If history repeats itself, the high-profile Experian data breach announced two weeks ago today will affect a lot more than the initial estimate of about 15 million T-Mobile customers.
Quartz’s recent comparison of data-breach announcements from recent years shows that initial estimates of how many people or records were compromised usually end up dwarfed by post-investigation numbers.
For example, the publication cites numbers from announcements by the following entities:
- U.S. Office of Personnel Management: “Approximately 4 million” in June became “21.5 million” in July.
- Target Corp.: “Approximately 40 million” in December 2013 became “up to 70 million” in January 2014.
- Adobe: “2.9 million” in October 2013 reportedly became at least 38 million and then more than 150 million later that month after hackers posted stolen data online.
One reason numbers change is because initial estimates are made before investigations start or as they get underway. The language that companies use in initial announcements often hints at this. For example, Adobe’s first announcement said, “Our investigation currently indicates …”
Salvatore J. Stolfo, a computer science professor and part of the Intrusion Detection Systems Group at Columbia University, tells Quartz that another reason numbers change is because companies are forced to revise their estimates after hackers post stolen data online.
Discoveries by outside law enforcement agencies also can turn up greater numbers than companies’ internal investigations.
Do you take any steps to protect yourself against data breaches? Let us know how below or on Facebook.