This already makes your digital hygiene better than at least 70% of the population if not more. I don't have the link off the top of my head but I vaguely recall some survey or article put out by Bitwarden that nearly 70% of folks re-use the same password for everything.
A surprising number of those little services do store passwords in plain text, and that's where the risk comes from. So you're right, you and anyone else remotely tech savvy that is smart enough to not re-use passwords is unlikely to face any real hardship over a data breach, but the rest of the population that puts in the same email and re-uses "password123" across every service gets into trouble.
As for anecdata about the hairdresser's cousin - my wife, before I met her, had nearly all of her main online services compromised from a plain text password data breach because she also re-used the same email & pass everywhere. Netflix, Spotify, her email, and Amazon account all taken over and did have fraudulent purchases as a result. Now she has 2FA on everything and uses a password manager :) So I don't doubt that there are real people that suffer financial consequences from data breaches due to poor password hygiene.
Even knowing all of that though, I'd still put phishing as a much bigger threat than most data breaches.
Probably not, because most of us are boring. Most of us don't have stalkers. Most of us don't have government clearances. Most of us aren't politically adjacent, significant, or know someone who is. Most of us are not wealthy. Most of us will not be a target by the relatively small pool of humans who could actually do anything with that data.
I might have a few chains where I do connect to someone important (degrees of connection to Kevin Bacon), but that isn't directly useful here.
The point is it's still private information and it must be protected, if only out of common sense or respect for your fellow humans. We don't need damages to defend this point.
The most severe consequences just aren't common enough to elicit any kind of change, and even when they are the response is about cleaning up the damage instead of fixing the upstream problem (how that fraud was allowed to occur in the first place).
One time there was a leak from a university database and as a result there were a few news articles over the years about people that had their identity stolen likely due to that leak. It's not just credit card charges. They have had loans taken in their names, stuff bought on store credit or something (nowadays that's not so easy), stuff stolen from the library in their name...
They had to deal with the fallout for years, always fearing that there's a new letter waiting at home regarding some unpaid expense or from a debt enforcement agency that they have to contact and try to make it go away. It shouldn't be too hard if you have an open case with the police but it's not always that easy.
Also, if the leaked data is sensitive (e.g. private conversations, records about mental health etc.), you can face extortion or the data may get published.
One other thing that I know of personally is that victims of harassment very much don't like to have their contact info leaked to the harasser.
If the most severe consequences of this pattern are sufficiently uncommon—uncommon enough that even by your own admission the system as a whole fails to notice them, much less feel any pain over it—then maybe it's a waste of the organism's resources to attempt a systemic resolution. Maybe the "losing battle" as you call it is not with individual organizations or even with broader data security culture per se. It might not even be with the legal system to finally inflict some, any consequence on anyone for letting this repeatedly happen. Perhaps the battle we're losing is, at some deeper level, with the very physics of civilizational energy distribution and consumption, aka, with societal entropy. In which case... Yeah, that battle seems pretty heckin' losing to me. Good thing identity theft only seems to happen to "other people."
I know this argument is going to ring pretty hollow and the irony will bite me pretty hard if I get my SSN hijacked literally tomorrow. Which, thanks to Equifax in 2017, could theoretically happen any minute now! Just like it could've happened any minute now for the last 9 years!
But then again, even if and just because I suddenly personally care a lot more about this issue because I'm suddenly affected by it, that doesn't obligate you or anyone else to feel the same way.
A certain kind of indifference toward the suffering of others might be civilizationally efficient. In which case it might be absurd and maybe even ethically problematic to care in aggregate any more than we happen to do.
Literally, who's to say?
My wife has had someone rent an apartment in Oakland and open bank accounts with her name and social. Other than getting the bank accounts cancelled, and locking credit, there's nothing to do. The apartment management said they weren't able to evict based on stolen identity; and Oakland PD did nothing. Reporting identity theft to the FTC like they want you to do is a joke.
Unfortunately, the Oakland address has been showing up in KYC questionnaires so it's probably in some minor credit bureau file as true.
Thankfully AMEX called her to notify when the fraudster tried to open a new AMEX with the wrong address.
There's no accountability for the people that collect this data and allow it to be copied. There's no accountability for those who use it for fraud. There's no accountability when credit bureaux distribute inaccurate data. It's a big mess.
