Data Inventory

Data loss refers to the unauthorized, unintentional, or malicious disclosure, exposure, alteration, or destruction of sensitive organizational data caused by the actions of an insider. It encompasses incidents in which critical information—such as intellectual property, regulated personal data, or operationally sensitive content—is compromised due to insider behavior. This behavior may arise from deliberate exfiltration, negligent data handling, policy circumvention, or misuse of access privileges. Data loss can occur through manual actions (e.g., unauthorized file transfers or improper document handling) or through technical vectors (e.g., insecure APIs, misconfigured cloud services, or shadow IT systems).

A subject with access to sensitive organizational data possesses the ability to view, retrieve, or manipulate information that is internally critical to the functioning, competitiveness, or integrity of the organization. This may include proprietary intellectual property, financial forecasts, internal audit reports, legal proceedings, incident investigation records, M&A materials, or internal threat detection logic. Access to such data is typically granted to personnel in roles including but not limited to finance, legal, security, compliance, research and development, or executive support functions.

While this data may not include customer information, its sensitivity is often equal or greater—particularly when tied to strategic decision-making, regulatory posture, or institutional trust. Misuse of access to sensitive organizational data can result in reputational harm, regulatory breach, loss of competitive advantage, or compromise of security functions. Because this access is frequently held by high-trust individuals or senior personnel, abuses may be harder to detect and more consequential in impact.

Unmonitored access to such data—particularly when permissions are inherited, overly broad, or poorly reviewed—can significantly elevate a subject's risk profile. This access may also attract external interest, such as social engineering attempts or recruitment by adversarial entities, making the subject a potential vector for external compromise.

A subject with access to customer data holds the ability to view, retrieve, or manipulate personally identifiable information (PII), account details, transactional records, or support communications. This level of access is common in roles such as customer service, technical support, sales, marketing, and IT administration.

Access to customer data can become a means of insider activity when misused for purposes such as identity theft, fraud, data exfiltration, competitive intelligence, or unauthorized profiling. The sensitivity and volume of customer information available may significantly elevate the risk profile of the subject, especially when this access is unmonitored, overly broad, or lacks audit controls.

In some cases, subjects with customer data access may also be targeted by external threat actors for coercion or recruitment, given their ability to obtain regulated or high-value personal information. Organizations must consider how customer data is segmented, logged, and monitored to reduce exposure and detect misuse.

A subject misappropriates, discloses, or exploits proprietary information, trade secrets, creative works, or internally developed knowledge obtained through their role within the organization. This form of data loss typically involves the unauthorized transfer or use of intellectual assets—such as source code, engineering designs, research data, algorithms, product roadmaps, marketing strategies, or proprietary business processes—without the organization's consent.

Intellectual property theft can occur during employment or around the time of offboarding, and may involve methods such as unauthorized file transfers, use of personal storage devices, cloud synchronization, or improper sharing with third parties. The consequences can include competitive disadvantage, breach of contractual obligations, and significant legal and reputational harm.

A subject with access to payment environments or transactional data may deliberately or inadvertently leak sensitive payment card information. Payment Card Data Leakage refers to the unauthorized exposure, transmission, or exfiltration of data governed by the Payment Card Industry Data Security Standard (PCI DSS). This includes both Cardholder Data (CHD)—such as the Primary Account Number (PAN), cardholder name, expiration date, and service code—and Sensitive Authentication Data (SAD), which encompasses full track data, card verification values (e.g., CVV2, CVC2, CID), and PIN-related information.

Subjects with privileged, technical, or unsupervised access to point-of-sale systems, payment gateways, backend databases, or log repositories may mishandle or deliberately exfiltrate CHD or SAD. In some scenarios, insiders may exploit access to system-level data stores, intercept transactional payloads, or scrape logs that improperly store SAD in violation of PCI DSS mandates. This may include exporting payment data in plaintext, capturing full card data from logs, or replicating data to unmonitored environments for later retrieval.

Weak controls, such as the absence of data encryption, improper tokenization of PANs, misconfigured retention policies, or lack of field-level access restrictions, can facilitate misuse by insiders. In some cases, access may be shared or escalated informally, bypassing formal entitlement reviews or just-in-time provisioning protocols. These gaps in security can be manipulated by a subject seeking to leak or profit from payment card data.

Insiders may also use legitimate business tools—such as reporting platforms or data exports—to intentionally bypass obfuscation mechanisms or deliver raw payment data to unauthorized recipients. Additionally, compromised service accounts or insider-created backdoors can provide long-term persistence for continued exfiltration of sensitive data.

