What Is Shadow Data? Examples, Risks and How to Detect It

Introduction

Cloud-first travel platforms handle massive volumes of customer data every day, from booking details to payment information. With petabytes of data spread across hundreds of  cloud accounts, the stakes couldn’t be higher: customer trust, regulatory pressure (PCI DSS, GDPR), and business reputation are always on the line.

‍

This is the story of how a global travel platform took action to ensure the highest level of customer data protection and set out to gain complete visibility and full control of its data estate, securing petabytes of sensitive information across 600+ cloud accounts in just 30 days.

At a Glance: Securing Petabytes at Scale

The Challenge

• 100s of PBs of sensitive customer data
  
• 600+ cloud accounts, 150K+ data stores
  
• Manual tagging, blind spots, reactive DLP
  
• Compliance risks (PCI DSS, GDPR)
  
  

The Solution

• Sentra’s agentless DSPM platform
  
• Automated discovery & AI-driven classification
  
• Real-time data mapping and compliance alignment
  
• Partnership-driven support and fast deployment
  
  

The Results

• Full visibility across petabytes of data in 30 days
  
• Streamlined governance across 600+ cloud accounts
  
• Dramatic reduction in  false positives & alert fatigue
  
• Stronger compliance with PCI DSS & GDPR
  
• Data security transformed into a strategic advantage
  
  

The Challenge: Data Visibility at Scale

The travel tech company’s cloud footprint had grown rapidly, now its security practices needed to be brought up to speed. Relying on legacy Data Loss Prevention (DLP) tools left the security team in a reactive posture. Alerts were triggered only after data had already left the environment. In the high velocity world of digital travel, “too late” is not an acceptable outcome.

‍

Manual tagging compounded the problem. It was slow, resource-intensive, inconsistent across teams, and prone to human error. With more than 600 cloud accounts and hundreds of petabytes of data in motion, the organization sought a reliable way to answer the most fundamental security questions:

‍

• What sensitive data do we have?
  
• Where is it stored?
  
• Who has access to it?

Answers to these three foundational questions would enable them to lock down exposure risk, misconfigurations, and regulatory noncompliance for sensitive customer information, including payment card data and personal identifiers.

Sentra Data Security: Scalable, Accurate, Agentless

After evaluating a wide mix of DLP and DSPM vendors, the company selected Sentra for its ability to deliver scale, accuracy, and scan efficiency.

‍

• Agentless discovery allowed rapid deployment across the entire multi-cloud environment without adding operational friction.
  
• AI-driven classification replaced error-prone manual tagging, enabling sensitive data to be labeled consistently and accurately.
  
• Regulatory mapping ensured risks were tied directly to frameworks such as PCI DSS and GDPR, making compliance reviews easier and faster.
  
• Smart scanning lowered cloud compute costs and provided more timely results.
  
  

Just as importantly, Sentra’s customer success and engineering teams worked closely with the company. Rapid support and the ability to deliver custom features strengthened the partnership and accelerated adoption.

Implementation: Tackling Complexity Head-On

Securing hundreds of petabytes across over 600 cloud accounts, over 150K data stores, and 25K data storage locations was no small feat. The implementation involved coordination with six internal stakeholder teams.

Sentra’s engineering team collaborated directly with the customer to fine-tune scanning for high-memory formats and optimize scanning cycles. This ensured that even as the environment expanded, sensitive data could still be discovered, classified, and secured in near real time.

‍

Despite the scope and complexity, deployment was completed on schedule. Within weeks, the company moved from chasing alerts to uncovering exposures proactively. Manual tagging errors were eliminated, and governance workflows became more consistent across business units.

Real Business Impact: From Reactive to Proactive

The shift in outcomes was dramatic. Within months, the security team achieved the visibility they sought. Instead of reacting to alerts, they were proactively discovering risks and preventing incidents before they escalated.

‍

Key results included:

• Discovery of sensitive data that had previously gone unnoticed
  
• Streamlined governance across 600+ cloud accounts
  
• Automated classification that reduced false positives and alert fatigue
  
• Improved compliance posture with PCI DSS and GDPR
  
  

As one security engineering manager put it:

‍

“The Sentra speed and support really stood out. We were able to quickly transform our approach from reactive alerts to proactive discovery. We’re not just detecting potential risks anymore; we’re gaining a comprehensive inventory of our data landscape across hundreds of petabytes, enabling us to truly protect our most critical assets.”

Sentra for Travel Tech: Setting the Pace

For travel technology companies, customer trust and agility are everything. Every transaction, every booking, every passenger record carries sensitive information that must be protected. At this scale, manual processes and reactive tools simply cannot keep up.

