As digitization continues, various types of information —including personal information, trade secrets, confidential national intelligence, etc. —exists in digital format, namely, as data. Data is also essential for the functions of computers or computer systems, because they perform their functions by processing data. Therefore, data itself can be a highly attractive target of malicious cyber operations conducted during armed conflicts. Focusing on the principle of distinction, as one of the cardinal principles of the law of armed conflict, this study attempts to examine whether civilian data can be protected from malicious cyber operations performed in armed conflicts. With a view to focusing on cyber operations targeting data, this article defines ‘data breach’ as a type of cyber operations which breach confidentiality, integrity or availability of data. The principle of distinction prohibits attacks directed on civilians and civilian objects. Accordingly, this article seeks to examine (i) whether data itself can be regarded as ‘objects’; and (ii) data breaches can constitute ‘attacks’ under the law of armed conflict. Under the current interpretation on ‘object’, it should be visible and tangible, This interpretation means that inherently intangible data cannot enjoy the status of objects under the law of armed conflict. As to the interpretation of ‘attacks’, which is defined as acts of violence against the adversary in the article 49 of the AP I, this study takes effects-based approach which is currently the most supported approach. According to this approach, only if data breaches result in physical effects(e.g. death or injury of people or damage to objects), the breaches are likely considered as attacks. However, data breaches can cause serious harm on civilians’ life without physical damage. Accordingly, under the existing interpretation on the concepts of ‘objects’ and ‘attacks’, civilian data cannot be protected by the principle of distinction. The more increases the dependence on cyberspace, the more necessary is the protection of civilian data in armed conflicts. The protection of civilian data is also necessary in order to assure the principle of humanity, as a driving force of the law of armed conflict. Accordingly, taking into account data, the interpretation of main concepts of the law of armed conflict should be reexamined. If it cannot be solved by reinterpretation on the main concepts, new norms should be developed for the protection of civilian data.