A breach happens. The breached data circulates for months on forums and then quietens. The person whose information was in it forgets, or never knew. Years later the data surfaces again, repackaged, cross-referenced with other breaches from other years, and turned into a commercial product: a search engine that takes a name and returns every account, address, password, and identifier the person has ever used.

The aggregation is the harm. Any single breach is partial. The combination of dozens of partial breaches, indexed against a single name, returns a near-complete identity. This is what the present generation of people-search services and credential-stuffing operations sells.

The principal is in these aggregations whether they know it or not. The question is what is in their aggregation and what someone with access to the right service would be able to read about them today. The answer is rarely flattering and is rarely fully known to the person it concerns.

The defences cannot undo the data that has been released. They can address the routes that the released data still enables: changing the passwords that appear in the breaches, removing the accounts that were never closed, hardening the recovery on the accounts that remain.

·

The work is in the reading. The reading depends on knowing where to look.