One of the biggest obstacles for organisations is understanding where critical data resides and how it is currently protected. Apart from the production environment, copies of important or sensitive data is also stored in back-ups, data warehouses and test environments. These environments may be less protected than the production environment. Data risk is a growing risk for companies and a great opportunity for hackers. Recently, a well-known travel agency was hacked and almost 1 million customer records were exposed. Although, the production environment was secure, the test environment which was less secure was also accessible from the internet which facilitated unauthorised access to sensitive customer data. Data Risk Management should therefore focus on the data, as recommended by the international security standard ISO27001:2013.