‍

By adopting Sentra’s cloud-native DSPM platform, this global travel leader gained real-time visibility into its vast, fast-moving data estate. Booking and flight details, payment card data, and personal identifiers could now be classified automatically and governed consistently without slowing the pace of innovation.

What had once been a compliance bottleneck became a strategic advantage.

Bottom Line: Data Security is a Competitive Edge

The journey of this global travel platform illustrates what’s possible when scale, automation, and accuracy come together. In just 30 days, the company moved from dangerous blind spots to full visibility and control over petabytes of sensitive data.

‍

But this is about more than one company’s success story. In the AI-powered economy, where data volumes are exploding and regulatory demands are intensifying, innovation speed without security is a liability. The leaders of the next decade will be those who can combine agility with trusted data security.

‍

Sentra’s DSPM platform gives organizations the ability to:

‍

• Discover and classify sensitive data automatically
  
• Map risks directly to compliance frameworks
  
• Move from reactive alerts to proactive governance
  
• Scale confidently across complex, cloud-first environments
  
  

This is about more than just compliance. For consumer industries like travel and hospitality, retail, financial services, and any enterprise that runs on data, it’s about protecting customer trust, unlocking innovation, and gaining a true competitive edge.

‍

Discover how Sentra can help your organization secure its cloud data estate at scale.

<blogcta-big>

NYDFS Steps Up Enforcement

The New York State Department of Financial Services (NYDFS) has long been one of the most influential regulators in the financial sector, but over the past two years, it’s made one thing crystal clear: cybersecurity is no longer a back-office IT concern, it’s a regulatory priority.

‍

In response to growing threats, increasing reliance on third-party services, and persistent operational risks, NYDFS has tightened its expectations around how financial institutions protect sensitive data. And it’s backing that stance with real financial consequences.

‍

Just ask PayPal or OneMain Financial, two major firms hit with multimillion-dollar penalties for cybersecurity lapses. These weren’t headline-grabbing breaches or ransomware attacks, they were the result of basic control failures, delayed reporting, and repeated gaps in governance.

‍

What do a $2M fine for PayPal and a $4.25M penalty for OneMain have in common?

‍
Weak cybersecurity practices, and a regulator that’s no longer willing to wait for companies to catch up.

The Recent Crackdowns: PayPal and OneMain

a. PayPal – $2M Civil Penalty (January 2025)

‍

In January 2025, NYDFS announced a $2 million penalty against PayPal for violations of its cybersecurity regulations under Part 500. The enforcement focused on failures to report a cybersecurity event in a timely manner and gaps in maintaining certain required controls.

‍

The incident involved unauthorized access to over 34,000 user accounts, exposing sensitive personal data including tax IDs and financial information. NYDFS emphasized that PayPal’s delayed reporting and lack of specific security measures put both consumers and the broader financial ecosystem at risk.

‍

What it signals: No company - not even a digital-native fintech giant is immune from enforcement. The bar is rising, and NYDFS is expecting organizations to report, respond, and remediate swiftly and transparently.

‍

b. OneMain Financial – $4.25M Fine (May 2023)

‍

In May 2023, NYDFS fined OneMain Financial $4.25 million after discovering systemic cybersecurity deficiencies, including improperly stored passwords, insufficient multi-factor authentication, and inadequate third-party risk management.

‍

Even more concerning: many of these issues were identified in earlier audits and hadn’t been fully addressed. NYDFS made it clear that repeated inaction wouldn’t be tolerated.

‍

What it signals: It’s not just about responding to one-off incidents — regulators are watching for long-term security maturity. Ongoing hygiene, policy enforcement, and consistent control testing are now table stakes.

What’s Changing: NYDFS 2.0 (Part 500 Amendments)

These enforcement actions aren’t just about past violations, they’re a preview of what’s to come.

‍

With the rollout of the NYDFS Second Amendment to Part 500, also known as NYDFS 2.0, covered entities, especially those classified as Class A companies are facing a new set of enforceable expectations.

‍

Key new requirements include:

• Annual independent audits of cybersecurity programs
  
• Mandatory multi-factor authentication (MFA) for all systems
  
• Stronger access control policies, including role-based access
  
• Board-level or senior executive oversight of cybersecurity governance
  

Full enforcement kicks in on November 1, 2025. At that point, these aren’t just checkboxes, they’re compliance requirements with real financial and reputational risk for falling short.

‍

The message is clear: NYDFS is no longer satisfied with written policies and best-effort intentions. It's expecting demonstrated outcomes, measurable control, and leadership accountability.

