and who may be affected.”

This analysis not only reveals the extensive vulnerabilities that exist but also offers a window into the potential tactics and techniques employed by actors during these breaches, aligning with the MITRE ATT&CK framework’s focus on adversary behavior.