What Actually Causes Data Breaches: A 50-Case Root Cause Analysis (2020–2026)

    July 9, 2026 / Published by: Admin

    The average data breach now costs $4.44 million. In the United States, it’s $10.22 million. In ASEAN, costs jumped 14% in a single year to $3.67 million per incident. Since 2020, Indonesian organizations have accumulated 1.14 billion compromised records against an internet user population of 229 million. The average Indonesian citizen’s personal data has been exposed multiple times over.

    These numbers get cited in board decks, vendor pitches, and compliance reports. But they answer the wrong question. The question that matters is simpler: what actually causes data breaches?

    We analyzed 50 major data breaches across Indonesia and global markets from 2020 to 2026. The results challenged several assumptions we held going in.

    Summary
    • Malicious attacks are the most frequent cause of data breaches (52%), but human error exposes the most records (66.1%). The most common cause is not the most damaging.
    • Indonesia faces a different threat profile: 70% of breaches are direct malicious attacks, nearly double the global rate. Third-party supply chain compromises dominate globally (36.7%) but are absent from the Indonesian dataset.
    • The specific failures are simple. Default passwords on critical systems. Cloud databases deployed without authentication. Third-party vendor credentials left unprotected. They are maintenance failures.
    • Slow detection is expensive. Every day of undetected access costs approximately $11,400. Breaches that take longer than 200 days to contain cost significantly more than those resolved faster.

    The Dataset

    This analysis is built on a curated dataset of 50 high-profile privacy incidents and data breaches recorded between 2020 and 2026. Of the 50 cases, 20 are from Indonesia (public and private sector), while 30 represent global incidents across North America, Europe, Asia-Pacific, and South America.

    Each incident was classified by its primary root cause into one of four categories:

    • Malicious Attack: Direct, intentional actions by threat actors: targeted ransomware, advanced persistent threats, credential harvesting, database exfiltration.
    • Third-Party Vulnerability: Compromises originating outside the primary organization’s perimeter: supply chain attacks, compromised SaaS integrations, leaked credentials from external contractors.
    • Human Error: Administrative oversights, configuration mistakes, or user actions: open database directories, misconfigured cloud storage, phishing susceptibility.
    • System Glitch: Non-malicious technical failures: software bugs, unauthenticated API endpoints, unpatched vulnerabilities.

    The dataset is not IBM’s data, not Verizon’s DBIR, not any single vendor’s report. It’s a curated sample designed to compare what’s actually happening in Indonesia against global patterns.

    The Big Picture: Frequency vs. Records

    The most frequent cause of data breaches is not the most damaging. This is the finding that changes how you should think about risk.

    Root-Cause Incident Frequency (50 Cases)

    Malicious Attack          | [26 cases]  ██████████████████████████ (52.0%)
    Third-Party Vulnerability | [11 cases]  ███████████ (22.0%)
    Human Error               | [7 cases]   ███████ (14.0%)
    System Glitch             | [6 cases]   ██████ (12.0%)

    Malicious attacks account for more than half of all breaches in the dataset. Ransomware, credential theft, targeted exfiltration. These are the incidents that make headlines.

    But when you look at what was actually exposed, the picture flips.

    Total Compromised Records by Root Cause (6.78 Billion Total)

    Human Error               | [4.48 Billion] ██████████████████████████ (66.1%)
    Malicious Attack          | [1.14 Billion] ███████ (16.8%)
    Third-Party Vulnerability | [0.62 Billion] ████ (9.2%)
    System Glitch             | [0.54 Billion] ███ (7.9%)

    Human error causes 14% of breaches but exposes 66.1% of all compromised records. That’s 4.48 billion records, driven by a small number of catastrophic configuration failures where unprotected cloud databases sat open on the public internet.

    Root CauseCases% of CasesRecords Exposed% of Records
    Malicious Attack2652.0%1.14B16.8%
    Third-Party Vulnerability1122.0%623M9.2%
    Human Error714.0%4.48B66.1%
    System Glitch612.0%537M7.9%
    Total50100%6.78B100%

    The takeaway: most breaches you read about are malicious attacks. But the breaches that expose the most data? Those are usually a misconfigured database or an unprotected cloud storage bucket, simple administrative failures on systems containing billions of records.

    Indonesia vs. the World

    When the 50-case dataset is split by geography, the root-cause distribution diverges sharply between Indonesia and global markets.

