GDPR defines a data breach broadly, ensuring that organizations cannot minimize or ignore incidents that put individuals' information at risk. A breach may involve the accidental deletion of user data, a misconfigured server that leaves personal records publicly accessible, or unauthorized access by an employee. It can also involve deliberate cyberattacks such as phishing campaigns, ransomware infections, or database hacks.
The broad scope of this definition means that breaches are not confined to large corporations. Even a small e-commerce store running on a vulnerable content management system plugin could suffer an incident that qualifies under GDPR. For example, if the site's checkout system exposes a handful of customer addresses or credit card numbers, that incident constitutes a reportable breach because it places individuals at risk.
Recent history offers clear illustrations of how breaches unfold. In 2018, British Airways experienced a breach that compromised payment card details, booking information, and personal records of about 400,000 customers. Hackers had inserted malicious code into the airline’s website and app, siphoning sensitive information as users entered it. Although the airline eventually faced a reduced fine of £20 million, the incident was a wake-up call about the consequences of vulnerabilities in critical systems. Around the same time, Ticketmaster suffered a breach caused not by its own systems but by a third-party chatbot embedded on its website. Attackers exploited this third-party code to steal payment details of 9.4 million customers across Europe, leading to a fine of £1.25 million from the UK’s Information Commissioner’s Office.
These cases show that breaches can originate from internal weaknesses as well as from external integrations. For website owners, this underlines that responsibility for data protection extends beyond the immediate boundaries of their own servers into the broader ecosystem of third-party tools and services they rely upon.