Here we go again. Another day, another massive data breach, another carefully crafted corporate apology that lands with all the sincerity of a politician caught with their pants down.
Last week, TechGiant Inc. (not their real name, but you know exactly which company I’m talking about) finally admitted that hackers had accessed the personal data of 37 million users. Names, addresses, phone numbers, and for the really unlucky ones, partial credit card details and location history. The usual goldmine that makes identity thieves rub their hands with glee.
The kicker? They’ve known about this breach since March last year. That’s right – fourteen months of keeping quiet while your data was floating around the dark web like confetti after a parade.
I was actually at a friend’s dinner party when the news broke. My phone buzzed with the notification, and I nearly choked on my risotto. “You okay?” asked Sarah, my host, as I scrolled through the breaking news alert.
“TechGiant just announced a massive data breach,” I explained, already checking if my accounts were affected. “They’re terribly sorry and taking this very seriously,” I added with air quotes so aggressive I nearly spilled my wine.
“Aren’t they always?” Sarah rolled her eyes. “Didn’t the same thing happen with that fitness app last year? And that delivery service the year before?”
She wasn’t wrong. The script is so predictable at this point that I could write it myself. In fact, let me have a go:
“At TechGiant, user security is our top priority. We recently discovered unauthorized access to certain user information. While we have no evidence of misuse, out of an abundance of caution, we are notifying affected users. We have engaged leading security experts and are implementing additional safeguards. We deeply regret this incident and are committed to earning back your trust.”
Sound familiar? It should. It’s essentially the same hollow apology template that’s been recycled more times than those plastic containers under your sink.
What they conveniently leave out is much more interesting. Like how they discovered the breach through a third-party security researcher who got fed up waiting for them to respond to vulnerability reports. Or how they sat on the information for over a year while their legal team calculated the minimum disclosure required by law. Or my personal favorite – how the “sophisticated attack” was actually possible because someone forgot to apply a security patch from 2019.
I remember when these breaches felt shocking. Now they’re just Tuesday.
The first major breach that affected me personally was back in 2013. I got an email saying my details had been compromised in a “security incident.” I freaked out, changed all my passwords, froze my credit, the whole nine yards. I even called my mum to warn her about potential scam calls. Poor woman thought I’d lost the plot.
Fast forward to now, and I’ve been part of so many data breaches that I’ve lost count. My reaction has devolved from panic to mild irritation, like finding out the coffee shop is out of oat milk. “Oh well,” I sigh, as I dutifully change my password for the 47th time.
This normalization is exactly what these companies are counting on.
The morning after TechGiant’s announcement, I called my mate Darren who works in cybersecurity. He wasn’t surprised in the slightest.
“The problem isn’t just that they had a breach,” he explained between slurps of what sounded like a particularly aggressive smoothie. “Breaches happen. The problem is they knew about it, didn’t fix the underlying issues properly, and kept it quiet until legally forced to disclose.”
“But why wait so long?” I asked. “Surely telling people straight away is the right thing to do?”
Darren laughed so hard I had to hold the phone away from my ear. “Right thing, yes. Profitable thing? No chance. Every day they delay is another day their stock price doesn’t tank, another day without furious customers cancelling subscriptions, another day for their PR team to craft the perfect non-apology.”
He’s not being cynical – he’s being realistic. Studies have shown that the average cost of a data breach is about £3.8 million. Sounds massive until you compare it to the quarterly profits of these tech behemoths, which often run into billions. The math is simple: paying the fine is cheaper than proper security.
I remembered reading about a breach at a major hotel chain a few years back. They paid an £18.4 million fine, which sounds enormous until you learn their annual revenue was £5.4 billion. That’s like me being fined £3.40 for leaving my car in a no-parking zone all day. I’d probably risk it too.
The worst part of TechGiant’s belated confession wasn’t even the breach itself – it was the patronizing tone of their email. “We recommend you change your password out of an abundance of caution,” they wrote, as if they were suggesting I might want to bring an umbrella when there’s a 90% chance of rain.
An abundance of caution? My data has been sitting on hacker forums since last spring! That’s not caution – that’s the bare minimum damage control after leaving the stable door open for over a year while the horse not only bolted but set up a new life in the Bahamas with a fake passport and my credit card details.
“We take your privacy seriously,” they claimed, which at this point feels like a partner saying “I love you” immediately after you’ve caught them cheating. Actions, my friend, not words.
What really gets me is the predictable cycle we go through every single time:
Day 1: Company announces breach, apologizes, promises it won’t happen again.
Day 2: Tech journalists reveal the breach was actually much worse than initially disclosed.
Day 3: Company CEO appears somber in carefully staged interviews, talking about “lessons learned.”
Day 4: Security experts point out that the company ignored basic security protocols.
Week 2: Class action lawsuit announced.
Year 1: Company settles lawsuit without admitting fault, affected users get a free year of credit monitoring worth about £10.
Year 2: Same company, new breach, repeat from step one.
I was venting about this to my dad over Sunday lunch, and he just shrugged. “That’s why I don’t put my information online,” he said smugly, forking another roast potato. This from a man who shares every Facebook quiz result and has his debit card details saved on at least three shopping sites I’ve personally set up for him.
“Dad, your information is definitely online,” I sighed. “Remember that doctor’s office you go to? Or your insurance company? Or the government?”
His face fell faster than a soggy soufflé. Welcome to the club, Dad.
The thing is, we don’t really have a choice anymore. Modern life requires digital participation. Try getting a job without an email address or a bank account without a mobile phone. Good luck with that.
Companies know this, which is precisely why they can get away with treating our data like bargain bin items at a car boot sale. The consequences simply aren’t severe enough to force meaningful change.
After the TechGiant announcement, I spent an hour changing passwords, enabling two-factor authentication, and checking my credit report. As I was doing this utterly joyless admin task on what should have been a relaxing Friday evening, I wondered how many collective human hours are wasted cleaning up after corporate negligence. Millions? Billions? Time we could spend doing literally anything else more pleasant – like getting a root canal or explaining NFTs to grandparents.
A week after the announcement, TechGiant’s stock had already recovered. Their CEO issued a statement about “renewed commitment to security” and announced a new Chief Privacy Officer – the corporate equivalent of putting a sticking plaster on a severed limb.
And we’ll all keep using their services because, let’s be honest, what’s the alternative? That other company with an equally atrocious privacy record but slightly different colored logo?
Maybe I’m being unfair. Maybe companies really do learn from these incidents. Maybe next time will be different.
But I doubt it. Because as long as holding onto our data remains profitable and losing it remains cheap, nothing will change. The breaches will keep happening, the apologies will keep coming, and we’ll keep sighing and changing our passwords like it’s some sort of digital groundhog day.
In the meantime, I’ve got TechGiant’s next apology email already drafted for them. They can use it free of charge:
“Dear Valued User, We’ve known about this massive data breach for months but hoped nobody would notice. Someone did. Oops. Please change your password while we calculate if it’s cheaper to actually fix our security or just pay the fine. Thanks for your continued trust despite all evidence suggesting you shouldn’t trust us at all.”
At least that would be refreshingly honest.