Another week, another massive new corporate security breach that exposes your personal data. Names, email addresses, passwords, Social Security numbers, dates of birth, credit card numbers, banking data, passport numbers, phone numbers, home addresses, driver’s license numbers, medical records—they all get swept up by shadowy, amorphous hackers for fraud, identity theft, and worse. Sometimes the affected company will send you an email suggesting that you change a password or credit card number, but for the most part, these incidents are invisible—until they aren’t.
Think of data breaches as coming in two flavors: breaches of institutions that people choose to entrust with their data—like retailers and banks—and breaches of entities that acquired user data secondarily—like credit bureaus and marketing firms. Unfortunately, you can’t keep your information perfectly safe: It is often impossible to avoid sharing data, especially with organizations like governments and health insurers. Furthermore, in cases where a company or institution gives your information to an additional party, you’ve often agreed to sharing more data than you realize by clicking “I accept” on a dense user agreement.
Many of these incidents don’t necessarily even involve hackers. Data “exposures” occur when information that should have been locked down was accessible, but it’s unclear if anyone actually stole it.
Even after a data breach has occurred, though, and an unauthorized actor definitely has your data, you won’t necessarily see an immediate negative impact. Hackers who steal a trove of login credentials, for example, may quietly use them for under-the-radar crime sprees instead of selling or publishing the data. As a result, the repercussions of a breach can be very delayed, sometimes not fully manifesting for years.