Ask a person whether some form of their personal information was stolen by hackers in recent years, and the answer is probably yes. That’s likely why Friday’s news that Marriott International had exposed the personal information of up to 500 million customers caused a ripple in the news cycle rather than a tidal wave and why the Monday night announcement from the question-asking site Quora that “some user data was compromised” from around 100 million user accounts caused even less than that.
Marriott’s data breach, which included sensitive information like passport numbers, credit cards, birth dates and mailing addresses, was one of the worst breaches in the digital age in both size and potential impact. Quora’s included private information, like direct messages, along with account information like emails and password information. They’re the latest instances of companies failing to safeguard the personal data of customers.
There are billions of bits of stolen personal data floating around and being traded on the dark web. Even if your information wasn’t stolen in the Quora or Marriott breaches, dozens of other hacks mean your personal information is likely out there, as the New York Times recently illustrated in a handy interactive graphic.
“If you take the data from one breach by itself, that information is not necessarily going to give you much,” said Mikhail Sosonkin, a security researcher and hacker who works for the cybersecurity company Synack. Cross-reference various sets of stolen data, though, and bad actors can compile more comprehensive data sets piece by piece about people whose information has been repeatedly compromised, Sosonkin said.
The types of stolen information can vary—social security numbers (Equifax), security questions (Yahoo), credit card information (Target), passwords (Quora) and phone numbers (Uber) have all been exposed—but the response is largely the same. Companies apologize, and consumers are told, again, to be vigilant about monitoring their digital identities. While headlines about personal data breaches fade, the risk posed by stolen personal data does not fade after the theft. Instead, each hack that exposes personal data stands to heighten the impact of previous breaches.
“A black hat [hacker] out there collecting this information—they don’t care where it comes from,” Sosonkin said. “They are going to want to combine all of it together.”
Some data, like credit card numbers, expire over time. But other identity markers like passport numbers, social security numbers or home addresses are much harder to change, giving those data points a longer shelf life and making them more valuable to potential identity thieves.
“There isn’t some sort of time limit for when harm can happen from a breach like this,” said Christine Bannan, an attorney at the consumer group Electronic Privacy Information Center who focuses on consumer protection issues. “The value of information sometimes comes from linking it with other sources … so it’s hard to isolate it in time.”
That’s bad news for consumers, and it’s also bad for businesses. Companies hang on to consumer data they’ve collected over the years because those data points might become more valuable over time. When companies lose it, they’re not just putting consumers at risk and jeopardizing their consumers’ trust; they are lowering the value of that data for themselves, too.
“Your data is gold, and it’s what makes [businesses] worth the valuation that they have,” Sosonkin said. “If they lose it, the company loses.”
A July 2018 report from IBM Security estimated that the average total cost of a minor data breach for businesses around the world—anywhere from 2,500 to around 100,000 records stolen or lost—is around $3.8 million, up more than 6 percent year over year. Megabreaches, in which more than 1 million records are lost or stolen, can cost companies anywhere from $40 million to $350 million depending on the scale of the breach, the same analysis estimated.
Mark Kuhr, the CTO and co-founder of Synack, said companies should adopt better security practices like continuous security monitoring, which aims to find vulnerabilities before they’re exploited. From a business perspective, he said, the cost of security measures and the overall lack of steep penalties means businesses are not incentivized to address the issue head-on.
“Consumers are getting pretty used to having their information compromised, so it’s sort of old hat,” Kuhr said. “What is the punishment for these businesses that take our data and then lose it? We need to take a holistic approach to all of these companies that are holding our data and start to figure out if there’s a better way from a policy or legislative approach.”
Bannan is an advocate for data minimization practices, in which companies do not store unnecessary data about consumers, and for regulations that will penalize companies that put consumers’ data at risk.
“Consumers can’t possibly know the data security practices of every company they ever interact with,” Bannan said, adding, “The biggest thing is that we don’t have any general privacy law in the U.S., so there really is very little legal responsibility of companies to protect consumer information and very little recourse for consumers when their data is compromised.”
Legislators are working on crafting federal privacy regulations, and some lawmakers are pushing to include substantive penalties for companies that lose personal data. Unfortunately, already leaked personal data will still be out there. That alone makes Sosonkin feel “kind of helpless,” he said, about what might happen to his personal information.
“If someone breaks into the bank, there are ways that individuals whose money was stolen can get it back,” he said. “There isn’t a mechanism like that in the data world.”