You can't go a week anymore without hearing another news report on the theme “Another bank, business or organization got hacked; millions of customers' confidential financial data at risk.” As a result, chances are good that at some point recently you've also heard (or even said) the exasperated joke: “You know, it would be quicker and easier to just tell me who hasn't been breached lately.”
Yet Bloomberg BusinessNews, after looking at data-breach records maintained by the Privacy Rights Clearinghouse, suggests that the joke doesn't really work:
At a time when it may seem like there are few safe places to shop, the threat may not be as out-of-control as it appears. … eight of the ten biggest public U.S. retailers, when ranked by revenue, have not disclosed major consumer breaches this decade. And we're not counting those instances when a few hundred customers were affected or a crook accessed a customer's account using a password stolen from another site.
Yet from the perspective of an ordinary card-using American with typical mainstream shopping habits, it doesn't really matter: the number of actual businesses breached might be a minority, yet the number of Americans whose credit card or other financial data was compromised in a breach is probably a majority.
Not just retailers
Then, too, there's the fact that retailers and restaurants aren't the only way Americans are put at risk; there are also banks, hospitals and medical centers, motor vehicle departments and other state- or federal-level government bureaucracies, and mass data brokers like Experian, all of whom have (inadvertently) managed to put Americans' personal data in the hands of identity thieves at some point in the past couple of years.
Bloomberg does realize this, and also pointed out that “there is an important caveat here: Just because a company hasn't announced a breach doesn't mean it hasn't been hacked.”
Indeed, and when companies do announce breaches, they usually only do so after an independent security researcher or blogger has already discovered and announced it; for the most part, a disturbingly long time passes between “moment a company realizes it's been breached” and “moment company lets its customers know they're at risk.”
For example, in May 2014, when we first told you that PayPal and eBay had been hacked, we also told you this: “The break-in was detected about two weeks ago, the company said.”
When we reported the AT&T hacking in June 2014, the article had this subtitle: “Hacked two months ago, discovered one month ago, now announced.”
Or the August 2014 database breach at SuperValu grocery and liquor stores: “Breach discovered four weeks ago, announced yesterday.”
Still at risk
And even companies officially on the “not-breached” list – such as Walmart, which topped Bloomberg's list of the 10 largest American retailers – might still have plenty of individual customers at risk anyway.
Earlier this month, for example, we reported that, ever since September 2013, ConsumerAffairs has received frequent complaints from people all over the country, reporting that their Walmart MoneyCards were hacked and the accounts drained at a Target store in New York City or its suburbs. Granted, the (still-unknown) guilty parties probably didn't “hack into the database” – if they did, you'd expect to hear complaints from millions of cardholders, not merely a dozen or so – but this offers scant comfort to those people whose money was stolen.
You've surely heard the old saying that a chain is only as strong as its weakest link. A similar maxim applies to information security today: your information is only as secure as the least-secure cash register or database handling it.
So if you've used your credit card to pay at 100 different places recently, and 99% of them haven't been hacked — it doesn't matter, because that remaining 1% compromised your card as much as if you'd personally posted your information in some Russian hackers' forum.