I asked Breach Clarity’s partners at the ITRC to run some numbers for me, which confirmed my suspicions from reviewing lists of every day’s latest new data breaches. (The ITRC has the most comprehensive list of publicly-reported data breaches in the US.) Over the last five years, the mean average breach exposed a whopping 157,905 consumer identities. 157K is a massive number, and the size of breaches at organizations such as Anthem, Marriott, and Yahoo causes such traditional methods of calculating ‘average’ to yield inflated results, giving the impression that the typical data breach is a big breach. But it turns out that the median (another equally legit method of calculating ‘average’, also often used for real estate property prices) is a much better indicator of the size of the typical breach, at just 501. 501 vs. 157,905… what wildly different ways of viewing how big we believe the ‘average’ breach is! Add this to the list of confusing reasons that keep people from taking action (action that just might prevent identity theft or fraud) after a data breach notice lands in someone’s email or physical mailbox.
Hold on though, because I have even worse news. Despite generating little buzz, many smaller breaches actually bring more risk of identity theft, including potential opening of new financial accounts, medical identity theft, tax refund fraud, existing account fraud, account takeover, debit or credit card fraud, criminal identity theft, employment impersonation, and so much more. The logic is generally simple: big enterprises often have more sophisticated capabilities in both database management and data security, in contrast to your neighborhood mom n’ pop shop that might just be storing every one of your identity credentials in an unencrypted Excel spreadsheet.
So what can we do about this problem? Opinion leaders (such as reporters, industry professionals, policy-makers, etc.) need to get the word out. Consumers need to hear that it makes no difference to their safety whether or not they heard about a particular data breach in the news. We need consumers to look beyond the headline names and (also) pay attention to breaches that they only learn about through direct communication from the breached organization. Then, armed with the name of the breach, they can enter it into Breach Clarity’s search window to learn what the top risks are, and what actions promise the strongest safety benefits.