The consensus view of data breaches has calcified into something almost comfortable. A company gets breached. The story runs for three days. Executives apologize. Settlements happen. Customers get credit monitoring for two years. We move on.
But here's what should unsettle us more than any individual breach: the ones we never hear about.
We know the problem exists in the abstract. Data brokers operate in regulatory shadows. Government databases contain errors nobody audits regularly. Companies conduct internal breach investigations and quietly settle with victims under non-disclosure agreements. The forensics reports stay private. The public learns nothing.
The real question is no longer why breaches happen. We've seen enough breaches involving elderly Americans' financial records, educational platforms' student data, and internal corporate repositories to understand that security failures are structural, not accidental. They happen because organizations systematically underinvest in security, because legacy systems talk to modern ones through vulnerable bridges, and because pressure to move fast beats pressure to move carefully.
The question that matters now is this: what breaks when breach consequences become predictable and manageable for large entities?
When a major telecommunications company faces a breach, it has sophisticated legal teams, insurance policies, and established settlement frameworks. It calculates the cost of the breach against the cost of implementing better security. Sometimes the math favors the breach.
When a major educational platform experiences a breach disrupting schools nationwide, the outrage is real but temporary. The company's market position often survives intact because switching costs are high and alternatives are limited.
But the person or small organization without those resources? They face an entirely different calculus. A small healthcare clinic breached by ransomware might close. A nonprofit that loses donor information might lose donors. A startup that gets compromised during due diligence might never recover from investor distrust.
This asymmetry matters because it creates a two-tiered breach ecosystem. Large entities treat breaches as a cost of doing business. Smaller ones treat them as existential threats.
The consensus says "improve security practices" and "strengthen regulations." These things are fine. But they're comforting precisely because they don't threaten the fundamental power distribution around data. The companies holding the most data, touching the most lives, and causing the most damage when breached often have the strongest ability to weather the consequences.
What this trend breaks next is the assumption that regulatory pressure alone can balance these incentives.
We're beginning to see cracks. Ransomware gangs now have more sophisticated business models. Insider threats are rising because disgruntled employees know exactly what's valuable. Supply chain attacks work because they exploit the fact that large companies' security is only as good as their least-secure vendor.
The system is becoming adversarial in new ways precisely because the old ways have become too profitable to resist and too expensive to defend against uniformly.
So what's the better framing? Not "how do we stop breaches," which is technically impossible. But "who absorbs breach costs, and what does that concentration of risk tell us about power?"
When a major institution's breach barely dents its valuation, while a smaller competitor's breach could be fatal, we're not looking at a security problem anymore. We're looking at a market structure problem.
The comfortable consensus ignores this. It pretends that better passwords and incident response plans will eventually solve things. They won't. Not when the incentives are this distorted.
The real question isn't what's being stolen. It's why some organizations can afford to let it happen, and why others cannot.