If you’ve used the internet for more than five years, your personal information is already on the open web somewhere. Your email, password hashes, phone number, address, possibly your Social Security number. Equifax, Marriott, Yahoo, T-Mobile, AT&T, Anthem, Capital One: the list of major breaches isn’t a series of unlucky accidents. It’s a baseline operating condition of the digital economy.
The honest framing isn’t “if a company gets breached,” but “when, and how badly.” Personal defense has to start there.
The economics push companies toward “good enough” security
Security spending is a cost center, not a revenue line. Boards approve cybersecurity budgets based on perceived liability, not perfection. The math most large firms run looks something like: we’ll spend X on prevention, accept some probability of a breach, and budget Y for the eventual settlement, credit monitoring, and PR cleanup. Penalties under U.S. law have historically been small relative to the company’s size. Equifax paid roughly $700 million for a breach exposing 147 million people, about $4.75 a head. That’s not a deterrent. It’s a line item. Until liability changes, “acceptable risk” will continue to mean “your data, occasionally.”
Aggregation makes every breach worse than it looks
A single breach is rarely the whole problem. The real damage comes from aggregation. Attackers correlate leaks across breaches, keying on a stable identifier such as an email address: a password from one dump, a phone number from another, a home address from a third, a maiden name from a fourth. With four to six such fields, an attacker can pass most knowledge-based authentication checks. This is why old breaches matter even after you’ve changed passwords. Your address, date of birth, and SSN don’t expire. The dataset you’re worried about isn’t the most recent leak; it’s the running merge of everything that’s leaked since 2010.
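To make the aggregation point concrete, here is an added example (not from the original post) that merges a few constructed, fictional breach dumps on normalized email address and counts how many knowledge-based-authentication fields each resulting identity exposes. The dump names, records, field names and the four-field threshold are all assumptions chosen for illustration; the point it shows is that a 2012 password hash is stale while the address, date of birth and maiden name from later leaks still stack up against the same person.

```python
from collections import defaultdict

# Constructed sample dumps (fictional people and values), each representing
# one breach export after normalization into a list of records.
DUMPS = {
    "forum_2012": [
        {"email": "Jane.Doe@Example.com", "password_hash": "5f4dcc3b5aa765d61d8327deb882cf99"},
        {"email": "bob@example.net", "password_hash": "e99a18c428cb38d5f260853678922e03"},
    ],
    "retailer_2016": [
        {"email": "jane.doe@example.com", "phone": "(555) 010-2233", "address": "12 Oak St"},
    ],
    "insurer_2019": [
        {"email": "JANE.DOE@example.com ", "dob": "1984-03-09", "ssn_last4": "1234"},
        {"email": "bob@example.net", "dob": "1979-11-30"},
    ],
    "lender_2023": [
        {"email": "jane.doe@example.com", "mothers_maiden_name": "Smith"},
    ],
}

# Fields commonly used in knowledge-based authentication (assumed list).
KBA_FIELDS = ("phone", "address", "dob", "ssn_last4", "mothers_maiden_name")


def normalize_email(email: str) -> str:
    """Lowercase and trim so 'Jane.Doe@Example.com' and 'jane.doe@example.com'
    link to the same identity. Provider-specific rules (Gmail dots, plus-tags)
    are deliberately left out of this example."""
    return email.strip().lower()


def merge_dumps(dumps):
    """Merge every record from every dump into one profile per normalized email.
    The first value seen for a field is kept; the 'sources' set records which
    breaches contributed to each profile."""
    profiles = defaultdict(lambda: {"sources": set()})
    for dump_name, records in dumps.items():
        for record in records:
            profile = profiles[normalize_email(record["email"])]
            profile["sources"].add(dump_name)
            for field, value in record.items():
                if field != "email" and value:
                    profile.setdefault(field, value)
    return dict(profiles)


def kba_exposure(profiles, threshold=4):
    """For each merged identity, list the KBA fields now exposed and flag it
    when the count reaches the threshold the text describes (four to six)."""
    report = {}
    for email, profile in profiles.items():
        fields = [f for f in KBA_FIELDS if f in profile]
        report[email] = {
            "fields": fields,
            "sources": sorted(profile["sources"]),
            "at_risk": len(fields) >= threshold,
        }
    return report


if __name__ == "__main__":
    for email, row in kba_exposure(merge_dumps(DUMPS)).items():
        status = "AT RISK" if row["at_risk"] else "ok"
        print(f"{email}: {len(row['fields'])} KBA fields {row['fields']} "
              f"from {row['sources']} -> {status}")
```

Running it shows jane.doe@example.com assembled from four separate breaches with all five KBA fields present, while bob@example.net, who appears in two dumps, exposes only a date of birth. No single dump here would have been enough; the merge is what makes the identity usable.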
“Credit monitoring” is mostly theater
After a breach, companies routinely offer affected users a year or two of free credit monitoring. The product is reactive: it tells you after a fraudulent account opens. It does little to prevent the opening itself. Far more effective is a credit freeze, which is free at all three bureaus and stops new accounts from being opened in your name without you actively unfreezing. Yet credit freezes are quietly underused, partly because they require slightly more friction. Companies offering monitoring know this. The optics solve the lawsuit; the freeze solves the problem.
What individuals can actually do
Use a password manager so each site has a unique credential; credential stuffing, which replays leaked email/password pairs against other sites, is the highest-volume attack vector, and a unique password makes a leaked one worthless elsewhere. Turn on two-factor authentication, ideally via an authenticator app or hardware security key rather than SMS, which can be hijacked through SIM swapping. Freeze your credit at all three bureaus. Treat any unsolicited “verify your account” email or call as hostile until proven otherwise, and reach the company through a number or site you already know rather than one the message supplies. None of this prevents breaches, but it dramatically reduces the value of your data when it leaks.
The bottom line
Treat data breaches the way you treat weather, not crime. They will happen. Build the household equivalent of waterproofing: defenses that work whether or not any specific company gets hit.