When is a database breach not a breach at all? When that breach doesn’t expose regulated information, such as Social Security numbers or credit card numbers. But if your organization is a victim of a seemingly inconsequential hit that exposes e-mail addresses or passwords, that can be reset, it could mean more problems for you than you think. These breaches are not only a cultural red flag, but also a signal that the company is ripe for future serious breaches. The impact may be felt for months following the breach, as registration numbers fall off.”]
Source: https://www.darkreading.com/attacks-breaches/-low-impact-breaches-can-signal-more-badness-to-come