Great analogy, but not for the point you’re trying to make.
If your house plumbing is leaking there is water going out where it shouldn’t be. You’re saying it’s a leak just because there’s a tap out near the footpath that could be turned on by someone to use your water, even if not a single drop of water has ever come out of it.
With an unsecured server the data isn’t going where it shouldn’t be unless someone takes it. Without evidence of someone taking it, nothing was leaked.
If your house plumbing is leaking there is water going out where it shouldn’t be.
Yes. Correct. Personally Identifiable Information openly exposed on the internet is information going out where it shouldn’t be.
If your house is leaking, whether there’s someone out there with a cup doesn’t change whether your house is leaking or not. It only changes whether someone took your water ie. a breach
Data leak and data breach have specific definitions:
Data Leak vs Data Breach: What Is the Difference?
While many use the terms “data leak” and “data breach” interchangeably, there is a difference between the two. A data leak often comes from within the organization either by accident or intent, while a data breach occurs when confidential or otherwise protected information is accessed, stolen, or used by outsiders without authorization.
https://www.fortinet.com/resources/cyberglossary/data-leak
This is a data leak.
We don’t know yet if it’s a data breach. We might not know until active exploitation.
Given the lack of control on this data, and that it wasn’t fixed until the researchers told them about it, do you trust IDMerit to have the scrutiny on their logging to know if it was accessed externally? I don’t.
It’s not going out unless someone requests it though. Data from a database on an unsecured server doesn’t just find its way onto the Internet or hackers computers - they need to take it.
This is why I said it’s misleading. There’s no evidence of anything being taken. It was there for the taking, but if it wasn’t taken then no one’s details were compromised.
It is misleading to say it was leaked because there’s no evidence that anyone saw it.
If no ones data was stolen, was there a leak?
It was unsecured, but it was not leaked unless someone accessed it. To try and pretend that there’s no difference is pure idiocy.
If your house plumbing is leaking, its not a leak to you unless you see it? How do you know it hasn’t been accessed?
Thankfully we don’t need to rely on your definition of a data leak: https://www.fortinet.com/resources/cyberglossary/data-leak
This is sensitive data that’s accidentally been exposed on the internet. That is a leak. You are misinformed on what a data leak is.
Great analogy, but not for the point you’re trying to make.
If your house plumbing is leaking there is water going out where it shouldn’t be. You’re saying it’s a leak just because there’s a tap out near the footpath that could be turned on by someone to use your water, even if not a single drop of water has ever come out of it.
With an unsecured server the data isn’t going where it shouldn’t be unless someone takes it. Without evidence of someone taking it, nothing was leaked.
Yes. Correct. Personally Identifiable Information openly exposed on the internet is information going out where it shouldn’t be.
If your house is leaking, whether there’s someone out there with a cup doesn’t change whether your house is leaking or not. It only changes whether someone took your water ie. a breach
Data leak and data breach have specific definitions:
https://www.microsoft.com/en-us/security/business/security-101/what-is-a-data-leak
https://www.oaic.gov.au/privacy/your-privacy-rights/data-breaches/what-is-a-data-breach
https://www.ibm.com/think/topics/data-leakage
https://www.trendmicro.com/en/what-is/data-breach/data-leak.html
This is a data leak. We don’t know yet if it’s a data breach. We might not know until active exploitation.
Given the lack of control on this data, and that it wasn’t fixed until the researchers told them about it, do you trust IDMerit to have the scrutiny on their logging to know if it was accessed externally? I don’t.
It’s not going out unless someone requests it though. Data from a database on an unsecured server doesn’t just find its way onto the Internet or hackers computers - they need to take it.
This is why I said it’s misleading. There’s no evidence of anything being taken. It was there for the taking, but if it wasn’t taken then no one’s details were compromised.