A lot of folks are familiar with the annual Verizon Data Breach Investigations Report (DBIR). While it may seem illuminating and may help guide decisions on what to focus on, we think it is worth digging deeper into the problem itself. The DBIR suffers from the common mistaken view that "hacking just happens", as if it were an act of God rather than a deliberate human decision.
While a lot of folks in the tech industry are quick to point out that many of the companies making headlines for data breaches are "older" non-tech companies, in recent weeks we've seen companies like GitHub have over 3,800 internal repositories exfiltrated, and CISA, the government agency that is supposedly looking after the United States' cybersecurity posture, leak massive amounts of secrets and passwords in plain text. The former is supposedly staffed by tenured engineers and the latter by elite security contractors, so what is going on?
As of this writing, Massachusetts is reporting over 808 data breaches in 2026 alone, and 2,198 in 2025.
That report is damn near 80 pages, and it covers only the 2026 reports!
Maine is reporting over 300. Why the difference? The rules differ from state to state, but it usually boils down to the number of residents in each state that are potentially affected.
DBIR Call Outs
Notably, the Verizon Data Breach Investigations Report mentions "system intrusion" 64 times. It also notes that servers account for the majority of system intrusions, which is not surprising.
In their own words, "This is where all the web applications, mail services, file servers and all that magical layer of information is generated. If someone has ever told you “the system is down,” rest assured that some Servers had their Availability impacted".
Both the "system intrusion" pattern and the "server" asset top every vertical and every region the report is broken into. That is to say, server-side system intrusion is a big deal. They might as well rename the DBIR the Server System Intrusion Report, because that's what it is.
Different Types
Not all data breaches are the same. One way to classify them is by the type of data that leaks. PII, or personally identifiable information, is far more problematic than internal data that might only cause a company internal headaches, because PII immediately affects external people and invites lawsuits and other problems.
Social security numbers, medical records, financial accounts, driver's licenses and credit cards are all considered PII. Medical records can be classified further as ePHI, or electronic protected health information. HIPAA governs compliance around this type of data, and newer rules introduced as of May 2026 require things like mandatory penetration testing and extend liability to "business associates", which can be vendors such as MSPs or MSSPs.
Data breaches are far more common than many people seem to think.
It's important to note that not all data breaches are the result of hacking; some are merely someone losing a USB stick or accidentally exposing a database view.
Not All Data Breaches are Windows Based
In fact, many are not. Linux is the new Windows. I don't mean this as a pejorative; I mean it in terms of where business software is deployed. I know many readers are recoiling at this statement, but that's reality. The vast majority of business software runs on Linux servers, and a lot of traditional end-user software is less desktop-based and more SaaS-based (which also lives on Linux servers).
This is a good thing, though, as it means we can quickly and effectively turn these workloads into unikernels. Even if you have a piece of Windows software, if it works as a non-GUI, server-like application, in many cases we can still port it to a unikernel. For example, many JVM and .NET applications can easily be ported over.
Not all breaches are the result of "external system hacking"; some are "insider wrongdoing", "inadvertent disclosure" or "loss or theft of device", for instance. A lot of them, however, are caused by hacking.
It's not common to know how an intrusion or breach occurred when it is filed under 'external system hacking', so unfortunately we can't really group these events by CWE or anything similar, but sometimes you can understand the basics:
For instance, this NetLine data breach notice states: "On or about April 21, 2026, NetLine became aware of suspicious activity related to a public facing webserver. In response, NetLine took steps to secure the server and conduct a comprehensive investigation. The investigation determined an unknown actor queried certain databases on the server without authorization on April 20, 2026".
Without more information, you can probably surmise that this was SQL injection or some missing authorization check.
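As an added illustration (not code from the original post or from NetLine), here is the shape of both defects the notice hints at: a hypothetical customer lookup that pastes user input into the SQL text and never scopes the query to the logged-in user, beside its hardened form. The table, rows and owner ids are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the "certain databases" on a
# public-facing web server: each customer row belongs to one account owner.
SAMPLE_ROWS = [
    (1, 100, "alice@example.com", "000-00-0001"),
    (2, 200, "bob@example.com", "000-00-0002"),
    (3, 300, "carol@example.com", "000-00-0003"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, owner_id INTEGER, email TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner_id: int, email: str) -> list:
    # Defect 1: the request parameter is spliced into the SQL text, so a
    #           crafted value rewrites the WHERE clause (SQL injection).
    # Defect 2: owner_id is accepted but never used, so any caller can read
    #           any row just by naming a valid email (missing authorization).
    sql = f"SELECT email, ssn FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, owner_id: int, email: str) -> list:
    # Fix 1: parameter binding keeps the input as data; the driver never
    #        treats it as SQL, so the WHERE clause cannot be rewritten.
    # Fix 2: every query is scoped to the authenticated caller's owner_id,
    #        so another owner's email returns nothing even when it is valid.
    sql = "SELECT email, ssn FROM customers WHERE owner_id = ? AND email = ?"
    return conn.execute(sql, (owner_id, email)).fetchall()


def row_counts(email: str, owner_id: int = 100) -> tuple:
    """Rows returned by each variant for one request (vulnerable, hardened)."""
    conn = build_db()
    return (
        len(lookup_vulnerable(conn, owner_id, email)),
        len(lookup_hardened(conn, owner_id, email)),
    )


if __name__ == "__main__":
    # Owner 100 asking for another owner's record: 1 row leaks vs. 0 rows.
    print(row_counts("bob@example.com"))
```

The same request that leaks a single foreign record in the vulnerable version leaks the whole table once the input rewrites the WHERE clause, while the hardened version returns only the caller's own rows in both cases.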
Stronger Defense Against Higher Frequency of Data Breaches
Data breaches are unfortunately becoming increasingly common, and the screws are tightening ever more on the compliance side. Unikernels can't stop all data breaches, even ones that involve hacking, but they can certainly provide a strong first line of defense, and they can prevent a small mistake from turning into an unmitigated disaster.
