Data exposure
Data exposure refers to situations where sensitive data is unintentionally made accessible to unauthorized individuals or systems. While the term can refer to any unintentionally exposed information, it is predominantly used in the context of exposing sensitive data due to its critical implications.
Data exposure is a term that’s commonly used in the cybersecurity industry. In many cases, “data exposure” is used synonymously with “data leak”. For example, this academic article includes “data exposure” in its title but proceeds to discuss techniques for detecting data leaks.
Security professionals often use the term “data exposure” to describe risks from misconfigurations or inadequate security measures. It reflects a state of vulnerability rather than an active security event. In this context, “data exposure” refers to sensitive data being made available outside authorized systems, without evidence of actual unauthorized access to this data. If evidence of unauthorized access emerges, then the incident is “upgraded” to a “data leak”. In other words, data exposure may lead to a data leak if someone accesses or distributes the exposed data.
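One way to operationalize the distinction above in incident triage, as an added example that is not part of the original article: given the access log of a storage object whose ACL was misconfigured, the finding stays an “exposure” until the log shows a successful read by a party outside the authorization policy, at which point it becomes a “leak”. The log format, the allowlisted identities and the internal network range are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AccessEvent:
    timestamp: str
    principal: str   # authenticated identity, or "anonymous"
    source_ip: str
    status: int      # status code returned for the read request

# Hypothetical access policy for the exposed object: a short allowlist of
# identities plus the internal network they are expected to come from.
AUTHORIZED_PRINCIPALS = {"svc-backup", "alice@example.com"}
AUTHORIZED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_log(text: str) -> list[AccessEvent]:
    """Parse constructed log lines of the form: <ts> <principal> <ip> <status>."""
    events = []
    for line in text.strip().splitlines():
        ts, principal, ip, status = line.split()
        events.append(AccessEvent(ts, principal, ip, int(status)))
    return events

def is_authorized(event: AccessEvent) -> bool:
    """Authorized only if the identity is allowlisted AND the request is internal."""
    src = ipaddress.ip_address(event.source_ip)
    return (event.principal in AUTHORIZED_PRINCIPALS
            and any(src in net for net in AUTHORIZED_NETWORKS))

def classify(events: list[AccessEvent]) -> tuple[str, list[AccessEvent]]:
    """'exposure' while no unauthorized party has successfully read the object;
    'leak' once the log holds at least one successful (status 200) unauthorized
    read. Denied requests are not evidence of access and do not change the verdict."""
    evidence = [e for e in events if e.status == 200 and not is_authorized(e)]
    return ("leak" if evidence else "exposure", evidence)

# Constructed sample logs: an authorized internal read, a denied anonymous
# request, and (in the second log) a successful anonymous read from outside.
LOG_NO_ACCESS = """
2024-05-01T10:00:00Z svc-backup 10.1.2.3 200
2024-05-01T10:05:00Z anonymous 203.0.113.7 403
"""
LOG_WITH_ACCESS = LOG_NO_ACCESS + "2024-05-01T11:00:00Z anonymous 198.51.100.9 200\n"

if __name__ == "__main__":
    for name, log in (("before", LOG_NO_ACCESS), ("after", LOG_WITH_ACCESS)):
        verdict, evidence = classify(parse_log(log))
        print(f"{name}: {verdict} ({len(evidence)} unauthorized read(s))")
```

The evidence list returned alongside the verdict is what an analyst would attach to the ticket when escalating from exposure to leak.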
The term “data exposure,” or more specifically “sensitive data exposure,” was notably used as a security risk category in the OWASP Top Ten project. However, in 2021, this category was renamed to “Cryptographic failures”, reflecting a shift of focus towards issues in cryptography implementation, which are often the root cause of data exposure.
As for major data privacy laws, none of them explicitly defines “data exposure”.