A company and its customers are both victims when it gets hacked, but when it has millions of customers the external cost of poor security is so great the bad outcomes seem inevitable.
However, there would be less harm from these kinds of breaches if consumers were not obliged to prove their own innocence whenever someone loaned money in their name without rigorously verifying their identity. If someone claims to have loaned a bunch of money to me without ever interacting with me, the recovery of that foolish loan should really not be my problem. It would still be bad for an insurance company to expose private information, but there wouldn't be such a tremendous incentive to steal, aggregate, and distribute this kind of data if there wasn't so much easy money in it.
Stolen credentials of the kind described in this breach are valuable largely because there is an asymmetry of effort favoring thieves: it's so much easier to borrow money in my name than it is for me to prove my innocence that the process of borrowing money with other people's identities can be done in bulk, and to some extent automated. This situation is only sustainable because the lenders have shifted the responsibility of authentication onto their customers, retroactive to the issuance of credit. Identity verification prior to extending credit to a debtor is trivial and automated, while retroactively proving fraud has a large cost to the debtor in actual human labor.
It seems like payment systems and consumer creditors have colluded to force a Faustian bargain on us: to gain access to utilities and payment systems you have to use credit, even if you don't want it. Therefore, if you want to be able to have municipal water, a place to live, or a phone, all of which are practically contingent on credit rating even if you pay with cash, you have to protect your credit rating.
It would be nice to decouple payment systems from consumer credit, but we won't. Nobody, whether they are a business or the state, can afford to cross the credit card companies or the ratings agencies. They are business titans with big lobbying clout. If you get taken by thieves, it doesn't matter if you're a consumer, a big corporation like Target, or a government agency like the VA, you're going under the bus because the status quo is too profitable to fix, and security is your problem. Nothing can be allowed to slow down the issuance of easy credit, or to create the slightest friction in CC transactions. Look what just happened with chip and pin? We can't even _opt into_ a pin for CC transactions because it might confuse us. While we're on the subject, go read about what happens to people who try to build alternative payment systems that cut out MCVISA...
How many data breaches would there be if bad actors had to take the trouble to personally hassle each of the millions of people they had data on before they could take our money?
Probably some, but how much would we care who knew our SSNs or addresses if they couldn't easily be monetized?
An SSN should not be worth anything because it's really not different from a name. Instead of saying "hi my name is exelius", you're saying "hi my name is 302-45-9522". You wouldn't trust me if I said the former, so why the latter?
I don't know any solution to this problem that would realistically be any better. Crypto isn't a good long-term solution -- any crypto we use today will be trivially cracked by a cell phone 20 years from now. Trust mechanisms seem better, but even then they can be simulated (see: Twitter bots, Facebook bots, click fraud, etc.).
Identity theft is far too easy today, but even if we had an effective system that could prove identity... I'm not sure we would want that societally. It basically guarantees big brother and wraps it in the guise of security.
TL;DR: this is a tricky problem where the situation caused by the solution may actually be worse than the original situation.
> any crypto we use today will be trivially cracked by a cell phone 20 years from now.
This is completely false for correctly implemented crypto unless mobile phones of the future are made of something other than matter and occupy something other than space. It could also be that fundamental understandings of math and physics are incorrect. But the idea that just because of improved technology we'll be able to crack today's crypto is ludicrous.
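As an added illustration of the exchange above (not part of any commenter's post), the arithmetic behind exhaustive key search under exponential hardware growth: it assumes a phone tries 10^9 keys per second today and that throughput doubles every 1.5 years (both assumed figures, not from the thread), and shows that 20 years of that trend finishes a 56-bit search in about an hour while leaving a 128-bit search at roughly 10^17 years.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def trials_per_second(years_ahead, rate_now=1e9, doubling_years=1.5):
    """Key trials per second one device manages `years_ahead` from now, assuming
    throughput doubles every `doubling_years` (assumed growth model)."""
    return rate_now * 2 ** (years_ahead / doubling_years)


def expected_bruteforce_seconds(key_bits, years_ahead, rate_now=1e9, doubling_years=1.5):
    """Expected time for an exhaustive search: on average half the keyspace is
    tried before the right key turns up, i.e. 2**(key_bits - 1) trials."""
    rate = trials_per_second(years_ahead, rate_now, doubling_years)
    return 2 ** (key_bits - 1) / rate


def expected_bruteforce_years(key_bits, years_ahead, rate_now=1e9, doubling_years=1.5):
    return expected_bruteforce_seconds(key_bits, years_ahead, rate_now, doubling_years) / SECONDS_PER_YEAR


def years_until_one_year_crack(key_bits, rate_now=1e9, doubling_years=1.5):
    """How long the doubling trend would have to continue before one device could
    exhaust the keyspace in a single year: solve rate_now * 2**(t / d) = 2**(key_bits - 1) / year."""
    rate_needed = 2 ** (key_bits - 1) / SECONDS_PER_YEAR
    doublings = math.log2(rate_needed / rate_now)
    return max(0.0, doublings * doubling_years)


if __name__ == "__main__":
    for bits in (56, 128, 256):
        print(f"{bits:3d}-bit key, one phone 20 years out: "
              f"{expected_bruteforce_years(bits, 20):.3g} years expected")
        print(f"     doubling trend needed for a one-year search: "
              f"{years_until_one_year_crack(bits):.0f} years")
```

The 56-bit row is the DES-era case where the "cracked by a phone" intuition is right; the 128-bit row is why the same intuition fails for modern key sizes even before thermodynamic limits are considered.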
Some, but less, I think.