A. Khedron de León - Nov 05, 2019

Breached is the New Black

The phenomenon becoming known as "breach fatigue" represents a warning against complacency with regard to the prevalence and success of data breaches.


As frequent as they are, breaches have, started desensitizing consumers to the pain they bring. Our own tendency for believing a threat is less so as it fades from memory is also to blame. The market showed 0% unemployment for cybersecurity employees in 2016, projected to stay that way until at least 2021. The identity theft protection market is expected to reach over $20B by 2026. Breached is the new black, and everyone is wearing it.

Why is this dangerous? Apathy. The same defense mechanism that allows our brains to cope with pain in the past makes us care less as time goes by. Among other things, vigilance and reminders of the suffering are two of the most important aspects of staving off breach fatigue. What’s worse is that some people may be born into a state of breach fatigue, where no one cares about their security, so they never learn to.


People born after 2011, due to the randomization of Social Security Numbers (SSNs) in an effort to remove identifying information from what used to be a 9-digit code—may find their SSNs used years before the owner even has reason to use it. In a technique called synthetic identity fraud, unissued or just unused (as in, your child has one, but has never used it for anything) SSNs are used to generate false accounts with financial institutions. Much like grinding in a video game or mining Bitcoin, these accounts are slowly nurtured until they are brimming with credit, and either sold or drained and left with all the accrued debt still attached. Tack on a few years of neglect with no one paying those debts, and when it comes time to open your teen’s first bank account, it’s rejected outright because of a low credit score and hundreds of thousands in unpaid debt. It turns out children’s accounts represent a blank slate from which to build solid credit and other aspects of a usable false identity. Two-thirds of stolen children’s IDs in 2018 were of those under age 7, and the rate of identity theft using children’s IDs is over fifty times that of adults.

Despite the reassurances we get from financial institutions, monitoring your credit is reactive in nature, not preventative. It only works after the fact to inform you of any questionable behavior. Monitoring the dark web is just as ineffective, and represents nothing more than a source of free income that preys upon consumer fear. This is from the same organizations who profess to want our money to grow; perhaps they are saving for a ransomware attack.

The only real step one can take to prevent this happening to a child’s life is to freeze their accounts as soon as they obtain the SSN until time to use it for opening bank or credit accounts that will receive regular monitoring. Doing so makes any accounts opened using that number unusable.


The answer is not simple. Bad actors will always be, well, acting badly. But the more research that goes into finding vulnerabilities, the fewer there will be—not to claim that new ones can be avoided, because as long as we have software development, there will always be new technologies, new methods, and new risks. To combat this, HackerOne has begun setting up sandboxes where white hat hackers can test software for vulnerabilities, and then get paid by the vendor for finding the bugs. These bug bounties are more lucrative than software engineering in some countries.

The next best thing you can do to secure your data is to ensure all your favorite websites use secure HTTP (it will show “https://” before the URL) and strong authentication, and reject the ones who don’t. If you cancel a membership with a site, make sure you never reuse that password. If you are sending sensitive information, use a VPN to protect data in transit.

We can fight breach fatigue, but we have to start now with education and vigilance, and we must not forget the breaches of the past. Until credit organizations determine how to forgive surreptitiously generated debts for minors who can’t possibly have a credit history, consumers must lead the charge.

Breaches, Data Protection