    Regional Root-Cause Comparison

    Root CauseIndonesiaGlobal
    Malicious Attack70.0% (14 cases)40.0% (12 cases)
    Third-Party Vulnerability0.0% (0 cases)36.7% (11 cases)
    Human Error20.0% (4 cases)10.0% (3 cases)
    System Glitch10.0% (2 cases)13.3% (4 cases)

    In Indonesia, 70% of documented breaches are direct malicious attacks, nearly double the global rate. Meanwhile, zero third-party supply chain compromises appear in the Indonesian subset, compared to 36.7% globally.

    Indonesian organizations are being directly targeted at a far higher rate than their global counterparts. Ransomware groups, hacktivists, and data thieves are hitting Indonesian government agencies, financial institutions, and critical infrastructure head-on instead of going through suppliers.

    The absence of third-party cases in the Indonesian data likely reflects a reporting gap, not an absence of risk. Supply chain vulnerabilities are real everywhere. But the signal is clear: Indonesian organizations face a different primary threat profile than their global counterparts. Plan accordingly.

    Sectoral Breakdown

    SectorCases% of DatasetPrimary Attack Vector
    Government & Public Sector1122.0%Ransomware & Unsecured Servers
    Healthcare & Life Sciences816.0%Compromised Legacy Databases
    Financial Services & Insurance714.0%Compromised Credentials & Vishing
    Telecommunications48.0%Platform Infiltration & API Flaws
    Transportation48.0%Third-Party Support Vulnerabilities
    Energy & Utilities36.0%Exposed Analytics Dashboards
    Technology36.0%OAuth Token Theft & Zero-Days
    Manufacturing24.0%Corporate Intelligence Ransomware
    Hospitality24.0%Unsecured Cloud Databases
    Miscellaneous612.0%Phishing & Cloud Misconfigurations

    Government, healthcare, and financial services account for over half of all cases. These sectors handle data that cannot be changed after a breach, such as national ID numbers, tax IDs, and medical histories. That’s what makes them permanent targets.

    Knowing which sectors are hit provides context. But it doesn’t tell you what actually fails. The next section breaks down each root cause with the specific cases that illustrate the pattern.

    Root Cause Deep Dives

    Malicious Attacks and Ransomware

    Malicious attacks represent the majority of incidents (52%), with ransomware groups increasingly adopting double-extortion strategies. Instead of simply encrypting files, modern threat actors exfiltrate sensitive data and threaten public release to pressure victims into paying.

    Case: PDNS 2, Indonesia’s National Data Center (June 2024)

    The Brain Cipher ransomware group (a LockBit 3.0 variant) attacked Indonesia’s Temporary National Data Center 2 in Surabaya. The result: 239 government ministries and institutions disrupted, public services halted, including airport immigration, university registrations, and government portals.

    The administrator password was Admin#1234.

    The attackers gained initial access, disabled Windows Defender, and encrypted systems across the network. It was not a sophisticated zero-day. It was a default credential on a critical government system.

    Case: Bank Syariah Indonesia (May 2023)

    LockBit 3.0 compromised BSI’s network, exfiltrated 1.5 terabytes of internal data including 15 million customer records, employee profiles, and transaction histories, and encrypted the systems. When negotiations failed, the data was published on the dark web.

    The lesson: encrypting data at rest is not optional. If database contents are stored in plaintext, encryption of the network perimeter doesn’t prevent data exfiltration.

    Third-Party and Supply Chain Vulnerabilities

    As organizations harden their internal perimeters, threat actors are increasingly targeting third-party partners, software dependencies, and SaaS integrations.

    Case: Stryker Corporation (March 2026)

    The pro-Iran hacktivist group Handala compromised a single Microsoft Intune administrative account and used Stryker’s own endpoint management platform to issue remote wipe commands to approximately 80,000 corporate devices.

    No malware was deployed. The attackers used legitimate administrative tools, the same ones Stryker’s IT team used, to erase devices at scale. The wipes occurred in a three-hour window (5:00–8:00 AM UTC on March 11, 2026), suggesting pre-positioned access and coordinated timing.

    Manufacturing and shipping operations were disrupted globally. A single compromised credential was sufficient to compromise a Fortune 500 manufacturer’s global operations.

    Case: Crunchyroll (March 2026)

    Attackers phished a support agent at Telus International, Crunchyroll’s third-party customer service vendor. The agent’s Okta Single Sign-On credentials were compromised. Okta SSO became a skeleton key. Once the attackers controlled the agent’s authenticated session, they pivoted into Zendesk, Slack, Jira Service Management, and Google Workspace without triggering additional authentication challenges.

    Within 24 hours: 100 gigabytes of customer data exfiltrated, including 6.8 million unique email addresses and credit card details. The $5 million ransom went unpaid. The data was published on the dark web.

