It was one of the largest thefts of bank data in American history. But as far as data breaches go, the Capital One incident is hardly an anomaly.
Over the past decade, the exposure of personal information has become a routine part of American consumerism. The Privacy Rights Clearinghouse, a nonprofit organization that tracks data breaches, estimates that there have been 9,044 public breaches since 2005. More than 10 billion records — including passwords, credit card numbers and even passports — have been exposed. There is no single federal law that mandates companies to notify affected customers.
As a result, a large swath of the public doesn’t trust institutions to keep their private information safe. A 2016 survey from the Pew Research Center found that a large portion of Americans is not very confident in the ability of companies and the government to protect their data.
That was the same year as some of the biggest data breaches of the decade, such as Yahoo and MySpace.
"These mega-breaches are getting so big and so common," said Heidi Shey, principal analyst at Forrester, a market research company. "Once you get to that point, everyone is swept up in this in some way."
How common really are data breaches? What kinds of records are most commonly made public? And how do experts even define what a data breach is? PolitiFact set out to get the facts.
Who is affected by data breaches?
The International Organization for Standardization, a body that sets commercial standards around the world, defines breaches as any “compromise of security” that leads to “loss, alteration, unauthorized disclosure of, or access to protected data.” In layman’s terms: data breaches occur when private information is exposed. That includes stuff like emails, addresses, credit card numbers and even fingerprints.
And breaches don’t only affect consumers.
The Privacy Rights Clearinghouse tracks data breaches affecting institutions ranging from private business and retail stores to nonprofits and the government. One of the most notable examples of the latter came in 2015 with the realization that, for at least two years, Chinese hackers had gained access to employee data from the U.S. Office of Personnel Management.
A 2016 congressional report summed up the damage:
“In what appears to be a coordinated campaign to collect information on government employees, attackers exfiltrated personnel files of 4.2 million former and current government employees and security clearance background investigation information on 21.5 million individuals. Additionally, fingerprint data of 5.6 million of these individuals was stolen.”
Even the military is susceptible to cyberattacks. In 2006, an Air Force official suspected that Chinese hackers had stolen between 10 and 20 terabytes of data from the Defense Department.
Who’s behind them?
Shey broke it down into three categories.
First are external actors. These are hackers or other malicious entities that try to steal information for personal, monetary or organizational gain. Data from the Privacy Rights Clearinghouse show that hacking is among the most common reasons for breaches.
Data Breaches by Breach Type
Among the most sought-after records for hackers are health care documents, which can be used to forge insurance claims, ZDNet reported in June. Health care companies have seen an influx in cyberattacks in recent years.
The second source of data breaches are accidents. These occur when employees handle information they didn’t know they weren’t supposed to use, access or share. Such was the case in 2006, when AOL made public 20 million web searches from 657,000 Americans.
Finally, there are third parties. Companies often contract out key parts of their businesses and have little control over the security those vendors employ. That makes it easier for hackers to target them.
One example is the Target data breach of 2013, when payment and contact information belonging to up to 110 million people was exposed after hackers gained access through an HVAC vendor.
What are the biggest breaches?
It depends on whom you ask.
"We measure the size of the breach by the number of records exposed," said Emory Roane, policy counsel at the Privacy Rights Clearinghouse, in an email to PolitiFact. "That may not be the same thing as number of consumers impacted, but it’s the only metric we have."
By that standard, the Yahoo data breach of December 2016 was the largest in history. Verizon, which owns Yahoo, said in 2017 that the names, phone numbers and passwords of all 3 billion of its users were exposed to hackers — triple the company’s early estimates.
That incident came after another massive data breach at Yahoo in September 2016, when the personal information and passwords of more than 500 million users were stolen. Now Yahoo is paying out a class-action settlement to some affected customers.
Another incident cracking the top 10 is the Marriott data breach of 2018, when the personal information of more than 300 million Americans, including driver’s licenses and passports, was exposed. The breach was attributed to a Chinese intelligence group seeking information on American citizens.
A third notable data breach came in October 2016 with the exposure of more than 400 million accounts on Adult Friend Finder, a company that owns a variety of adult entertainment sites. Hackers collected 20 years of data on six databases, CSO Online reported, which included names, emails and passwords.
However, the total number of records of people affected isn’t the only way experts think about data breaches. Due to the increase in both the frequency and breadth of breaches over the past few years, Shey said Forrester has instead started to focus on what kinds of records have been exposed.
"There are things like birthdate and name that are harder to replace," she said. "If we look at something like Equifax, that was part of the reason that we were like, ‘Oh no, this is a massive thing.’ It wasn't about credit card numbers."
