According to AT&T's A CEO Guide to Navigating the Threat Landscape report, approximately, 50 percent of data breaches are first detected by the breached company's employees. What about the other 50 percent? Those notifications are more-or-less evenly distributed across law enforcement, customers and service providers.
What the report does not measure (because it's impossible) is how often companies ignore breach notifications from third parties that are not under the employ of the company. Yes, you read that right - some companies ignore breach notifications if they are not from employees, customers, law enforcement, or hired service providers. The reason for this lies in a loophole in virtually all privacy regulations - they do not address third-party notifications, so companies are free to ignore them.