Gartner Blog Network

More On Internal Data Loss Incidents

by Anton Chuvakin  |  December 31, 2012  |  5 Comments

"If a tree falls in a forest and no one is around to hear it, does it make a sound?” – If a piece of sensitive data is exposed to the intranet/LAN, is that a security incident?

Here are some versions of an answer I’ve heard (all fictionalized, of course):

  • “No, what on Earth are you talking about? We share everything inside the firewall.”
  • “No – since we would never know that it happened anyway.”
  • “Yeah, kind of– but it is low-priority incident, the one we get to … whenever we get to it”
  • “It depends on the data, some data seen outside its intended secure enclave immediately triggers an incident.”
  • “Yes, of course -  with 50,000 employees you cannot have any concept of a perimeter.”
  • “Yes, because our internal is really external – due to a large number of partner, customer, vendor, etc personnel on our network.”

However, the situation is much worse than that. I am this close to thinking that today at a large company with expansive and effectively uncontrolled network access (wireless, VPN, BYOD, etc), an internal breach is going to become an external breach before  you can say “DBIRSmile 

Here is why: a lot of the organizations open up all sorts of internal resources to all sorts of outsiders and then poorly govern access to said resources. A recent research piece on SharePoint contained this shocking number:  “nearly a third of these internal-facing SharePoint sites are now being opened up to people outside of the enterprise, such as partners and customers for external collaboration.” The authors further note, in a style reminiscent of a winning The Understatement of The Year contest entry,  “This changes the overall risk profile of SharePoint.”

In this scenario, an internal exposure magically becomes a data breach. In light of this, some organizations undertook massive (=covering hundreds of thousands of internal file repositories and millions of files) efforts to discover, corral and attribute (to data owners) sensitive data and then institute a blend of processes and ongoing technical monitoring (via DLP) for internal exposures, in addition to explicit exfiltration and “loss.”

Finally, here is a great example (discovered here) of an internal incident leading to formal breach disclosure:


(full notification is at

So, here is to change in the New Year: accept an idea that an internal sensitive data exposure may, in fact, be a security incident, even before the attackers get to this data and steal it!

Related posts:

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: data  dlp  security  

Tags: data-security  dlp  security  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Thoughts on More On Internal Data Loss Incidents

  1. Ray says:

    Yeah, “fictionalized”. Let’s go with that. 🙂

  2. […] Anton Chuvakin is a research director at Gartner's IT1 Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio Coverage Areas: ← More On Internal Data Loss Incidents […]

  3. […] More On Internal Data Loss Incidents […]

  4. Oliver says:

    Yes it is a security incident, which we follow up as soon as we detect them.
    As we are a IT Service Provider, we want to be sure that our data is protected in the same way and same policies are applied as with our customer data. If you’re not dealing properly with your internal data, how do you want to earn the trust of your customers that you do it right.

  5. Oliver, thanks for the comment. Happy to hear about your approach! Sadly, there are always rumors of service providers who don’t disclose internal and cross-customer breaches in the fear of losing customers

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.