Blog
October 28, 2025
3 Steps to Mitigate the Growing Risk of Non-Production Environment Breaches
Data Management, Security & Compliance
The risks of non-production environment data breaches are rising. While costly data breaches are nothing new in the enterprise world, the problem continues to worsen. According to the Perforce Delphix 2025 State of Data Compliance and Security Report, 60% of surveyed organizations have experienced data breaches or theft in non-production environments — an 11% increase from 2024.
In this blog, we'll break down what's making non-production environments so vulnerable, what happened in a 2022 LastPass incident, and steps you can take to secure sensitive data today.
Table of Contents
- Why Is the Non-Production Environment Risk So Severe?
- The LastPass Hacks: A Prime Non-Production Risk Example
- The Bigger Picture: Non-Production Environments Are Increasingly Vulnerable
- 3 Steps to Mitigating Data Risk in Non-Production Environments
- How Enterprises Mitigate Risks in Non-Production Environments
- Eliminate Security Risks with Perforce Delphix Data Masking
Why Is the Non-Production Environment Risk So Severe?
In 2025, Harini Shankar, Director of Technology at the Financial Industry Regulatory Authority (one of the leading regulatory bodies in financial services), wrote about data privacy risks in non-production environments for the IAPP, highlighting the following:
- Multicloud architectures create the need for robust test automation, but this "can introduce significant data privacy and additional compliance risks," particularly when real production data is involved.
- Distributed test environments involve multiple teams and third-party vendors, which "increases the risk of unauthorized data access and sharing." Without stringent security controls, sensitive data can be exposed, leading to potential breaches.
The LastPass Hacks: A Prime Non-Production Risk Example
Hackers targeting non-production environments is an alarming trend for enterprises. LastPass is one business that has endured this type of breach: two linked breaches of its development environments in 2022. The severity of the company’s breach serves as a warning to businesses to secure their non-production environments so that they can avoid similar incidents.
Both LastPass data breaches occurred in the latter half of 2022, and the hacker leveraged information from the first breach to conduct the second. The first breach took place in August, when an undisclosed hacker broke into a development environment and stole source code and technical information, LastPass reported in a blog post.
The hacker was also able to steal unencrypted and encrypted vault data, including personally identifiable information (PII) such as names, addresses, and telephone numbers. Over the next two months, the hacker conducted reconnaissance of a cloud storage environment separate from LastPass’s production environment, according to a statement from LastPass.
The hacker struck LastPass again in November 2022. In this attack, the hacker used information obtained from the first attack, as well as data from a third-party breach, to target the home computer of a LastPass senior DevOps engineer who held the high-level credentials needed to use the decryption keys for the cloud storage service, per LastPass and ZDNet. This engineer was one of only four DevOps engineers with this level of access. The hack allowed the attackers to gain access to the DevOps engineer’s corporate vault, which contained “encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups,” per LastPass.
The Bigger Picture: Non-Production Environments Are Increasingly Vulnerable
The LastPass hack is notable for its sophistication, the linkage between the two attacks, and the degree to which the attacker exploited LastPass’s non-production environments. But the LastPass breach is just the latest in an ongoing trend in which hackers target enterprises’ non-production environments rather than end-user-facing production environments.
One of the first prominent breaches of a non-production environment transpired in 2016, when bad actors exploited Uber’s software development environments to break into the rideshare giant’s cloud storage, where they stole a significant amount of consumer data. In 2021, a hacker leveraged an unprotected router to gain access to T-Mobile’s production, staging, and development servers, which compromised over 48 million social security numbers and other details.
This trend is worrying for three reasons. First, the security of non-production environments is often an afterthought for most enterprise security teams, who tend to focus more heavily on protecting customer-facing production environments. Second, in our experience, non-production environments constitute up to 80% of an enterprise’s attack surface area in terms of endpoints, privileged user accounts, and data. So, not only are non-production environments vulnerable — they’re a large target, too.
And lastly, IT organizations often create multiple, redundant copies of test data, allowing numerous copies of test data to float around these vulnerable non-production environments. With about 8–10 copies of test data floating around non-production environments for every production environment, these non-production environments have become treasure troves for hackers seeking to steal customer data.
3 Steps to Mitigating Data Risk in Non-Production Environments
LastPass has since taken a number of actions as part of its incident response and recovery activities, including upgrading its multi-factor authentication, decommissioning its development environment and constructing a new environment, and adding “additional logging and alerting capabilities to help detect any further unauthorized activity,” per its blog post.
But taking proactive measures to secure data is always better than taking reactive measures following a data compromise. In our experience in working with hundreds of large and regulated enterprises on securing their data in non-production environments, enterprises mitigate the risks by taking the following actions:
1. Maintain an Immutable Baseline and Mitigate Vulnerability Due to Data Changes
Hackers are often as skilled at covering their tracks as they are at penetration. Since social engineering (not brute force) is the main way that attackers compromise and gain access to systems, it is critically important that hackers be prevented from covering their tracks.
An immutable copy of a dataset and its associated configuration means that surgical redactions and deletions can be rapidly identified and corrected, and that hackers are far less able to alter files (especially configuration and log files) to cover their tracks.
Moreover, data immutability provides extra protection against attempts to destroy data permanently, because the immutable copy is out of the hacker’s reach. Non-production environments are often the favored attack vector because they are usually less protected than the production fortress.
2. Maintain Code and Data Velocity, Especially in Response to a Vulnerability
When responding to a breach, velocity matters. Many breaches are the result of software defects or incorrectly configured software, for which the fix depends on developers and testers (including security testers). Therefore, the speed (velocity) by which your development and quality teams can respond to and correct software is critical.
But development slows when data must be conditioned before it is useful, especially when testing new features. So, when a data vulnerability comes to light, the time it takes to pull the affected data out of service and the time it takes to deliver new data are crucial in terms of both exposure time and time to restore service.
Data figures prominently in code velocity as well. In response to a zero-day attack or a critical code vulnerability, being able to rapidly deliver the right test dataset for validating a security patch directly affects lead time for change and time to restore service.
3. Mask Sensitive Data Used in Non-Production Environments
The most powerful way to protect data is to make the data useful to the developer and tester but useless to the thief and hacker. The key phrase here is useful — data protection techniques such as nulling and redaction can’t accomplish this, because developers can’t test with null data, and they need access to all data values in order to run diagnostics as needed.
Development teams need a way to transform the data so that it has valid values that nevertheless don’t correspond to any real situation. Data masking, when done right, provides a no-compromises approach by irreversibly replacing the original, real data values with fictitious but realistic equivalents.
Some solutions — like static data masking — can also maintain referential integrity of masked data across datasets that are distributed across different platforms, including both on-prem and public cloud platforms. This carries the added benefit of bringing test data into compliance with virtually all data privacy regulations by simply replacing regulated data with realistic substitutes. Our 2025 State of Data Compliance and Security Report found that 95% of surveyed global enterprises use static data masking.
Because it replaces existing data with fictitious yet realistic data, PII data masking eliminates the risk of personal data exposure in the event of a breach — while also preserving business value. When done right, masking alleviates the privacy fears of users and the business value fears of developers and IT professionals.
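As an added illustration of the masking properties described above (irreversible, realistic substitutes that keep referential integrity across tables), the following Python masks a constructed customers table and an orders table that join on email. This is example code, not Delphix's implementation or code from this post; the HMAC masking key and the name pools are assumptions.

```python
import hashlib
import hmac

# Constructed sample extract: two tables joined on `email`. All values are fictitious.
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com", "phone": "555-0101"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.com", "phone": "555-0102"},
]
ORDERS = [
    {"order_id": 100, "email": "alice@example.com", "total": 42.50},
    {"order_id": 101, "email": "bob@example.com", "total": 9.99},
    {"order_id": 102, "email": "alice@example.com", "total": 17.00},
]
# Assumed masking key (constructed). It stays with the masking job and is never copied
# to non-production, so a thief holding the masked data cannot recover the originals.
MASKING_KEY = b"constructed-demo-key-not-a-real-secret"
FIRST_NAMES = ["Jordan", "Taylor", "Morgan", "Casey", "Riley", "Avery"]
LAST_NAMES = ["Reyes", "Okafor", "Lindqvist", "Nakamura", "Dubois", "Patel"]

def _digest(field: str, value: str) -> bytes:
    """Keyed, per-field HMAC: same input gives same output, but it is not reversible."""
    return hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()

def mask_name(value: str) -> str:
    d = _digest("name", value)
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"

def mask_email(value: str) -> str:
    # Keeps a valid user@domain shape; the reserved example.org domain avoids real mailboxes.
    d = _digest("email", value.lower())
    return f"user{int.from_bytes(d[:4], 'big') % 1_000_000:06d}@example.org"

def mask_phone(value: str) -> str:
    d = _digest("phone", value)
    return f"555-{int.from_bytes(d[:2], 'big') % 10_000:04d}"

def mask_tables(customers, orders):
    """Mask both tables with the same keyed functions so the join column still matches."""
    masked_customers = [dict(c, name=mask_name(c["name"]), email=mask_email(c["email"]),
                             phone=mask_phone(c["phone"])) for c in customers]
    masked_orders = [dict(o, email=mask_email(o["email"])) for o in orders]
    return masked_customers, masked_orders

def orders_per_customer(customers, orders):
    """Referential-integrity check: every order must still join to a customer."""
    counts = {c["email"]: 0 for c in customers}
    for o in orders:
        counts[o["email"]] += 1  # a KeyError here would mean masking broke the join
    return sorted(counts.values())
```

The small name pool means two unrelated customers can share a masked name, which is fine for a display field but not for a join key; the email mask uses a much larger output space for that reason, and a production masking job would size it to the dataset.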
How Enterprises Mitigate Risks in Non-Production Environments
IDC Study*
Organizations that mitigate data risks in non-production don't just ensure compliance — they move faster. A recent IDC study of Delphix customers found that teams using Delphix:
- Achieved 58% faster application development.
- Protected 77.2% more environments.
- Realized a 408% ROI with payback in under six months.
*Source: "IDC Business Value White Paper, sponsored by Delphix, by Perforce, The Business Value of Delphix, #US52560824, December 2024"
UniSuper Secures Sensitive Data in Non‑Production Environments
UniSuper needed to secure sensitive data without slowing down testing. By using Delphix, they improved security compliance and reduced refresh times from 6 hours to under 60 minutes.
Molina Healthcare Reduces Risk of HIPAA Non-Compliance
Molina Healthcare needed to ensure their sensitive data in lower environments was secure and HIPAA-compliant. By using Delphix, they deliver secure, masked data in under 10 minutes, plus they saved $6-10M in storage costs over three years.
California State University Ensures Large-Scale Data Risk Mitigation
California State University needed to reduce data risk in non-production environments at a massive scale. By using Delphix, they automated 2,000+ data requests per month and integrated masked data into their pipelines.
Eliminate Security Risks with Perforce Delphix Data Masking
Data breaches in non-production environments are on the rise, putting businesses' sensitive data at risk. High-profile cases like the LastPass breach highlight the critical need for robust data security measures. With Perforce Delphix, your organization can stay ahead of cyberthreats and ensure compliance with privacy regulations like GDPR, CCPA, HIPAA, and PCI DSS.
Mitigate Breaches and Strengthen Compliance
Non-production environments often constitute up to 80% of an enterprise’s attack surface, making them prime targets for hackers. However, Delphix data masking transforms sensitive data — such as names, email addresses, and payment information — into realistic yet fictitious equivalents. By doing so, it neutralizes the risk of exposing personally identifiable information (PII) while maintaining the integrity and usefulness of the data for development, testing, analytics, and AI initiatives.
Combat Breaches with Speed and Quality
The rapid rise in cybercrime demands swift, proactive responses. Delphix combines data masking and data virtualization capabilities to deliver masked, compliant data to downstream environments in minutes, ensuring velocity without compromising safety. The platform’s ability to maintain referential integrity across distributed environments makes it vital for enterprises managing sensitive data across on-premises systems and public cloud platforms.
On average, Delphix customers reduce secure data provisioning times from days or weeks to minutes or hours — proving that stronger non‑production data protection does not have to come at the expense of delivery speed.