Target. Home Depot. Michaels. And now, this Sony mess. The year 2014 will certainly be known as the year of the mega-hack, the year personal privacy took its first really big hit, right?
Not so fast. We’ve been down this road before. A trip down memory lane will offer some perspective.
Sure, 2014 began with Target news (the hack was revealed in December 2013, but the story swelled in January and beyond). And 2014 will end with the continuing Sony saga, a plot no screenwriter would dare consider. Hackers have actually managed to derail the release of a major Hollywood movie and embarrass executives by publishing their emails.
In between, the hits kept coming. Albertson’s and SuperValu. Home Depot. Even Dairy Queen. So many breach disclosure notifications. So may Brian Krebs blog entries. So many offers of free credit monitoring. You’d be tempted to add them all up, but that’s an exercise in compounding rounding errors. Suffice to say well more than 100 million U.S. adults were hit by these hacks this year, even when you consider double-counting.
Somewhere in the back of your mind, however, you must be thinking: Haven’t we been here before?
You’d be right. Many times.
In 2007, when TJ Maxx revealed 46 million consumers’ data was stolen. Later, we learned the real number was closer to 100 million. And the criminal in that case, Albert Gonzalez, now serving a 20-year prison sentence, is said to have stolen 170 million account numbers in all.
In 2008, when credit card payment processor Heartland Payment Systems revealed criminals had stolen payment information on an estimated 130 million people.
In 2011, when Sony announced criminals had stolen sensitive information on 77 million customers, primarily through its PlayStation network. Also that year, email giant Epsilon — which powered communications for firms like Citigroup — revealed millions of consumers’ information had been stolen.
So yes, we have been here before.
For those trying to keep score, the folks at the Privacy Rights Clearinghouse, who painstakingly document data hacks, worked with Bloomberg to create a nifty graphic representing big hacks since 2009. By their accounting, thanks in large part to the large but relatively unknown Court Ventures leak, 2003 edges out 2009 as the worst data leak year ever. (NOTE: 2014 isn’t over yet).
But again, perspective. All data leaks are not created equal. Theft of a million email addresses is probably a lot less serious than theft of 10,000 credit reports. So simple tallies aren’t all that useful. Moreover, if 100 million consumers’ credit card numbers were really stolen and used effectively by criminals, either you or your significant other would almost certainly be victims of fraud this year. That’s not true because only a tiny fraction of compromised numbers are ultimately used successfully to steal something. Bank fraud controls, and the simple power of large numbers, dictates that.
So, was 2014 really the worst year ever for personal privacy? Probably not. It’s probably on par with 2009…2011…and for that matter, 2005, when theft of information from data broker ChoicePoint became the first high-profile personal information database hack to really alarm Americans.
The problems dates long before 2005, of course. That’s a significant year for privacy harm news only because it was the first year that California state law required companies that lost consumer data to disclose it publicly. So, like many health issues, observers are left with this question: Are privacy leaks really getting worse, or is the reporting better?
One thing is certain: There will be plenty more to report on in 2015.
More on Identity Theft:
- Identity Theft: What You Need to Know
- 3 Dumb Things You Can Do With Email
- How Credit Impacts Your Day-to-Day Life