Data loss involving CHD or SAD often trigger mandatory breach disclosures, regulatory scrutiny, and severe financial penalties. They also pose reputational risks, particularly when data loss undermines consumer trust or payment processing agreements. In high-volume environments, even small-scale leaks can result in widespread exposure of customer data and fraud.

PHI Leakage refers to the unauthorized, accidental, or malicious exposure, disclosure, or loss of Protected Health Information (PHI) by a healthcare provider, health plan, healthcare clearinghouse (collectively, "covered entities"), or their business associates. Under the Health Insurance Portability and Accountability Act (HIPAA) in the United States, PHI is defined as any information that pertains to an individual’s physical or mental health, healthcare services, or payment for those services that can be used to identify the individual. This includes medical records, treatment history, diagnosis, test results, and payment details.

HIPAA imposes strict regulations on how PHI must be handled, stored, and transmitted to ensure that individuals' health information remains confidential and secure. The Privacy Rule within HIPAA outlines standards for the protection of PHI, while the Security Rule mandates safeguards for electronic PHI (ePHI), including access controls, encryption, and audit controls. Any unauthorized access, improper sharing, or accidental exposure of PHI constitutes a breach under HIPAA, which can result in significant civil and criminal penalties, depending on the severity and nature of the violation.

In addition to HIPAA, other countries have established similar protections for PHI. For example, the General Data Protection Regulation (GDPR) in the European Union protects personal health data as part of its broader data protection laws. Similarly, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use, and disclosure of personal health information by private-sector organizations. Australia also has regulations under the Privacy Act 1988 and the Health Records Act 2001, which enforce stringent rules for the handling of health-related personal data.

This infringement occurs when an insider—whether maliciously or through negligence—exposes PHI in violation of privacy laws, organizational policies, or security protocols. Such breaches can involve unauthorized access to health records, improper sharing of medical information, or accidental exposure of sensitive health data. These breaches may result in severe legal, financial, and reputational consequences for the healthcare organization, including penalties, lawsuits, and loss of trust.

Examples of Infringement:

• A healthcare worker intentionally accesses a patient's medical records without authorization for personal reasons, such as to obtain information on a celebrity or acquaintance.
• An employee negligently sends patient health data to the wrong recipient via email, exposing sensitive health information.
• An insider bypasses security controls to access and exfiltrate medical records for malicious use, such as identity theft or selling PHI on the dark web.

PII (Personally Identifiable Information) leakage refers to the unauthorized disclosure, exposure, or mishandling of information that can be used to identify an individual, such as names, addresses, phone numbers, national identification numbers, financial data, or biometric records. In the context of insider threat, PII leakage may occur through negligence, misconfiguration, policy violations, or malicious intent.

Insiders may leak PII by sending unencrypted spreadsheets via email, exporting user records from customer databases, misusing access to HR systems, or storing sensitive personal data in unsecured locations (e.g., shared drives or cloud storage without proper access controls). In some cases, PII may be leaked unintentionally through logs, collaboration platforms, or default settings that fail to mask sensitive fields.

The consequences of PII leakage can be severe—impacting individuals through identity theft or financial fraud, and exposing organizations to legal penalties, reputational harm, and regulatory sanctions under frameworks such as GDPR, CCPA, or HIPAA.

Examples of Infringement:

• An employee downloads and shares a list of customer contact details without authorization.
• PII is inadvertently exposed in error logs or email footers shared externally.
• HR data containing employee National Insurance or Social Security numbers is copied to a personal cloud storage account.

The intentional or negligent disclosure of internal data, documents, or communications to members of the press or external media outlets—resulting in the loss of confidentiality, reputational harm, or operational compromise.

Media leaks represent a unique form of data loss. Unlike data exfiltration for financial gain or competitive advantage, this form of loss often involves symbolic targeting, reputational damage, or pressure tactics. Subjects may seek to embarrass the organization, expose internal misconduct, or spark public or political consequences. Leaks may be anonymous, pseudonymous, or openly attributed.

This behavior is sometimes rationalized by the subject as whistleblowing, though it often occurs outside authorized internal reporting channels and in violation of confidentiality agreements, regulatory constraints, or national security laws.

Media leaks blur the line between insider threat and whistleblowing. While some disclosures may raise legitimate ethical concerns, organizations must distinguish between protected disclosures under law (e.g., protected whistle-blower status) and unauthorized leaks that expose sensitive, regulated, or classified information.

These events often generate external investigative pressure (from regulators, media, or lawmakers) and may undermine internal trust—requiring not just forensic containment, but narrative and reputational management.