The Equifax breach doesn’t crack the top 10 largest data breaches in terms of records leaked, even though it affected more than 140 million consumers in 2017. But it exposed sensitive information like driver’s licenses and Social Security numbers in addition to names and birthdates.
Roane said the incident changed the dialogue about data breaches.
"This breach exposed extremely personal information, from a company that most people probably didn’t realize even had it," he said. "Ultimately we’re still reeling from Equifax, and its specter continues to be a motivating force behind any proposed data security regulations when they are brought up."
What’s the scale of the problem today?
It’s hard to know for sure. But publicly available data suggest that data breaches have risen over the past decade.
According to the past 13 years of records compiled by the Privacy Rights Clearinghouse, the number of individual breaches has steadily increased since 2005, the first year it started keeping track of them. However, that trend has flatlined and even dipped in recent years.
Meanwhile, the number of records that have been leaked via data breaches has seen a similar trend over the past decade. Privacy Rights Clearinghouse data show that the most individual records leaked to the public came in 2016 — the year of Yahoo’s massive, back-to-back breaches.
Why has there been an increase in the frequency and size of data breaches? Shey said it could be attributed to any number of factors.
"We have more people on the internet, more companies with what people would now recognize as sensitive information," she said. "The way we think about the value of data today is different than what we would think even 10 years ago. I think people are more aware now that this is stuff that people would like to steal, so now we have to protect it."
The exposure of sensitive data collected by companies has affected a broad swath of American consumers. A July interactive story from the New York Times illustrates this point.
Drawing from publicly available information about a slew of recent data breaches, the tool tells readers how many times their personal information has been exposed to hackers. My credit cards alone have been leaked at least 10 times over the past decade, according to the New York Times.
Asked how the Privacy Rights Clearinghouse knows how many people have been affected by breaches, Roane was blunt:
"Well, the answer is that we don’t. At all. If anything, I would expect that our own data is significantly off the mark, and is an under-accounting of the actual number of impacted consumers."
How are breaches reported?
On the federal level, there is no single law that notifies consumers affected by data breaches. It’s a different story when it comes to the state level.
"In the U.S., we don’t have a single federal statute that requires that a breached business notify its impacted consumers," Roane said. "Instead, Americans rely on a patchwork network of 50 individual state statutes."
The Federal Trade Commission Act gives the government broad authority to prohibit “unfair or deceptive acts or practices in or affecting commerce.” In practice, the FTC has implemented that authority through dozens of niche enforcement actions — some of which have received pushback from companies, limiting the agency’s jurisdiction.
According to the National Conference of State Legislatures, every U.S. state and territory has laws that require companies or government agencies to alert people to data breaches of their personal information. But not all those laws are created equal.
In a blog post published last December, the Privacy Rights Clearinghouse noted that not all states require institutions that suffer a data breach to give notice to attorneys general. Even fewer require the government to share the data from breaches publicly.
Many of the laws hinge on what qualifies as "personal information." Some states say it includes things like passports and medical information while others don’t.
Florida law mandates companies to notify customers no more than 30 days after they learn of a data breach. While that law doesn’t cover paper records or biometric information, it does include medical and passport information. It also requires companies to notify the attorney general, according to the Privacy Rights Clearinghouse.
The disparate laws make it nearly impossible to know the full extent to which data breaches have impacted American consumers and businesses.
"In order to get the most reliable data possible, we try to rely on data provided from a government source, and so we’re left putting together the puzzle with only a handful of edge and corner pieces, so to speak," Roane said.
How will I know if I’m affected?
All states have laws mandating the government or companies to notify people affected by data breaches. So if your private information is exposed, you will likely hear from those entities directly. But it may take a while.
Equifax waited six months to notify customers affected by its 2017 breach without explaining why. The massive Yahoo breach actually happened in 2013 — but the company said it didn’t pick up on it until three years later. And sometimes, law enforcement may ask companies to delay notification so they don’t spook hackers under investigation.
If and when you do get notified that your data has been compromised, the Privacy Rights Clearinghouse has a consumer guide for what to do. It includes tips like canceling your credit card numbers and changing your passwords.
But there are a few proactive measures you can take to safeguard your private data in the first place.
Consumer Reports, a nonprofit organization that does product testing, recommends five things every consumer should do to protect themselves. Those points, which include things like freezing your credit reports and using two-factor authentication to protect your logins, were also backed up by the experts PolitiFact spoke to.
“Treat your own personal data as something that’s valuable,” Shey said. “Just because a form is asking you for it doesn’t mean you have to give it.”