Zahra Hassanzadeh

1 article
Public Works and Government Services Canada ORCID: 0000-0002-5501-7972


  1. User Perception of Data Breaches
    Abstract

    Background: Data breaches happen when an unauthorized party gains access to personally identifiable information. They are becoming more common and impactful, raising serious concerns for individuals as well as companies. Literature review: Although there is considerable literature on users’ mental models in security and privacy, there has been limited study of mental models related to data breaches. Research questions: 1. How do users understand data breaches? 2. What are their perceptions of the causes, responsibilities, and consequences, as well as possible prevention and appropriate follow up? Methodology: We explored end-user understanding of internet data breaches by conducting a study with 35 participants. They were asked to draw their understanding of data breaches and answer some open-ended and closed-ended questions afterwards. Results/discussion: Although their drawings varied in detail and complexity, we identified four patterns in the participants’ drawings: they illustrated abstractions of attacks to gain administrator access, end-user access, backdoor access, or access using database server vulnerabilities. We found that participants had a basic model of how an internet data breach happens, but with significant uncertainties regarding system vulnerabilities, causes, consequences, prevention methods, and follow-up steps after a breach.
    Conclusions: In all, end-user mental models of internet data breaches are basic and show gaps that emphasize the need for improved communication to increase users’ awareness and help them hold companies accountable.

    doi:10.1109/tpc.2021.3110545