HomeLearnBoKEvents & Case StudiesLeak / Unauthorized Disclosure
Back to Hub
Last Reviewed: 2026-06-24
Reviewer: ITMG® Security Advisory
BoK Reference Sheet
Core Event taxonomy

Leak / Unauthorized Disclosure

A leak is the unauthorized disclosure of sensitive information by a trusted insider. Leaks may be intentional, careless, coerced, or enabled by weak access, handling, training, and monitoring controls.

Based on real event: classified information disclosure through an online platform.

Incident Case Analysis & Real-World Context

Case basis: Based on real event. A U.S. Air National Guard member with access to classified systems retained and transmitted hundreds of pages of classified national defense information through an online social media platform. The case illustrates how a user with legitimate access can move sensitive information from a controlled environment into informal digital communities where the organization loses control of distribution, context, and downstream exposure.

Why This Event Pattern Matters

Leak cases matter because disclosure can happen through ordinary channels: messaging platforms, social media, screenshots, photographs, printed documents, personal accounts, or conversations. The central insider-risk issue is not only whether the user had access, but whether the organization had appropriate need-to-know controls, handling rules, monitoring, reporting, supervision, and escalation.

Common Event Scenarios & Progression Path

Trusted access to sensitive information.

Disclosure channel outside approved business or government handling process.

Potential evidence across access logs, print activity, file access, device activity, platform activity, and witness reports.

Possible anti-forensics or concealment behavior when the user realizes the disclosure may be detected.

IRCF™ Capability Alignment

Lessons from this event pattern directly map to the following canonical Insider Risk Capability Framework™ (IRCF™) components for organizational capability improvement:

Data ProtectionIAMMonitoringAnalysisInvestigationPersonnel AssuranceOversight and ComplianceRisk Management and Reporting

Insider Threat Matrix Alignment

Matrix mapping includes motive, means through legitimate access, preparation through search or collection, infringement through disclosure, and anti-forensics if the user deletes accounts, devices, messages, or other artifacts.

*The Insider Threat Matrix™ is an open framework maintained by Forscie Limited for computer-enabled insider threat investigations.

Controls & Safeguards to Leverage

Need-to-know access reviews for sensitive repositories and platforms.
Handling rules for classified, controlled, confidential, and regulated information.
Monitoring for unusual access, printing, photographing, downloading, or movement of sensitive material.
Escalation pathways for peers and supervisors who observe risky sharing behavior.
Evidence preservation processes that separate containment from investigation.

Relevant Program Metrics & KPIs

Metric
Sensitive access anomalies by user population.
Metric
Print, download, screenshot, or transfer events involving restricted data.
Metric
Time from detection to containment.
Metric
Training completion for sensitive-data populations.
Metric
Number of leak-related referrals by source and channel.

Legal, Privacy, and Ethical Cautions

Unauthorized disclosure cases may implicate employment obligations, whistleblower protections, classified-information law, privacy, trade-secret law, regulatory reporting, evidence preservation, and criminal referral. Do not characterize a disclosure as malicious or unlawful unless facts and legal review support that conclusion.

Source References & Investigation Fact-Verification

DOJ, District of Massachusetts, Former Air National Guardsman Sentenced to 15 Years in Prison for Unlawfully Disclosing Classified National Defense Information, Nov. 12, 2024. DCSA/CDSE case study on Jack Douglas Teixeira may be used as a supplemental government case-study source.

Operationalize This Learning

Need to evaluate whether this scenario is covered in your environment? Use RiskTKO® or request a Guided Exposure Assessment to evaluate your current control coverage, capability maturity, and exposure trends.