The Broader Message: Enforcement Is the New Default

NYDFS isn’t the only regulator stepping up, but it’s arguably the most proactive, and most willing to act. These recent fines signal a broader shift across the industry: compliance is no longer about having good intentions or written policies. Regulators are now focused on evidence of execution, real controls, timely reporting, and provable outcomes.

‍

In other words, enforcement is the new default. This shift reframes cybersecurity from a purely technical issue to a board-level governance challenge. It's not enough for IT or security teams to manage risk in isolation. Executive leadership, legal, and compliance functions all need to be aligned — and accountable.

If your organization is treating cybersecurity as just a tech responsibility, you’re behind.

What Organizations Should Do Now

The message from regulators is clear, and now is the time to act.

‍

Here are four practical steps your team can take to stay ahead:

‍

• Audit your current posture against NYDFS Part 500. Focus especially on:
  
  • Incident reporting timelines
    
  • MFA coverage
    
  • Access controls
    
  • Third-party risk assessments
    
    
• Prioritize visibility across your environment
  You can’t protect what you can’t see. Ensure you have continuous insight into where sensitive data lives, who can access it, and how it moves across cloud, SaaS, and on-prem systems.
  
  
• Document everything
  Have clear records of your policies, security controls, vendor assessments, incident response processes, and risk decisions. If you had to prove your compliance tomorrow, could you?
  
  
• Benchmark your controls against recent enforcement
  If PayPal and OneMain were fined for these issues, ask yourself:
  ‍How would our program hold up under similar scrutiny?
  
  

Final Thoughts: Read the Signals Now, Not After a Fine

The writing is on the wall - NYDFS is raising the bar, and other regulators are likely to follow. This is your opportunity to get ahead of the curve, rather than scrambling after the fact.

‍

Take these fines as what they are: a warning shot and a roadmap. Organizations that prepare now - with tighter controls, better visibility, and cross-functional ownership won’t just avoid penalties. They’ll be more resilient, more trusted, and better equipped to lead in a high-risk landscape.

‍

If you’re not sure where to start, use these enforcement cases as a prompt for an internal review. And if you want to go deeper, we’ve put together a compliance checklist that can help you assess where you stand.

‍

Better to find the gaps now before NYDFS does.

<blogcta-big>

‍

The evolving digital landscape for cloud-first companies presents unprecedented challenges for chief information security officers (CISOs). The rapid adoption of AI-powered systems and the explosive growth of cloud-based deployments have expanded the attack surface, introducing novel risks and threats.

According to IBM's 2024 "Cost of a Data Breach Report," the average cost of a cloud data breach soared to $4.88 million - prompting a crucial question: Is your organization prepared to secure its expanding digital footprint? 

Regulatory frameworks and data privacy standards are in a constant state of flux, requiring CISOs to stay agile and proactive in their approach to compliance and risk management.

‍

This article explores the top challenges facing CISOs today, illustrated by real-world incidents, and offers actionable solutions for them. By understanding these pressing concerns, organizations can stay proactive and secure their environments effectively.

Top Modern Challenges Faced by CISOs

Modern CISO concerns stem from a combination of technical complexity, workforce behavior, and external threats. Below, we explore these challenges in detail.

1. AI and Large Language Model (LLM) Data Protection Challenges

AI tools like large language models (LLMs) have become integral to modern organizations; however, they have also introduced significant risks to data security. In 2024, for example, Microsoft's AI system, Copilot, was manipulated to exfiltrate private data and automate spear-phishing attacks, revealing vulnerabilities in AI-powered systems.

‍

Furthermore, insider threats have increased as employees misuse AI tools to leak sensitive data. For instance, the AI malware Imprompter exploited LLMs to facilitate data exfiltration, causing data loss and reputational harm. 

Robust governance frameworks that restrict unauthorized AI system access and implementation of real-time activity monitoring are essential to mitigate such risks.

2. Unstructured Data Management

Unstructured data (e.g., text, images, audio, and video files) is increasingly stored across cloud platforms, making it difficult to secure. Take the high-profile breach in 2022 involving Turkish Pegasus Airlines. It compromised 6.5 TB of unstructured data stored in an AWS S3 bucket, ultimately leading to 23 million files being exposed. 

‍

This incident highlighted the dangers of poorly managed unstructured data, which can lead to severe reputational damage and potential regulatory penalties. Addressing this challenge requires automated classification and encryption tools to secure data at scale. In addition, real-time classification and encryption ensure sensitive information remains protected in diverse, dynamic environments.

3. Encryption and Data Labeling

Encryption and data labeling are vital for protecting sensitive information, yet many organizations struggle to implement them effectively. 

