Security & Compliance

The Top 5 Common Causes of Data Breaches in 2026

Team Zluri
March 19, 2026
8 min read
Last Updated: March 2026 | 18-minute read

Data breaches cost organizations an average of $4.88 million globally in 2025 — a 10% increase over the previous year and the highest figure ever recorded (IBM Cost of a Data Breach Report, 2025). U.S. organizations absorb an even harder hit at $10.22 million per incident. Yet despite growing attacker sophistication and decades of security investment, the most common causes of data breaches remain stubbornly consistent year after year.

The uncomfortable truth: most breaches are not the result of highly sophisticated, nation-state attacks that security teams couldn't have anticipated. They result from a small, well-understood set of failure modes — phishing, weak credentials, unpatched systems, human error, and misconfigured cloud environments — that organizations know about but haven't fully addressed.

In the first half of 2025 alone, an estimated 166 million individuals were affected by data compromises in the U.S., representing 55% of the full-year 2024 figure (Identity Theft Resource Center). The trend in 2026 shows no sign of slowing.

This guide breaks down the top 5 causes of data breaches in 2026, how each works in practice, what real-world breaches they've enabled, and — critically — what prevention looks like that actually holds up.

What Is a Data Breach?

A data breach occurs when unauthorized individuals gain access to sensitive, confidential, or protected data — whether through deliberate external attack, insider action, accidental exposure, or third-party failure. The compromised information typically includes personally identifiable information (PII), financial records, protected health information (PHI), intellectual property, or authentication credentials.

Data breaches are distinct from data leaks (where data is exposed accidentally without a malicious actor) and data theft (which specifically involves exfiltration). In practice, the three often overlap. What they share is consequence: regulatory fines and legal exposure, remediation costs, customer attrition, and reputational damage that can persist for years after the incident.

Types of Data Breaches

Understanding breach types helps organizations prioritize where to invest in protection. The major types include:

  • Credential theft: attackers steal or guess login credentials via phishing, brute force, or dark web purchases
  • Ransomware and malware: malicious software encrypts or exfiltrates data
  • Insider threats: employees intentionally or unintentionally expose data
  • Cloud misconfiguration: incorrectly configured storage or permissions expose data publicly
  • Third-party and supply chain breaches: a vendor or partner's systems are compromised, providing access to downstream customers
  • Physical breaches: devices, servers, or documents are physically stolen or accessed

How Much Do Data Breaches Actually Cost?

The financial impact of a data breach extends far beyond immediate remediation. IBM's 2025 Cost of a Data Breach Report identifies four cost categories: detection and escalation, notification, post-breach response, and lost business. Lost business — including customer churn, revenue loss, and reputational damage — accounts for the largest share.

Key 2025 breach cost statistics:

  • Global average breach cost: $4.88 million (+10% YoY)
  • U.S. average breach cost: $10.22 million (highest globally for 14th consecutive year)
  • Healthcare average: $9.77 million (highest by industry)
  • Average time to identify and contain a breach: 258 days
  • Breaches taking more than 200 days to contain cost $1.0 million more than those contained faster
  • Organizations using security AI and automation saved $1.88 million per breach vs. those without

Source: IBM Cost of a Data Breach Report 2025

By initial attack vector, the average breach costs in 2025 were: Business email compromise ($5.01M), Malicious insider ($4.99M), Phishing ($4.88M), Stolen or compromised credentials ($4.81M), Social engineering ($4.63M), and Cloud misconfiguration ($4.10M).

Top 5 Common Causes of Data Breaches in 2026

1. Phishing and Social Engineering

Phishing is the single most common entry point for data breaches globally. At its core, it exploits the most reliable vulnerability in any organization's security stack: people. Attackers send deceptive communications — via email, SMS (smishing), voice calls (vishing), or even collaboration tools like Slack and Teams — impersonating trusted entities to extract credentials, deploy malware, or initiate fraudulent transfers.

Social engineering is the broader category. Where phishing casts a wide net, social engineering is often more targeted and surgical — manipulating human psychology, authority bias, urgency, and trust to bypass technical controls that no firewall could stop.

How It Has Evolved in 2026

AI has fundamentally changed the phishing threat landscape. Phishing emails that once gave themselves away through poor grammar and generic formatting are now indistinguishable from legitimate communications. Generative AI lets attackers produce highly personalized messages at scale, built from details scraped from LinkedIn profiles, public filings, and social media, which makes spear-phishing terrifyingly convincing.

  • AI-generated spear phishing: Personalized attacks targeting specific individuals with contextually accurate content (naming their manager, referencing recent company announcements, mimicking internal communication styles)
  • Deepfake vishing: Voice phishing (vishing) attacks surged 442% between the first and second half of 2024 (CrowdStrike), with attackers cloning executive voices to authorize fraudulent wire transfers or credential resets
  • Business Email Compromise (BEC): BEC attacks caused an estimated $2.9 billion in losses in 2023 (FBI IC3), and the attack surface has only grown
  • Adversary-in-the-Middle (AiTM) phishing: Attacks that intercept real-time authentication sessions to bypass MFA — a technique that has undermined organizations that thought MFA alone was sufficient

Phishing was the initial attack vector in 16% of all 2025 data breaches, with an average incident cost of $4.88 million (IBM).

Real-world examples:

  • Magellan Health (2020): A sophisticated phishing attack tricked employees into sharing login credentials, exposing sensitive patient data across the organization.
  • MGM Resorts (2023): Attackers used a 10-minute LinkedIn search and a single phone call to social engineer MGM's IT help desk into resetting credentials — causing an estimated $100 million in damages.
  • Scattered Spider (2023–2024): This group orchestrated phishing and vishing campaigns against dozens of major enterprises, leveraging social engineering alone to gain initial access.

Prevention measures:

  • Deploy AI-based email security that detects behavioral anomalies, not just known signatures
  • Run regular, realistic simulated phishing campaigns — use results to inform targeted training, not just metrics
  • Enforce phishing-resistant MFA (FIDO2/hardware keys) rather than SMS-based codes, which AiTM attacks can bypass
  • Establish a strict out-of-band verification protocol for any unusual access requests or financial instructions
  • Train employees to recognize authority bias manipulation — especially urgent requests from "the CEO" or "IT"
  • Enable DMARC, DKIM, and SPF on all email domains to reduce spoofing

2. Weak, Stolen, or Reused Credentials

Credential abuse was the initial access vector in 22% of non-error, non-misuse breaches in 2025 (Verizon DBIR). The reason is simple: attackers don't need to break in when they can simply log in. Weak passwords, credential reuse across personal and work accounts, unchanged default credentials, and accounts left active after an employee's departure all create trivially exploitable attack surfaces.

The scale of credential exposure on the dark web is staggering. The RockYou2024 leak in 2024 exposed nearly 10 billion unique passwords — the largest credential dump ever recorded. Credential stuffing tools can automatically test these against corporate login portals, SaaS applications, and VPNs at machine speed.

Primary credential attack methods:

  • Credential stuffing: Automated testing of username/password pairs from previous breaches against new targets. Highly effective because most people reuse passwords.
  • Password spraying: Trying a small number of common passwords (like "Spring2024!") across many accounts to avoid lockout thresholds.
  • Brute force: Systematically trying all possible combinations, typically against accounts with no lockout policy.
  • Privilege escalation: Using a low-privilege compromised account as a beachhead to move laterally and escalate access — especially effective when least privilege is not enforced.
  • Orphaned account exploitation: Former employees whose accounts were never deprovisioned remain active and may be compromised without anyone noticing — a direct consequence of poor employee offboarding security practices.
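The difference between password spraying and brute force described above is visible in authentication logs, and it is the shape a detection rule should key on. The following is an added example (not code from this article or from Zluri) that classifies constructed login events; the log format, IP addresses, usernames and thresholds are all assumptions.

```python
"""Classify failed-login bursts as password spraying or brute force.

Added example for the credential-attack methods listed above, not code from
the original article or from Zluri. Log format is constructed: ISO timestamp,
username, source IP, FAIL/OK, one event per line.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample (RFC 5737 documentation addresses):
#  - 203.0.113.10 tries one password against ten accounts, one attempt each,
#    staying under a five-attempt lockout; the tenth attempt succeeds
#  - 198.51.100.7 is a user who mistypes once and then logs in
#  - 192.0.2.99 hammers a single account twelve times
SAMPLE_LOG = "\n".join(
    [f"2026-03-18T02:00:{2 * i + 1:02d}Z {u} 203.0.113.10 FAIL"
     for i, u in enumerate("alice bob carol dave erin frank grace heidi ivan".split())]
    + ["2026-03-18T02:00:19Z judy 203.0.113.10 OK",
       "2026-03-18T09:14:22Z alice 198.51.100.7 FAIL",
       "2026-03-18T09:14:40Z alice 198.51.100.7 OK"]
    + [f"2026-03-18T11:30:{i:02d}Z bob 192.0.2.99 FAIL" for i in range(12)]
)

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: str
    ok: bool

def parse_log(text):
    """Parse the constructed line format into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, result = line.split()
            events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                user, src, result == "OK"))
    return sorted(events, key=lambda e: e.ts)

def bursts_by_source(events, gap=timedelta(minutes=10)):
    """Yield (source IP, events) for each run of activity separated by `gap`.
    Low-and-slow sprays spread attempts over hours; raise `gap` to catch them."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e.src].append(e)
    for src, evs in per_src.items():
        burst = [evs[0]]
        for e in evs[1:]:
            if e.ts - burst[-1].ts > gap:
                yield src, burst
                burst = []
            burst.append(e)
        yield src, burst

def classify(events, lockout=5, spray_accounts=8):
    """Return one finding dict per suspicious burst.
    brute_force:    one account failed more than `lockout` times from a source.
    password_spray: >= `spray_accounts` distinct accounts failed, none more than
                    `lockout` times: the shape that stays below per-account lockout.
    Accounts that logged in OK from the same source in the burst are listed too;
    those are the likely compromises to reset first."""
    findings = []
    for src, burst in bursts_by_source(events):
        fails = defaultdict(int)
        for e in burst:
            if not e.ok:
                fails[e.user] += 1
        if not fails:
            continue
        worst = max(fails.values())
        if worst > lockout:
            kind = "brute_force"
        elif len(fails) >= spray_accounts:
            kind = "password_spray"
        else:
            continue  # a few failures on a few accounts: ordinary mistypes
        findings.append({"kind": kind, "src": src, "start": burst[0].ts.isoformat(),
                         "accounts_failed": len(fails), "max_failures_per_account": worst,
                         "logged_in": sorted({e.user for e in burst if e.ok})})
    return findings

def findings_by_source(log_text):
    """Convenience: run the pipeline and index findings by source IP."""
    return {f["src"]: f for f in classify(parse_log(log_text))}
```

Running `findings_by_source(SAMPLE_LOG)` flags the spray (nine failed accounts, one success on `judy`) and the brute force against `bob`, while the single mistype is left alone.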

Real-world example — Change Healthcare (2024): A compromised remote access portal with no MFA enabled allowed attackers to access UnitedHealth Group's Change Healthcare subsidiary — triggering the largest healthcare data breach in U.S. history, affecting 190 million individuals. There was no zero-day exploit — just a valid username and password.

Approximately 87% of organizations have sensitive data accessible to every employee (Varonis). Organizations that conduct regular access reviews and periodic user access reviews dramatically reduce this blast radius.

Prevention measures:

  • Enforce organization-wide MFA — and prioritize phishing-resistant MFA (hardware keys or passkeys) for privileged accounts
  • Mandate a password manager and prohibit password reuse across systems
  • Change all default credentials immediately on any new system, device, or application
  • Apply least-privilege access controls so that every compromised account has a minimized blast radius
  • Automate deprovisioning — ensure accounts are revoked at the moment of employee departure, not weeks later
  • Monitor credential exposure via dark web monitoring services that alert when your domain's credentials appear in known breaches
  • Implement Identity and Access Management (IAM) best practices including role-based access controls and privileged access management

3. Unpatched Software and System Vulnerabilities

Every unpatched vulnerability is an open door with a posted address. Threat actors actively scan the internet for known CVEs within hours of public disclosure. The window between a vulnerability being published and it being actively exploited in the wild has shrunk dramatically: median exploit time has dropped to under 5 days for critical vulnerabilities.

System intrusion accounted for 53% of data breaches in 2025, up sharply from 36% in 2024 (Verizon DBIR). This is the single largest category shift in recent breach data, reflecting the commoditization of exploit toolkits that make vulnerability exploitation accessible to less sophisticated attackers.

The patch gap problem:

  • Quarterly patch cycles: Patching on a quarterly schedule was defensible in 2015. Critical vulnerabilities are now exploited within days. Organizations that don't patch outside of scheduled windows are routinely breached in the gap.
  • Legacy systems: Organizations running unsupported software face vulnerabilities for which no patch will ever be issued. Microsoft Office applications were the most commonly exploited software globally from 2021–2023 at 61% (Statista), largely due to legacy deployments.
  • Shadow IT and unmanaged assets: You cannot patch what you don't know you have. Shadow IT discovery is a prerequisite for effective patch management.
  • Vulnerability prioritization paralysis: Organizations with thousands of open CVEs often struggle to prioritize — leading to critical vulnerabilities going unaddressed while teams work through low-severity findings.

Real-world examples:

  • MOVEit Transfer (2023): A zero-day vulnerability in Progress Software's MOVEit file transfer tool was exploited by the Cl0p ransomware group to breach over 2,000 organizations globally — one of the largest supply-chain vulnerability exploits in history.
  • Log4Shell (2021): A critical vulnerability in Apache Log4j was exploited by hundreds of threat actor groups within days of disclosure. Organizations without complete software inventories took months to patch — and many were breached.

Prevention measures:

  • Shift from scheduled patch cycles to risk-based, continuous patching — critical CVEs should be addressed within 24–72 hours of disclosure
  • Maintain a complete, accurate asset inventory — including cloud-hosted assets, employee devices, and SaaS applications
  • Run continuous vulnerability scanning (not annual assessments) across all assets with automated severity scoring
  • Prioritize internet-facing systems and privileged infrastructure for patching first
  • Create a formal end-of-life (EOL) tracking process with defined migration timelines for unsupported products
  • Implement virtual patching (WAF rules, network segmentation) for vulnerabilities in legacy systems where a proper patch cannot be applied immediately
  • Subscribe to threat intelligence feeds that alert your team when CVEs affecting your specific tech stack are actively being exploited

4. Insider Threats and Human Error

Not all data breaches come from outside the perimeter. The human element — through intentional malice, accidental mistakes, or compromised accounts — appeared in 60% of all 2025 breaches (Verizon DBIR). Malicious insider attacks resulted in average breach costs of $4.99 million in 2025, and even unintentional insider error averaged $3.62 million per incident (IBM).

What makes insider threats particularly dangerous is that they bypass many perimeter controls. An employee with legitimate access doesn't trigger firewall alerts, doesn't need to exploit a vulnerability, and can move data through approved channels — making detection far harder and incident timelines far longer.

The three categories of insider threat:

  • Malicious Insider: Employee intentionally exfiltrates data, sabotages systems, or acts as a plant for an external threat actor. Common indicators: unusual after-hours access, large data downloads near resignation, accessing systems outside normal scope.
  • Negligent Insider: Employee makes an honest mistake — sending data to the wrong recipient, misconfiguring a system, falling for a phishing email, or violating data handling policies.
  • Compromised Insider: Employee's account is taken over by an external attacker, who then uses legitimate credentials to access systems undetected. Common indicators: anomalous login times or locations, unusual access patterns.

Misdelivery — sending sensitive information to the wrong recipient — accounts for 49% of human-caused breaches (Verizon). This can be as simple as email autocomplete selecting the wrong address or a misconfigured sharing link in Google Drive.

Real-world examples:

  • Tesla (2023): Two former Tesla employees leaked the personal data of over 75,000 current and former employees — including names, addresses, and Social Security numbers — to a German newspaper. The leak was traced to disgruntled insiders with access to HR systems.
  • Twitter/X (2022): An insider reportedly colluded with foreign intelligence operatives to access user data, highlighting how a single compromised employee with privileged access can create national-level security incidents.

For SaaS-heavy organizations, the insider threat detection challenge is compounded by the sheer number of applications in play. This is where access reviews and Identity Governance and Administration (IGA) become critical. Automated access reviews ensure that access rights are regularly validated against current role requirements — catching overprivileged accounts, orphaned access, and unauthorized permission changes before they become breach pathways.

Prevention measures:

  • Implement role-based access controls (RBAC) and enforce the principle of least privilege — users should only access what they need for their current role
  • Conduct regular, automated user access reviews — quarterly at minimum, real-time for high-privilege accounts
  • Monitor user behavior analytics (UBA) for anomalous patterns, especially around sensitive data access, large downloads, or after-hours activity
  • Automate employee onboarding and offboarding to prevent orphaned accounts — access should be revoked the moment an employee departs
  • Run ongoing security awareness training focused on realistic scenarios — not annual compliance checkboxes
  • Establish a Data Loss Prevention (DLP) policy with technical controls that detect and block sensitive data leaving authorized channels
  • Create a clear, confidential insider threat reporting mechanism for employees to report suspicious behavior
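An automated access review, as described here and in the orphaned-account discussion under cause 2, is at bottom a cross-check of every SaaS account against HR and a least-privilege baseline. The following is an added example (not code from this article or from Zluri); the HR roster, role matrix, account export and review date are constructed inputs.

```python
"""Automated user access review: orphaned, over-entitled, dormant and unknown accounts.

Added example of the access-review process the article describes (orphaned
accounts in section 2, access reviews in section 4); not code from the original
page or from Zluri. The HR roster, role entitlement matrix and SaaS account
export are constructed inputs shaped like what an IGA connector would collect.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_DATE = date(2026, 3, 19)  # constructed "today" for the review

# Constructed HR roster: the source of truth for who should exist and in what role.
HR_ROSTER = {
    "alice": {"role": "engineer", "status": "active", "end": None},
    "bob":   {"role": "finance",  "status": "active", "end": None},
    "carol": {"role": "support",  "status": "terminated", "end": date(2026, 1, 15)},
    "dave":  {"role": "engineer", "status": "active", "end": None},
}

# Constructed least-privilege baseline: role -> app -> entitlements the role may hold.
ROLE_MATRIX = {
    "engineer": {"github": {"member"}, "aws": {"developer"}, "slack": {"member"}},
    "finance":  {"netsuite": {"accountant"}, "slack": {"member"}},
    "support":  {"zendesk": {"agent"}, "slack": {"member"}},
}

@dataclass(frozen=True)
class Account:
    app: str
    user: str
    entitlement: str
    last_login: Optional[date]

# Constructed account export from the SaaS apps.
ACCOUNTS = [
    Account("github",   "alice",      "member",     date(2026, 3, 17)),
    Account("aws",      "alice",      "admin",      date(2026, 3, 16)),  # privilege creep
    Account("netsuite", "bob",        "accountant", date(2026, 3, 18)),
    Account("slack",    "bob",        "member",     date(2026, 3, 18)),
    Account("zendesk",  "carol",      "agent",      date(2026, 2, 2)),   # orphaned, used after exit
    Account("slack",    "carol",      "member",     date(2026, 1, 10)),  # orphaned
    Account("github",   "dave",       "member",     date(2025, 10, 1)),  # dormant
    Account("aws",      "svc-backup", "developer",  None),               # no HR identity
]

def review(accounts, roster, matrix, today, dormant_after=timedelta(days=90)):
    """Cross-check every account against HR and the role matrix.

    Returns {category: [(account, reason), ...]} with categories orphaned,
    over_entitled, dormant and unknown. Orphaned accounts with a login after
    the termination date are the most urgent: that is the compromised-insider
    pattern the article describes.
    """
    findings = {"orphaned": [], "over_entitled": [], "dormant": [], "unknown": []}
    for acct in accounts:
        person = roster.get(acct.user)
        if person is None:
            findings["unknown"].append((acct, "no HR record; confirm it is an approved service account"))
            continue
        if person["status"] != "active":
            reason = "still enabled after termination"
            if acct.last_login and acct.last_login > person["end"]:
                reason += "; USED AFTER EXIT DATE"
            findings["orphaned"].append((acct, reason))
            continue
        allowed = matrix.get(person["role"], {}).get(acct.app, set())
        if acct.entitlement not in allowed:
            findings["over_entitled"].append(
                (acct, f"'{acct.entitlement}' not in baseline {sorted(allowed)} for role {person['role']}"))
        if acct.last_login is None or today - acct.last_login > dormant_after:
            findings["dormant"].append((acct, f"no login in the last {dormant_after.days} days"))
    return findings

def flagged_users(findings):
    """Summarise as {category: sorted 'app:user' keys}, ready for tickets."""
    return {cat: sorted({f"{a.app}:{a.user}" for a, _ in items}) for cat, items in findings.items()}
```

For the constructed data, `flagged_users(review(ACCOUNTS, HR_ROSTER, ROLE_MATRIX, REVIEW_DATE))` surfaces carol's two orphaned accounts (one used after her exit), alice's admin role in AWS, dave's dormant GitHub seat and the unexplained service account.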

5. Misconfigured Cloud Storage and Third-Party Vendor Risks

As organizations have migrated infrastructure to cloud environments and expanded their SaaS stacks, they've created an attack surface that many security teams are still struggling to defend. Misconfigurations — improperly set permissions, publicly exposed storage buckets, default credentials on cloud services, and excessive access grants to third parties — are now one of the most common and most avoidable causes of data breaches.

Over 83% of organizations experienced at least one cloud security incident in 2026 (CloudEagle). The average enterprise runs over 130 SaaS applications — many provisioned by business units without IT involvement, creating sprawling shadow IT that security teams can't see or govern.

The most dangerous cloud misconfiguration types:

  • Publicly accessible storage buckets: AWS S3, Azure Blob Storage, and Google Cloud Storage buckets configured with public read access expose their entire contents to anyone on the internet — no authentication required.
  • Excessive IAM permissions: Over-permissive cloud IAM roles and "admin by default" configurations give attackers immediate lateral movement capability if they gain any foothold.
  • Missing encryption: Data at rest and in transit without encryption exposes records in the event of any unauthorized access.
  • Open security group rules: Cloud infrastructure with overly broad inbound firewall rules creates direct exposure to the internet.
  • Shadow IT and unauthorized SaaS: Employees spinning up SaaS tools outside of IT governance create assets the security team has no visibility into — and therefore cannot protect.
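The first three misconfiguration types above can be checked mechanically from a bucket's policy, public-access settings and encryption flag. The following is an added example (not code from this article, from Zluri or from any cloud provider's SDK) that evaluates constructed bucket records shaped like an S3 bucket policy and the S3 Block Public Access settings; the bucket names, ARNs and VPC id are placeholders.

```python
"""Flag bucket configurations that grant anonymous read access.

Added example for the misconfiguration types listed above; not code from the
original page or from Zluri. The records below mirror the shape of an AWS S3
bucket policy document and the S3 Block Public Access settings, but they are
constructed and evaluated offline, with no cloud API calls.
"""

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
READ_ACTIONS = {"s3:GetObject", "s3:Get*", "s3:*", "*"}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def statement_is_public_read(stmt):
    """True if one policy statement lets any principal read objects unconditionally."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    anyone = "*" in _as_list(principal)
    reads = any(a in READ_ACTIONS for a in _as_list(stmt.get("Action")))
    # A Condition (e.g. a source VPC or IP restriction) scopes the grant, so it is
    # not treated as world-readable here; such statements still deserve review.
    return anyone and reads and not stmt.get("Condition")

def assess_bucket(bucket):
    """Return a list of finding strings for one constructed bucket record."""
    findings = []
    pab = bucket.get("public_access_block") or {}
    statements = (bucket.get("policy") or {}).get("Statement", [])
    public = [s.get("Sid", "?") for s in statements if statement_is_public_read(s)]
    if public and pab.get("RestrictPublicBuckets"):
        findings.append(f"public-read statements {public} are neutralised only by "
                        "RestrictPublicBuckets; remove them from the policy")
    elif public:
        findings.append(f"public-read statements {public}: bucket contents are readable by anyone")
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(f"Block Public Access not fully enabled, missing {missing}")
    if not bucket.get("default_encryption"):
        findings.append("no default encryption at rest")
    return findings

# Constructed bucket records (placeholder names and ARNs).
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
ALL_BLOCKED = dict.fromkeys(PAB_KEYS, True)
BUCKETS = {
    "exposed":  {"policy": PUBLIC_POLICY, "public_access_block": None, "default_encryption": False},
    "guarded":  {"policy": PUBLIC_POLICY, "public_access_block": ALL_BLOCKED, "default_encryption": True},
    "private":  {"policy": None, "public_access_block": ALL_BLOCKED, "default_encryption": True},
    "vpc_only": {"policy": {"Statement": [{"Sid": "FromVpc", "Effect": "Allow", "Principal": "*",
                  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
                  "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-EXAMPLE"}}}]},
                 "public_access_block": ALL_BLOCKED, "default_encryption": True},
}

def assess_all(buckets=BUCKETS):
    """Run the checks over every constructed bucket; {name: [findings]}."""
    return {name: assess_bucket(b) for name, b in buckets.items()}
```

The "guarded" case is the one worth noticing in a real estate: the account-level block hides the exposure today, but the public statement is still in the policy and becomes live the moment someone relaxes the block.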

Third-party and supply chain risk

Third-party involvement was a factor in 15% of 2025 data breaches (Verizon DBIR), up from 9% in 2024. The MOVEit attack alone touched 2,000+ organizations through a single vendor's vulnerability. Vendor risk management is no longer a "nice to have" — it's a core security function.

Real-world examples:

  • Adidas (2026): A data breach traced to a third-party customer service provider exposed customer contact data across multiple markets — a supply chain failure with no direct involvement from Adidas's own systems.
  • Ledger (2020): The hardware wallet company's database was breached through a third-party payment partner, exposing the personal data of over 270,000 customers.
  • Okta (2023): A support system breach gave attackers access to session tokens allowing unauthorized access to Okta customers including MGM and Caesars. One vendor, thousands of potential downstream targets.

Effective third-party risk management requires more than an annual security questionnaire. Mitigating SaaS vendor risks requires a structured, systematic approach with ongoing monitoring and contractual security obligations.

Prevention measures:

  • Conduct continuous cloud security posture management (CSPM) — automated tools can scan for misconfigurations in real time, not just during annual audits
  • Discover and govern shadow IT: use a shadow IT discovery tool to identify unauthorized applications and bring them under security governance
  • Apply least-privilege access to all cloud IAM roles and service accounts
  • Implement strict third-party access controls: vendors should receive time-limited, scoped access — not standing administrative permissions
  • Run formal vendor risk assessments before onboarding, with contractual security requirements and periodic reassessment
  • Monitor third-party activity within your systems and maintain audit logs for all vendor access events
  • Adopt a Zero Trust security model that treats third-party access with the same scrutiny as external attacks
  • Implement a SaaS vendor management process that tracks all vendor relationships, access levels, and contractual obligations in one place

Warning Signs Your Organization Is at Risk

Most organizations don't discover a breach until significant damage has already been done. But the conditions that make breaches likely are usually visible long before an incident occurs. Watch for these organizational warning signs:

  • No MFA on remote access, VPN, or SaaS applications — risk: credential theft and phishing
  • Employees have access far beyond their current role requirements — risk: insider threat and credential abuse
  • IT has no complete inventory of all applications and cloud assets — risk: unpatched vulnerabilities and shadow IT
  • Offboarding relies on manual ticket submissions — risk: orphaned accounts and insider threat
  • No vendor access review process exists — risk: third-party and supply chain breach
  • Security awareness training runs once a year as a checkbox exercise — risk: phishing and human error
  • Cloud infrastructure has not been audited for misconfigurations in 6+ months — risk: cloud misconfiguration
  • Critical systems are running end-of-life software — risk: unpatched vulnerabilities
  • Access rights are never reviewed after initial provisioning — risk: privilege creep and insider threat

How to Build a Breach-Resistant Organization in 2026

The five causes above share a common thread: they are all preventable with the right combination of governance, automation, and visibility. Organizations that use security AI and automation to identify and contain breaches do so 80 days faster and save nearly $1.88 million compared to those with no automation (IBM).

1. Identity-first security. Since the majority of breaches involve credential abuse, phishing, or insider action — all of which are identity problems — identity governance is the most high-leverage investment available. This means enforcing least privilege, automating access reviews, and ensuring that access rights accurately reflect current role requirements at all times. Explore how Gartner's 2025 IAM report frames the future of identity governance.

2. Continuous visibility. You cannot protect what you cannot see. This applies to cloud assets, SaaS applications, third-party connections, and user access rights. Real-time visibility is no longer aspirational — it's operationally necessary.

3. Assume compromise. Design your access architecture on the assumption that credentials will eventually be compromised. Zero Trust network principles, phishing-resistant MFA, and continuous access verification ensure that a single compromised account cannot become a catastrophic breach. The Zero Trust security model provides a practical framework for this.

4. Treat third-party access as an extension of your perimeter. Vendor relationships create real security exposure. Monitor third-party activity with the same rigor you'd apply to internal users, and build a formal vendor risk program — not just a security questionnaire during onboarding.

5. Close the human gap with process automation. Many of the most costly breaches trace back not to sophisticated attacks but to process failures — accounts not deprovisioned, patches not applied, configurations not reviewed. Enterprise access management platforms automate provisioning and deprovisioning; CSPM tools automate configuration auditing.

Zluri's IGA platform helps organizations address several root causes directly — from automated access provisioning and deprovisioning, to continuous access reviews, SaaS discovery, and shadow IT elimination. Learn how Zluri can help your organization reduce breach risk.

Frequently Asked Questions

What is the most common cause of a data breach?

The most common cause of a data breach in 2025–2026 is compromised credentials — including stolen, weak, or reused passwords — which serve as the initial access vector in 22% of breaches (Verizon DBIR). Phishing is the most common delivery mechanism for credential theft, making the two causes deeply interconnected. Together, they account for the majority of breach incidents globally.

What industry has the most data breaches?

Healthcare consistently records the highest average breach cost at $9.77 million per incident (IBM, 2025). By volume of incidents, financial services, manufacturing, and professional services also rank among the most frequently targeted sectors — driven by the high value and sensitivity of the data they hold.

How long does it take to detect a data breach?

The average time to identify and contain a data breach was 258 days in 2025 (IBM). Breaches involving stolen credentials took longer — averaging 292 days — while organizations with AI-enabled detection tools significantly reduced this timeline. Faster detection is directly correlated with lower breach costs: breaches contained in under 200 days cost approximately $1 million less.

What is the difference between a data breach and a data leak?

A data breach involves an unauthorized external actor gaining access to protected data through malicious action. A data leak refers to the accidental exposure of sensitive data — such as a misconfigured cloud storage bucket or a document shared with incorrect permissions — without a malicious actor necessarily being involved. In practice, exposed data carries the same regulatory and reputational consequences regardless of how it happened.

How does insider threat differ from a regular cyberattack?

Insider threats originate from individuals who already have legitimate access to an organization's systems — current or former employees, contractors, or business partners. Unlike external attacks, insider threats can bypass perimeter security controls because the actor is already inside. Detection requires behavioral analytics and access monitoring rather than traditional intrusion detection.

How does Zluri help prevent data breaches?

Zluri's Identity Governance and Administration (IGA) platform addresses several root causes of data breaches directly. By automating access provisioning and deprovisioning, Zluri eliminates orphaned accounts that are a major source of credential exposure. Continuous access reviews ensure that employees only have access appropriate to their current role — enforcing least privilege at scale. Zluri's SaaS discovery capabilities surface shadow IT and unauthorized applications, giving IT teams visibility into the full access surface.

What should you do immediately after a data breach?

Immediate response priorities include: (1) Contain the breach by isolating affected systems and revoking compromised credentials; (2) Assess the scope — what data was accessed and what the likely attack vector was; (3) Notify relevant stakeholders including legal counsel and executive leadership; (4) Meet regulatory notification obligations (GDPR requires 72-hour notification to supervisory authorities; HIPAA has its own breach notification requirements); (5) Preserve evidence and begin forensic investigation; (6) Communicate transparently with affected individuals. Post-incident, conduct a root cause analysis and implement structural controls to prevent recurrence.

Conclusion

The top 5 common causes of data breaches in 2026 — phishing and social engineering, weak or stolen credentials, unpatched software vulnerabilities, insider threats and human error, and cloud misconfigurations and third-party risk — are well understood. What separates organizations that get breached from those that don't is rarely awareness: it's execution.

Consistent access controls, automated governance, continuous visibility, and a culture of security hygiene can close the gap between knowing the risks and actually managing them. The organizations that suffer the most damaging breaches are almost never those blindsided by novel attack methods. They're the ones that knew about their orphaned accounts, their unpatched systems, and their overprivileged users — and didn't get around to fixing them before an attacker did.

Build the systems. Run the reviews. Govern the access. The breaches that don't make headlines are the ones that were prevented by disciplined security operations — and that's exactly the kind of organization worth building.

Book a demo today and see how Zluri helps your organization stay ahead of every one of these breach vectors.
