Now, after a federal career that many credited with helping to secure the 2020 presidential election from foreign interference, Krebs is venturing into the other massive cybersecurity story of the last year: the Russian hacker intrusion into SolarWinds, a Texas-based company whose software was hijacked and used to penetrate the networks of at least half a dozen federal agencies.
After months of scandals around the security camera Ring and its controversial partnerships with law enforcement, perhaps it was inevitable that the Amazon-owned company would face a far more common sort of scandal for sellers of internet-connected consumer surveillance devices: They can be hacked.
The right browser extensions are able to add useful functionality and features to your daily window on the web, but these add-ons need to be vetted like any other piece of software—after all, they have the privilege of being able to see everything you're doing online, if they want to.
The Equifax settlement has a provision through which victims can claim a cash payment for "time spent." If you spent hours researching what to do about the breach, setting up credit freezes, hopping on the phone with your bank, or doing anything else remotely relevant, you can claim up to $250 for that time without needing to show any specific evidence.
But Rotenberg notes that without a comprehensive data breach response plan within the federal government, a settlement like Equifax's may not have been much more effective even with an FTC fine.
They've negotiated a settlement with Equifax that entitles all victims to 10 years of free credit monitoring, or $125. This (unfortunately) could actually come in handy, given that Social Security numbers taken from Equifax are starting to show up on the dark web, and consumers have already suffered identity theft related to the breach, according to Pennsylvania attorney general Josh Shapiro.
The state and federal groups that investigated Equifax touted the payout as an important wake-up call for all US corporations—especially since Equifax will also be required to make hundreds of millions of dollars of additional internal cybersecurity improvements on top of the fines.
While CBP says "none of the image data has been identified on the Dark Web or internet," the dump of hacked Perceptics data just a few short weeks ago doesn't give much confidence that this breach is contained, or will stay that way.
“More than 90 percent of the department’s cases alleging economic espionage over the past seven years involve China,” then-deputy attorney general Rod Rosenstein said in a December press conference announcing a wave of indictments that specifically tied hackers to the Chinese government.
As Motherboard points out, WIRED included Dread Pirate Roberts 2 on a list of Dark Web drug lords who got away in 2015, but it turns out that he was arrested in November 2014; the case just didn't attract notice because UK media law prevented reporting on it before its conclusion.
The data set was first reported by security researcher Troy Hunt, who maintains Have I Been Pwned, a way to search whether your own email or password has been compromised by a breach at any point.
But between the company's increasingly dismal track record on third-party access limits and a recent incident in which a bug exposed 6.8 million users' photos to third-party developers, it's hard to feel like things are going as well as they could on the user privacy and data management front.

Atlanta Ransomware

In March, a ransomware attack locked down the City of Atlanta's digital systems, destabilizing municipal operations.
The site the company set up for victims was itself vulnerable to attack, and it asked for the last six digits of people's Social Security numbers to check if their data had been impacted by the breach.
But the bulk of the victims—currently thought to be 327 million people—had different combinations of name, address, phone number, email address, date of birth, gender, trip and reservation information, passport number, and Starwood Preferred Guest account information all stolen.

"Four years is an eternity when it comes to breaches." David Kennedy, TrustedSec

Some credit card numbers were also stolen as part of the breach, Marriott says, but the company did not provide an initial estimate of how many were taken.
But the company later clarified that the compromised data included payment card expiration dates and Card Verification Value codes—the extra three- or four-digit numbers that authenticate a card—even though British Airways has said it does not store CVVs. British Airways further noted that the breach only impacted customers who completed transactions during a specific timeframe—22:58 BST on August 21 through 21:45 BST on September 5. These details served as clues, leading analysts at RiskIQ and elsewhere to suspect that the British Airways hackers likely used a "cross-site scripting" attack, in which bad actors identify a poorly secured web page component and inject their own code into it to alter a victim site's behavior.
Newman reported on how a T-Mobile data breach last week exposed personal information, like phone numbers, and why that matters so much. Another major security story this week came out of California, which is trying to pass a comprehensive digital privacy law to give residents control over their data.