The headlines are frightening: Massive Data Breach! Billions of Records Stolen! Millions of personal identities at Risk!
It seems that every month brings another data breach and another mad rush to protect our data fortunes against nefarious intruders.
Data breaches on the scale of Equifax, Yahoo, the IRS and others are a serious concern, but they tend to be overhyped by both the mainstream media, which is often misled by so-called security experts who profit from the fear they help fuel, and even some members of the trade press who should know better. (Read Why Small Businesses Need to Learn from High-Profile Data Breaches.)
By spreading unnecessary panic among the public, these scare tactics do more harm than good, causing people to spend money unnecessarily, potentially further compromising their identities in the bargain, and masking the real dangers that breaches pose.
Exposed Data Isn't Stolen Data
One of the most basic problems with the coverage of data breaches is the failure to clearly define the terms being used by the experts. The most pervasive example is the difference between data that is “stolen” or just “exposed.” (Read Data Breach Notification: The Legal and Regulatory Environment.)
In a recent report on Wired, tech writer Lily Hay Newman points out the obvious: exposed is data that is no longer protected and can be taken at any time, while stolen is, well, actually stolen. So even though a breach may expose millions, even billions, of IDs, only a small portion is likely to be stolen.
It’s like having all of your possessions exposed to theft during a break-in of your home, but fortunately the thieves only made off with your big screen TV and left your priceless collection of rare Conway Twitty albums safe and sound under the stereo.
What’s more, much of the data that is being exposed, even personal data, is already readily available to anyone with a credit card. Investigators have previously uncovered a trove of exposed personal records compiled by a San Francisco company called People Data Labs (PDL).
PDL is a data broker that makes a living selling the personal information of private citizens. If anyone had wanted any of that exposed data, it would probably cost them less to just buy it from PDL rather than mount a sophisticated hacking operation.
This leads us to another set of misnomers perpetuated by a naïve media industry and the sources they rely on to explain data breaches: the loose way in which terms like “records”, “accounts” and “files” are tied to headlines referring to millions and billions of exposures.
In summer of 2019, a Chinese company called Orvibo reported a breach that exposed upwards of 2 billion customer records, triggering the expected wave of headlines around the world. (Read Why Are Millennials Top Cybercrime Targets?)
But as MacKeeper pointed out at the time, the number of records exposed — again, not stolen, just exposed — does not correspond with the number of users affected.
A record is a single line of data in a database, so it stands to reason that users, particularly corporate users, would have multiple records on Orvibo’s database. And that means the number of exposed users is far fewer than 2 billion, and the number of users who had any actual data stolen is even less.
All of this points out the one salient fact that is often overlooked in this era of multi-billion data exposures: even with all of this data supposedly now on the loose, the incidence of identity theft is relatively low. In addition to the Equifax breach, the year 2017 also saw infamous Yahoo breach that affected 3 billion users, nearly half the world population.
Forgetting for the moment how Yahoo could not compete effectively in the social media market with 3 billion users under its wing, data from the Federal Trade Commission shows that there were only 3 million cases of financial fraud in 2018 and less than 15% was attributed to identity theft.
True, this was a nearly 20% jump from the previous year, which was most certainly caused by the spike in breaches the year before, but it is still less than half a million people out of a pool of more than 3 billion who were led to believe their data had been stolen. And it should be noted that data breaches are not the only way IDs can be stolen.
The most common cause, in fact, is the simple phishing scam (although the email targeted in the scam was likely obtained from stolen data).
In addition, the consequences of ID theft are not nearly as severe as they were a few years ago. The FTC data shows that the cost of the most prevalent form of ID theft, credit card fraud, has seen a dramatic decline in the past year due to chip readers and other measures. And in virtually every case, card holders are not held responsible for charges related to this kind of theft.
Even the Social Security Administration has streamlined the process of reporting and repairing existing SS numbers or assigning new ones when damages extend beyond simple fraud.
An Industry-Wide Problem
None of this is to say that data breaches or identity theft should be ignored, but the fact remains that the headlines surrounding any given breach vastly over-dramatize the true seriousness of the problem, and by and large the resulting problems encountered by consumers are usually borne by industry, not individuals.
In fact, sowing panic over these incidences often causes people to overreact, even to the point of increasing their risk of identity theft.
Following the Equifax breach, the L.A. Times ran an interesting story on the flood of applications to LifeLock and other protection services. These companies bundle a wide range of homegrown and third-party services, including the credit protection services by the three leading credit monitoring bureaus, including Equifax.
Ultimately, this not only led to a windfall for Equifax following its breach, but users ended up handing over personal information to the very company that allowed it to be exposed in the first place. And none of these protection services are designed to protect data or prevent theft but only to minimize the damage and help restore credit after a theft has occurred.
To be sure, any data breach is a serious matter because it reveals the holes that exist in the data infrastructure that is now vital to our modern way of life. But there is a big difference between rationally addressing a problem and spewing false or misleading headlines that frightens consumers into irrational acts.
The media’s responsibility is to report the truth in all its context, not to stoke fear to draw hits on a web page.