IBM's 2024 “Cost of a Data Breach Report” reveals that companies that have implemented security AI and automation “extensively” have saved an average of $2.2 million compared to those without these technologies.

The EU’s General Data Protection Regulation (GDPR) highlights the importance of data labeling and classification, requiring organizations to handle personal data appropriately based on its sensitivity. These measures are essential for protecting sensitive information and complying with all relevant data protection regulations.

Companies can enforce data protection policies more effectively by adopting dynamic encryption technologies and leveraging platforms that support automated labeling.

4. Regulatory Compliance and Global Standards

The expanding intricacies of data privacy regulations, such as GDPR, CCPA, and HIPAA, pose significant challenges for CISOs. In 2024, Microsoft and Google faced lawsuits for the unauthorized use of personal data in AI training, underscoring the financial and reputational risks of non-compliance.

Companies must leverage compliance automation tools and centralized management systems to navigate these complexities and streamline regulatory adherence.

5. Explosive Data Growth

The exponential growth of data creates immense opportunities but also heightens security risks. 

As organizations generate and store more data, legacy security measures often fall short, exposing critical vulnerabilities. Advanced, cloud-native, and scalable platforms help organizations scale their data protection strategies alongside data growth, offering real-time monitoring and automated controls to mitigate risks effectively.

6. Insider Threats

Both intentional and accidental insider threats remain among the most difficult challenges for CISOs to address. 

In 2024, a North Korean IT worker, hired unknowingly by an American company, stole sensitive data and demanded a cryptocurrency ransom. This incident exposed vulnerabilities in remote hiring processes, resulting in severe operational and reputational consequences. 

‍

Combatting insider threats requires sophisticated behavior analytics and activity monitoring tools to detect and respond to anomalies early. Security platforms should provide enhanced visibility into user activity, enabling organizations to mitigate such risks and secure their data proactively.

7. Shadow Data

In the race to adopt new cloud and AI-powered tools, users are often generating, storing, and transmitting sensitive data in services that the security team never approved or even knew existed. This includes everything from unofficial file-sharing apps to unsanctioned SaaS platforms and ad hoc API integrations.

‍

The result is shadow IT, shadow SaaS, and ultimately, shadow data: sensitive or regulated information that lives outside the visibility of traditional security tools. Without knowing where this data resides or how it’s being accessed, CISOs cannot protect it. These unknown data flows introduce real compliance, privacy, and security risk.

It is critical to expose and classify this hidden data in real time, in order to give security teams the visibility they need to secure what was previously invisible.

Overcoming the Challenges: A CISO's Playbook in 6 Steps

CISOs can follow a structured, data-driven, step-by-step playbook to navigate the hurdles of modern cybersecurity and data protection. However, in today's dynamic data landscape, simply checking off boxes is no longer sufficient—leaders must understand how each critical data security measure interconnects, creating a unified, forward-thinking strategy.

‍

Before diving into these steps, it's important to note why they matter now more than ever: Emerging data technologies, rapidly evolving data regulations, and escalating insider threats demand an adaptable, holistic, and data-centric approach to security. By integrating these core elements with robust data analytics, CISOs can build an ecosystem that addresses current vulnerabilities and anticipates future data risks.

1. First, Develop a Scalable Security Strategy 

A strategic security roadmap should integrate seamlessly with organizational goals and data governance frameworks, guaranteeing that risk management, data integrity, and business priorities align. 

Accurately classifying and continuously monitoring data assets, even as they move throughout the organization, is a must to achieve sustainable scale. This solid data foundation empowers organizations to quickly pivot in response to emerging threats, keeping them agile and resilient.

‍

The next step is key, as the right mindset is a must.

2. Build a Security-First Culture

Equip employees with the knowledge and tools to secure data effectively; regular data-focused training sessions and awareness initiatives help reduce human error and mitigate insider threats before they become critical risks. By fostering a culture of shared data responsibility, CISOs transform every team member into a first line of defense. 

This approach ensures that everyone is on the same page toward prioritizing data security. 

3. Leverage Advanced Tools and Automation

Utilize state-of-the-art platforms for comprehensive data discovery, real-time monitoring, automation, and visibility. By automating routine security tasks and delivering instant data-driven insights, these features empower CISOs to stay on top of new threats and make decisions based on the latest data. 

Naturally, even the best tools and automation require a strategic, data-centric approach to yield optimal results.

4. Implement Zero-Trust Principles 

Implement a zero-trust approach that verifies every user, device, and data transaction, ensuring zero implicit trust within the environment. Understand who has access to what data, and implement least privilege access. Continuous identity and device validation boosts security for both external and internal threats. 

Positioning zero trust as a core principle tightens data access controls across the entire ecosystem, but organizations must remain vigilant to the most recent threats.

