The ‘average’ data breach exposed 157,905 victims to identity theft! (Or was it just 501?)
Ask anyone to name a few actual data breaches and they’ll all cite the same few names. Only big breaches such as Anthem, Equifax, Marriott, or Yahoo are likely to come to mind, and always for the same reason: they generated the most news. If you try this experiment yourself, it’s very unlikely anyone will mention any of the small breaches they were notified of. Yet with over a thousand data breaches occurring every year, here’s something even most of the experts don’t know: the overwhelming majority of data breaches impact just a handful of victims, yet they are no less dangerous than the big ones! This is a big problem, because most people don’t pay attention to the great majority of all breaches that impacted their personal data! As a result of this perception issue, the risk of identity theft and fraud to individual identity-holders is increased.
I asked Breach Clarity’s partners at the ITRC to run some numbers for me, which confirmed my suspicions from reviewing lists of every day’s latest new data breaches. (The ITRC has the most comprehensive list of publicly-reported data breaches in the US.) Over the last five years, the mean average breach exposed a whopping 157,905 consumer identities. 157K is a massive number, and the size of breaches at organizations such as Anthem, Marriott, and Yahoo causes such traditional methods of calculating ‘average’ to yield inflated results, giving the impression that the typical data breach is a big breach. But it turns out that the median, which is another equally legit method of calculating ‘average’ and is also often used in real estate property prices, is a much better indicator of the size of the typical breach, at just 501. 501 vs. 157,905… what wildly different ways of viewing how big we believe the ‘average’ breach is! Add this to the list of confusing reasons causing people to not take action (action that just might prevent identity theft or fraud) after a data breach notice lands in someone’s email or physical mailbox.
Hold on though, because I have even worse news. Despite generating little buzz, many smaller breaches actually bring more risk of identity theft, including potential opening of new financial accounts, medical identity theft, tax refund fraud, existing account fraud, account takeover, debit or credit card fraud, criminal identity theft, employment impersonation, and so much more. The logic is generally simple: big enterprises often have more sophisticated capabilities in both database management and data security, in contrast to your neighborhood mom n’ pop shop that might just be storing every one of your identity credentials in an unencrypted Excel spreadsheet.
So what can we do about this problem? Opinion leaders (such as reporters, industry professionals, policy-makers, etc.) need to get the word out. Consumers need to hear that it makes no difference to their safety whether or not they heard about a particular data breach in the news. We need consumers to look beyond the headline names, in order to (also) pay attention to breaches that they only learn about through direct communication from the breached organization. Then, armed with the name of the breach, they can enter it into Breach Clarity’s search window to learn what the top risks are, and what actions promise the strongest safety benefits.