    Case: Tata Electronics (June 2026)

    The ransomware group World Leaks exfiltrated 630 gigabytes from Tata Electronics in India by exploiting weak lateral access paths within the supplier’s network. Among the stolen files: Apple iPhone 18 Pro and iPhone 18 Pro Max logic board schematics, A20 Pro data sheets, C2 modem files. Documents from Tesla, TSMC, and Qualcomm were also compromised.

    The attackers didn’t use a zero-day. They moved laterally through the supplier’s network using existing access paths, targeting the supplier specifically for its position in multiple high-value technology supply chains.

    Supply chain attacks are growing, but they’re not what exposes the most records. The next category is.

    Human Error and Configuration Failures

    Human error is the single largest driver of exposed records. Not because individuals are careless, but because simple administrative controls are not implemented on systems containing billions of records.

    Case: National Public Data (December 2023)

    The breach exposed an estimated 272–899 million unique Social Security numbers. The threat actor, operating under the handle “USDoD,” initially attempted to sell the database for $3.5 million. When no buyer materialized, the data was leaked publicly.

    The root cause: plain-text administrator credentials left publicly accessible in an open directory on a sister platform. No encryption. No access control. No authentication.

    National Public Data officially stated only 1.3 million individuals were affected. Security researchers at SpyCloud Labs identified 272 million distinct SSNs. Troy Hunt (Have I Been Pwned) estimated up to 899 million unique SSNs based on extrapolation.

    Case: Real Estate Wealth Network (December 2023)

    1,523,776,691 records, 1.16 terabytes, of consumer financial profiles, property ownership data, and tax documents left open on the public internet. No password. No authentication controls. Discovered by vpnMentor researcher Jeremiah Fowler.

    The exposure persisted for approximately six months before discovery. The data included detailed records on millions of property owners, sellers, and investors, including celebrities, politicians, and ordinary homeowners.

    Case: eHAC Health Alert Card (July 2021)

    Indonesia’s Ministry of Health electronic Health Alert Card app exposed 1.3 million user records because its Elasticsearch database was deployed directly to the public internet without password protection.

    Case: Komdigi (January 2026)

    The Ministry of Communication and Digital Affairs left the personal files of job applicants accessible on an open Google Drive directory without access controls.

    System Glitches and Configuration Neglect

    System glitches, including unpatched vulnerabilities, misconfigured settings, and exposed test endpoints, provide easy entry points for automated exploitation. These incidents are driven by a failure to maintain visibility over digital assets.

    Case: PT PLN (August 2022)

    Indonesia’s state electricity company exposed 17 million customer records, including names, billing details, and meter numbers, because an internal analytics dashboard replica was left accessible to external access without authentication.

    Case: Bapenda Jombang (April 2026)

    A local government tax portal leaked taxpayer databases to the dark web through an unsecured portal. 100,000 records.

    Case: Komdigi (January 2026)

    Job applicant files left exposed in an open Google Drive directory. No access controls. No monitoring. Discovered externally.

    The pattern across both human error and system glitch categories is consistent: basic asset inventory, regular access reviews, and automated scanning would have caught these failures before they became breaches.

    The Cost of Slow Detection

    The financial impact of a data breach is determined by its lifecycle, how long it takes to identify and contain the threat.

    The average breach lifecycle is 241 days. But not all root causes are detected equally. Compromised credentials take an average of 254 days to resolve. Third-party supply chain compromises, like the Stryker and Crunchyroll cases above, take 267 days. The longer the dwell time, the higher the cost: every day of undetected access costs approximately $11,400.

    Average Breach Cost by Hosting Environment

    Hybrid / Multi-Cloud  | [$5.05 Million] ██████████████████████████ (276-day lifecycle)
    Private Cloud         | [$4.68 Million] ████████████████████████ (250-day lifecycle)
    Public Cloud          | [$4.18 Million] █████████████████████ (230-day lifecycle)
    On-Premises Systems   | [$4.01 Million] ████████████████████ (217-day lifecycle)

    Breaches involving data stored across multiple environments, such as hybrid cloud deployments, are the most expensive. Managing data across multiple environments makes security auditing and access control more complex, increasing the time required to detect and isolate an intrusion.

    What Reduces Breach Costs

    InvestmentAverage SavingsHow It Works
    Tested Incident Response Plan$2,660,000Reduces coordination delays and containment times
    Security AI and Automation$1,900,000Automates threat detection and isolates systems
    Zero Trust Architecture$1,760,000Prevents lateral movement within internal networks

    Organizations with mature security operations and automated threat-hunting capabilities are materially better positioned to minimize financial impact. The correlation is clear: breaches that take longer than 200 days to contain cost significantly more than those resolved faster, a penalty that runs into seven figures for slow detection.

