Consumer data breaches have become so frequent, the anger and worry once associated with them has turned to apathy. So when Equifax revealed late Thursday that a breach exposed personal data, including social-security numbers, for 143 million Americans, public shock was diluted by resignation.
There are reasons for the increased prevalence and severity of these breaches. More data is being collected and stored, for one, as more people use more connected services. Corporate cybersecurity policy is lax, for another, and sensitive data isn’t sufficiently protected. Websites and apps, which are demanded by consumers as much as they serve the interests of corporations, expose paths to data that should be better firewalled. Software development has become easy and popular, making security an afterthought, and software engineering has failed to adopt the attitude of civil service that might treat security as a first-order design problem. And hacking and data theft have risen in popularity and benefit, both as an illicit business affair and as a new kind of cold warfare.
People have started to experience data loss and theft in a new way. Breaches have settled into a kind of modern malaise, akin to traffic or errands. They are so frequent and so massive that the whole process has become a routine.
Online data, like usernames and passwords, have been leaked and hacked with such frequency and in such great quantities (a hacker stole more than a billion Yahoo! email accounts in 2013), that savvy people treat their credentials as violated in advance. Breaches of more sensitive data, like bank, social-security, address, and health or employment records, have also become common. Home Depot, Target, Sony, Anthem, the U.S. Office of Personnel Management, and other recent violations felt shocking and violating at first, but over time that sensation has waned. With over half of the entire U.S. adult population potentially exposed by the Equifax breach, what’s left to do but shrug and sigh? I’ve got so many stacked-up subscriptions to credit-monitoring services from previous consumer breaches, adding another one would be superfluous.