Thankfully, most of the haveibeenpwned breaches I'm involved in are like name and email which big deal. But when AT&T allowed their records to be copied, someone tried to open a Bank of America account with my info. AT&T didn't really need my SSN, but they required it as a condition of service, so they had data people wanted.
I failed to realize that I needed to secure a studentaid.gov account someone was able to open in my name with data breach information.
Thankfully my credit was frozen so I didn’t need to untangle an actual loan, but it would have been a huge legal mess otherwise.
I guess my fear is what account am I going to miss securing next that leads to a giant life ruining problem? If I didn’t set up credit freezes someone else could have with the info in the breaches. I didn’t even think to secure a studentaid account I didn’t know existed. In theory having those credit bureau accounts frozen should be enough, but anyone with enough information on you can likely recover them regardless.
To me the whole experience really drives home how much of a joke the security on a lot of this is. Anyone who seriously sets their eyes on you can just totally ruin your life if they’re dedicated enough.
Though most people doing this it’s much more effective to take advantage of people who don’t know any better. Credit not frozen, loan accounts not made or secured, etc. Pwning 20 people doing nothing will always be better ROI than trying to PWN one person with their stuff in order. Until you piss off the wrong person or they think you’re worth the effort.
I guess I can see how you can view it as not your problem. But there are only so many grandmas to scam. The whole problem space to me metaphorically is everyone’s door is wide open, grandma’s is just a straight shot to get in. Mine? Well I have some ball bearings, calipers, and a moat but the door’s still open. It’s not like someone is going to rob my open house instead of grandma. I only have to dodge all the traps when I leave and come back but that’s whatever.
The whole thing is absurd. We have doors and locks and better ways to do this and instead we just live like this?
And then go to each company and beg them to accept that this was a fraudulent situation and not me. If they didn’t accept my request, then I would basically be out of luck, owing them the money.
These data leaks are great opportunities for doxing. You can look up all the people that have died from swatters.
Because something bad has happened at some point to someone somewhere, you personally must take precautions against it happening to you?
Do you intend to modify your behavior, spending habits, or thought patterns to reduce the risk of catching mad cow disease? Oh, no? So you're saying mad cow disease doesn't exist?
But mad cow disease has a documented casualty count and data breaches do not. So actually, you're being irrational if you care about and take measures to mitigate the one but not the other.
Now that we've established that you are rationally obligated to mitigate the risk of mad cow disease, I have some guaranteed Definitely Not Placebo™-brand pills to sell you.
---
If you find this counterargument spurious, absurd, or unfair, then I have a proposal for you: let's both agree that reduction to absurdity benefits no one, and try to talk reasonably in the middle ground between extremes.
Well, yes, in the sense I vote for rational politicians rather than raving single issue lunatics.
The problem here is you latch on to the most absurd example, where the actual farmers raising cattle are the ones expected to avoid mad cow disease because there is an actual cost to them (slaughtering their entire herd). The analogy here would be businesses having to protect their customers' data or suffer consequences, which they generally don't.
Now, if you're a deer hunter the responsibility now returns to you. If you shoot some janky ass deer and eat it you might find your brain full of holes in a decade. Again, the analogy here would be using some sketch ass card reader, or hell, using an ATM in a part of town where you get mugged.
This is missing the broader perspective of identity becoming less reliable, and that results in millions of paper cuts in everyday life.
The reason you need to scan your face with your phone to access a government site or your bank is hugely because asking people personal questions or a password has become useless.
There is an argument that the old security models wouldn't have survived for long either way, but if we see it as an arms race, racing at a slower pace is still better than running like there's no tomorrow towards the bitter end.
From a personal example, about ten years ago, my tax return was rejected by the IRS. It turned out someone stole my identity which had been leaked/breached multiple times. At that time it was trivial to file the paperwork and get the tax return sent to someone else.
I do more or less the same as you, the bare minimum of protecting my data that would actually have any impact at all (banks, WhatsApp, etc.) and nothing bad has ever happened -- I'm yet to see what will happen if my email gets leaked someday (if not already!) by any EvilCorp
But there are still people (eg, the main comment, as of this writing, by @kleiba) telling you about WHY you must deGoogle ASAP, avoid using any social network to cross-login, etc.
Go touch some grass mate, life is too short to worry about what your local ISP will or will not do with your "data" (we do are a number in the end in this society)