    Detection speed matters. And it’s about to get harder, because AI is accelerating attacks faster than most defenses can adapt.

    The AI Threat Multiplier

    AI has changed the game for both attackers and defenders. Attackers use it to scale personalized phishing and deepfake impersonation. Defenders use it to accelerate detection and reduce breach costs.

    AI as an Offensive Tool

    Crafting a convincing phishing email used to take hours of research. Generative AI reduced that development time from 16 hours to 5 minutes. Attackers can now deploy highly personalized spear-phishing campaigns at scale.

    In Indonesia, deepfake incidents increased 1,400% year-over-year from 2024 to 2025 (Cyberkarta, January 2026). Deepfake audio is being used in voice phishing campaigns to impersonate bank officials and tax authorities. Industry reports estimate success rates for AI-driven social engineering between 54% and 60%, meaning traditional security awareness training alone is no longer sufficient.

    The January 2026 Coretax impersonation campaign, which targeted 67 million Indonesian taxpayers through multi-channel phishing, WhatsApp conversations, and voice calls, is the exact attack pattern that AI-generated deepfakes will make cheaper and more convincing at scale.

    The Defensive AI Payoff

    Organizations that deploy AI and security automation tools cut average breach costs by $1.9 million compared to non-adopters ($3.62 million versus $5.52 million). AI-driven monitoring systems reduce the breach lifecycle by 80 days compared to manual security operations (201 days versus 281 days).

    Shadow AI: The Governance Gap

    Approximately 20% of breaches in recent industry analysis involved Shadow AI, the unauthorized use of generative AI tools by employees. Employees pasted proprietary source code, patient records, or financial data into public AI platforms.

    Breaches involving Shadow AI add an average premium of $670,000 to total breach costs. Only 37% of organizations have the security controls to detect and block unauthorized data uploads to external AI tools. In Indonesia, the DPA — once operational — will have authority to enforce data processing requirements that Shadow AI violates by design. Organizations pasting customer NIK data or tax IDs into public AI platforms are creating enforcement liability under UU PDP Article 67.

    The Regulatory Gap

    Indonesia’s Personal Data Protection Law (UU PDP, Law No. 27 of 2022) imposes significant responsibilities: explicit consent for data processing, mandatory DPIAs for high-risk systems, and dedicated Data Protection Officers.

    The penalties are real: administrative fines up to 2% of annual revenue, criminal sentences up to five years for unauthorized sale or purchase of personal data (Article 67(1)), and up to six years for falsification (Article 68).

    But enforcement has a problem. The independent Personal Data Protection Authority (DPA) was not operational through 2025 and early 2026. The Constitutional Court case challenging this delay (Permohonan Nomor 153/PUU-XXIV/2026) was ruled inadmissible on June 17, 2026.

    In response, the government made public a draft Presidential Regulation in late February 2026 to formally establish the DPA. The draft is currently awaiting presidential approval. Under this regulation, the DPA is structured as an independent agency reporting directly to the President.

    The enforcement window is closing. When the DPA becomes operational, the excuse of “we didn’t know who enforces this” disappears. The organizations that treat UU PDP compliance as urgent today, not as a future obligation, will face full enforcement consequences when the regulator starts issuing penalties.

    If your organization needs to assess its privacy compliance readiness, the regulatory window is narrowing faster than most teams expect. For a deeper look at what UU PDP requires, see our guide to implementing Indonesia’s Personal Data Protection Law.

    What You Should Do

    Based on the findings from this 50-case analysis, five priorities stand out. These are general best practices drawn from the data. Specific implementation depends on your organization’s size, sector, and existing security posture.

    1. Phishing-Resistant Identity and Access Management

    The Crunchyroll breach started with a single phishing email sent to a support agent at Telus International. The agent’s Okta SSO credentials were compromised, and those credentials became a skeleton key across Zendesk, Slack, Jira, and Google Workspace. 6.8 million customer records followed.

    Indonesia’s National Data Center was compromised because the admin password was Admin#1234. The Coretax campaign tricked 67 million taxpayers through voice calls and WhatsApp into sideloading malware.

    To avoid this, deploy phishing-resistant MFA based on FIDO2/WebAuthn standards, such as hardware security keys or push with mandatory number-matching. SMS OTP and push notifications without verification would not have stopped any of these three breaches.

    Administrative sessions need conditional access policies that evaluate device health, compliance posture, and geographic location in real time. High-risk actions, such as mass device updates, directory exports, and security configuration changes, should require two people to approve before they execute.

    2. Zero Trust Architecture

    Stryker’s own Intune platform was used to wipe 80,000 devices across 60+ countries. The attackers deployed no malware. They compromised a single administrative account and turned Stryker’s endpoint management infrastructure against itself.

