By the numbers: How common are data breaches — and what can you do about them?
When Capital One announced in July that it had been hacked, millions of Americans joined the ranks of people who have had their personal information exposed.
The data breach, which was allegedly coordinated by a Seattle software-engineer-turned-hacker, affected more than 100 million credit card customers. Paige Thompson is accused of stealing about 140,000 Social Security numbers and 80,000 bank account numbers by hacking into one of the credit card company’s servers.
It was one of the largest thefts of bank data in American history. But as far as data breaches go, the Capital One incident is hardly an anomaly.
Over the past decade, the exposure of personal information has become a routine part of American consumerism. The Privacy Rights Clearinghouse, a nonprofit organization that tracks data breaches, estimates that there have been 9,044 public breaches since 2005. More than 10 billion records — including passwords, credit card numbers and even passports — have been exposed. There is no single federal law that requires companies to notify affected customers.
As a result, a large swath of the public doesn’t trust institutions to keep their private information safe. A 2016 survey from the Pew Research Center found that a large portion of Americans is not very confident in the ability of companies and the government to protect their data.
That was the same year as some of the biggest data breaches of the decade, such as those at Yahoo and MySpace.
“These mega-breaches are getting so big and so common,” said Heidi Shey, principal analyst at Forrester, a market research company. “Once you get to that point, everyone is swept up in this in some way.”
How common really are data breaches? What kinds of records are most commonly made public? And how do experts even define what a data breach is? PolitiFact set out to get the facts.
Who is affected by data breaches?
The International Organization for Standardization, a body that sets commercial standards around the world, defines breaches as any “compromise of security” that leads to “loss, alteration, unauthorized disclosure of, or access to protected data.” In layman’s terms: data breaches occur when private information is exposed. That includes stuff like emails, addresses, credit card numbers and even fingerprints.
And breaches don’t only affect consumers.
The Privacy Rights Clearinghouse tracks data breaches affecting institutions ranging from private businesses and retail stores to nonprofits and the government. One of the most notable examples of the latter came in 2015 with the realization that, for at least two years, Chinese hackers had gained access to employee data from the U.S. Office of Personnel Management.
A 2016 congressional report summed up the damage:
“In what appears to be a coordinated campaign to collect information on government employees, attackers exfiltrated personnel files of 4.2 million former and current government employees and security clearance background investigation information on 21.5 million individuals. Additionally, fingerprint data of 5.6 million of these individuals was stolen.”
Even the military is susceptible to cyberattacks. In 2006, an Air Force official suspected that Chinese hackers had stolen between 10 and 20 terabytes of data from the Defense Department.
Who’s behind them?
Shey broke it down into three categories.
First are external actors. These are hackers or other malicious entities that try to steal information for personal, monetary or organizational gain. Data from the Privacy Rights Clearinghouse show that hacking is among the most common reasons for breaches.