5. Evaluate and Update Cybersecurity Frameworks

Regularly assess security policies, procedures, and data management tools to ensure alignment with the latest trends and regulatory requirements. Keep a current data inventory, and monitor all changes. Ongoing reviews maintain relevance and effectiveness, preventing outdated defenses from becoming liabilities.

For optimal data security, cross-functional collaboration is key.

6. Encourage Cross-Departmental Collaboration

Work closely with other teams, including IT, legal, compliance, and data governance, to ensure a unified and practical approach to data security challenges. Cooperation among stakeholders accelerates decision-making, streamlines incident response, and underscores the importance of security as a shared enterprise objective.

‍

By adopting this data-centric playbook, CISOs can strengthen their organization's security posture, respond to threats quickly, and reduce the likelihood and impact of breaches. Platforms such as Sentra provide robust, data-driven tools and capabilities to execute this strategy effectively, enabling CISOs to confidently handle complex cybersecurity landscapes.  When these steps intertwine, the result is a robust defense that adapts to the ever-shifting digital landscape - empowering leaders to stay one step ahead.

The Sentra Edge

Sentra is an advanced data security platform that offers the strategic insights and automated capabilities modern CISOs need to navigate evolving threats without compromising agility or compliance. Sentra integrates seamlessly with existing processes, empowering security leaders to build holistic programs that anticipate new risks, reinforce best practices, and protect data in real time.

‍

Below are several key areas where Sentra's approach aligns with the thought leadership necessary to stay ahead of modern cybersecurity challenges.

Secure Structured Data

Structured data - in tables, databases, and other organized repositories, forms the backbone of an organization’s critical assets. At Sentra, we prioritize structured data management first and foremost, ensuring automation drives our security strategy. While securing structured data might seem straightforward, rapid data proliferation can quickly overwhelm manual safeguards, exposing your data. By automating data movement tracking, continuous risk and security posture assessments, and real-time alerts for policy violations, organizations can offload these burdensome yet essential tasks. 

‍

This automation-first approach not only strengthens data security but also ensures compliance and operational efficiency in today’s fast-paced digital landscape.

Secure Unstructured Data

Securing text, images, video, and other unstructured data is often challenging in cloud environments. Unstructured data is particularly vulnerable when organizations lack automated classification and encryption, creating blind spots that bad actors can exploit.

In response, Sentra underscores the importance of continuous data discovery, labeling, and protection—enabling CISOs to maintain visibility over their dynamic cloud assets and reduce the risk of inadvertent exposure.

Navigate Complex Regulations

Modern data protection laws, such as GDPR and CCPA, demand rigorous compliance structures that can strain security teams. Sentra's approach highlights centralized governance and real-time reporting, helping CISOs align with ever-shifting global standards.

By automating repetitive compliance tasks, organizations can focus more energy on strategic security initiatives, ensuring they remain nimble even as regulations evolve.

Tackle Insider Threats

Insider threats—accidental and malicious—remain one of the most challenging hurdles for CISOs. Sentra advocates a multi-layered strategy that combines behavior analytics, anomaly detection, and dynamic data labeling; this offers proactive visibility into user actions, enabling security leaders to detect and neutralize insider risks early. 

Such a holistic posture helps mitigate breaches before they escalate and preserves organizational trust.

Be Prepared for Future Risks

AI-driven attacks and large language model (LLM) vulnerabilities are no longer theoretical—they are rapidly emerging threats that demand forward-thinking responses. Sentra's focus on robust data control mechanisms and continuous monitoring means CISOs have the tools they need to safeguard sensitive information, whether it's accessed by human users or AI systems. 

‍

This outlook helps security teams adapt quickly to the next wave of challenges. By emphasizing strategic insights, proactive measures, and ongoing adaptation, Sentra exemplifies an industry-leading approach that empowers CISOs to navigate complex data security landscapes without losing sight of broader organizational objectives.

Conclusion

As new threat vectors emerge and organizations face mounting pressures to protect their data, the role of CISO will become even more critical. Addressing modern challenges requires a proactive and strategic approach, incorporating robust security frameworks, cutting-edge tools, and a culture of vigilance.

‍

Sentra's platform is a comprehensive data security solution designed to empower CISOs with the tools they need to navigate this complex landscape. By addressing key hurdles such as AI risks, structured and unstructured data management, and compliance, Sentra enables companies to stay on top of evolving risks and safeguard their operations. The modern CISO role is more demanding than ever, but the right tools make all the difference. Discover how Sentra's cloud-native approach empowers you to conquer pressing security challenges.

‍

<blogcta-big>

‍