    Tata Electronics lost 630 gigabytes of Apple and Tesla schematics because attackers moved laterally through a supplier network using existing access paths. Bank Syariah Indonesia lost 1.5 terabytes of customer data because the database was stored in plaintext, and network encryption did nothing to prevent exfiltration.

    To avoid this, design your network so a single compromised account cannot reach everything. Segment user endpoints from core databases and development from production. Encrypt data at rest, especially national identity numbers, financial details, and medical records.

    Lastly, audit legacy authentication protocols and unpatched APIs on a fixed schedule, and disable anything that no longer serves a business function.

    3. Third-Party Vendor Isolation

    36.7% of global breaches in this dataset involved third-party vendors. Zero Indonesian cases did, likely because the risk is underreported rather than absent. The global pattern is clear. Crunchyroll’s entry point was a phished agent at Telus International.

    Stryker’s weapon was a compromised Intune account, a centralized vendor-administered management platform. Tata Electronics’ path was lateral movement through a supplier network positioned across multiple high-value technology supply chains.

    To avoid this, start by inventorying every external tool, API, and partner access path your organization depends on, then lock each one down to the minimum access it actually needs. Contractor portals and remote support paths should sit on monitored jump hosts or behind Zero Trust Network Access policies so a compromised vendor credential doesn’t become a direct line into your production environment.

    And put security expectations, incident reporting timelines, and audit rights in vendor contracts now, before a breach forces that conversation.

    4. Resilient Data Backups

    PDNS 2 and Bank Syariah Indonesia were both hit by ransomware. Both had their data encrypted. Brain Cipher locked systems across 239 government ministries and institutions.

    LockBit 3.0 exfiltrated 1.5 terabytes from BSI and published it when negotiations failed. In both cases, the encryption itself was not the catastrophe. The catastrophe was that recovery depended on systems the attacker already controlled.

    To avoid this, keep at least three copies of critical data on two different media types, with one copy off-site or in an air-gapped, immutable environment. Modern ransomware groups actively hunt for and delete backups, so network-attached storage alone isn’t enough.

    And don’t forget to test your ability to restore from those backups monthly under realistic conditions, because a backup you’ve never verified is not a backup.

    5. AI Governance

    No case in this dataset was caused by Shadow AI. But this is the threat that’s arriving next. IBM reports that 20% of breaches now involve employees pasting sensitive data, source code, patient records, or financial details into public AI platforms, adding an average of $670,000 to breach costs. Only 37% of organizations have controls to detect it.

    In Indonesia, the DPA, once operational, will enforce data processing requirements that Shadow AI violates by design. Pasting customer NIK or tax IDs into public AI tools creates enforcement liability under UU PDP Article 67.

    To avoid this, define which AI tools are approved for corporate use and what data is never allowed to leave your environment. Deploy DLP agents on endpoints so unauthorized transfers to external AI platforms get caught before they happen.

    And integrate AI-driven detection into your SOC so behavior-based phishing and compromised accounts surface early, not after the data is already gone.

    Methodology & Sources

    This analysis is based on a curated dataset of 50 data breaches (2020–2026), classified by primary root cause. The dataset includes 20 Indonesian incidents and 30 global incidents, selected from public sources including:

    • IBM Cost of a Data Breach Report 2025: breach lifecycle, cost mitigators, hosting environment analysis
    • BSSN (Badan Siber dan Sandi Negara): Indonesia network anomaly statistics
    • ITRC 2025 Data Breach Report: US breach frequency and root cause data
    • CYFIRMA Indonesia Threat Landscape: regional threat actor profiles
    • Krebs on Security, BleepingComputer, Have I Been Pwned: individual breach verification
    • Indonesian Constitutional Court decisions: regulatory status verification
    • Primary news sources: Reuters, Jakarta Globe, ANTARA, Kompas, ManageEngine

    The root-cause classification and Indonesia-vs-global comparison are original analytical work based on this curated sample. The dataset is not a comprehensive registry. It is a structured sample designed to identify patterns in breach causation across the two geographies.


    Reference: Empirical Analysis of 50 Global and Indonesian Data Breaches (2020–2026): Systemic Vulnerabilities, Root-Cause Mechanics, and Regulatory Realities by Adaptist Consulting.


    This research was conducted by Adaptist Consulting, July 2026. For questions about methodology or to discuss how these findings apply to your organization’s security posture, contact us.

    Profil Adaptist Consulting

    Adaptist Consulting is a technology and compliance firm dedicated to helping organizations build secure, data-driven, and compliant business ecosystems.