15 Matching Annotations
  1. Jan 2019
    1. Names, email addresses, passwords, Social Security numbers, dates of birth, credit card numbers, banking data, passport numbers, phone numbers, home addresses, driver’s license numbers, medical records—they all get swept up by shadowy, amorphous hackers for fraud, identity theft, and worse

      good definition of why data breaches matter

    2. More attackers may be forced to use zero-day exploits to carry out future breaches—increasing the resources required—if businesses, governments, and other institutions succeed in substantially improving their baseline cybersecurity postures through initiatives like consistent patching and network access control.

      consistent patching, network access control (plus basic password hygiene, anti-phishing measures) are examples of what companies need to do to not be considered negligent when data breaches occur.

    3. Ideally, companies and other institutions that hold data would commit to invest forever in rigorously locking their systems down. But organizations always vacillate between factoring in cost, ease of use, and risk. There’s no easy way to reconcile the three.

      why don't organizations invest more in security

    4. An important concept in security, though, is the idea of the cat and mouse game. For determined, motivated, and well-resourced attackers, improved defenses spur malicious innovation. This is why security is an endless expense that institutions try to minimize, cap, or avoid altogether—defenders need to think of everything, while attackers only need to find one small mistake. An unpatched web server or an employee clicking a malicious link in a phishing email can be all it takes.

      the Note covers this concept pretty well

    5. Attackers are able to perpetrate most current data breaches relatively easily by exploiting an institution’s basic security oversights

      return to point of most data breaches caused by security oversights

    6. In Marriott’s case, the intrusion occurred in the Starwood Preferred Guest system and persisted for four years. Marriott acquired Starwood in September 2016, two years after attackers would have first infiltrated, but it then persisted for two more years on Marriott’s watch. The breach exposed various combinations of personal details, including hundreds of millions of passport numbers, from as many as 500 million customers overall, making it one of the three largest known breaches to date

      MARRIOTT BREACH

    7. Just weeks ago, Facebook disclosed its first-ever true data breach, in which attackers gained access to 30 million user authorization tokens. This meant that the hackers could access users’ Facebook accounts and exfiltrate a significant portion of their personal data. Facebook is investigating the incident with the FBI and has not yet said who was behind it or what their goals were in launching the attack.

      FACEBOOK BREACH

    8. If any good came from the Equifax breach, it was that the sheer severity may have served as the wake-up call corporate America needed.

      EQUIFAX BREACH WAKE UP CALL

    9. the credit monitoring firm Equifax disclosed a massive breach at the beginning of September, which exposed personal information for 147.9 million people. The data included birth dates, addresses, some driver's license numbers, about 209,000 credit card numbers, and Social Security numbers—meaning that almost half the US population potentially had their crucial secret identifier exposed. Because the information stolen from Equifax was so sensitive, it's widely considered the worst corporate data breach ever. At least for now. Equifax also completely mishandled its public disclosure and response in the aftermath. The site the company set up for victims was itself vulnerable to attack, and it asked for the last six digits of people's Social Security numbers to check if their data had been impacted by the breach. This meant that Equifax was asking Americans to trust them with their data all over again. Equifax also made the breach-response page a stand-alone site, rather than part of its main corporate domain—a decision that invited imposter sites and aggressive phishing attempts. The official Equifax Twitter account even mistakenly tweeted the same phishing link four times. Four. Luckily, in that case, it was just a proof-of-concept research page and not an actual malicious site. There have since been numerous indications that Equifax had a dangerously lax security culture and lack of response procedures in place. Former Equifax CEO Richard Smith told Congress in October 2017 that he usually only met with security and IT representatives once a quarter to review the company's security posture. And hackers got into Equifax's systems for the breach through a known web framework vulnerability for which a patch had been available for months. A digital platform used by Equifax employees in Argentina was even protected by the ultra-guessable credentials "admin, admin"—a truly rookie mistake.

      EQUIFAX BREACH AND CORPORATE MISCONDUCT

    10. Yahoo lodged repeated contenders for the distinction of all-time biggest data breach when it made an extraordinary series of announcements beginning in September 2016. First, the company disclosed that an intrusion in 2014 compromised personal information from 500 million user accounts. Then, two months later, Yahoo added that it had suffered a separate breach in August 2013 that exposed a billion accounts. Sounds like a pretty unassailable lead in the race to the data-breach bottom, right? And yet! In October 2017, the company said that after further investigation it was revising its estimate of 1 billion accounts to 3 billion—or every Yahoo account that existed in August 2013.

      YAHOO BREACH

    11. Today, data breaches are so common that the cybersecurity industry even has a phrase—“breach fatigue”—to describe the indifference that can come from such an overwhelming and seemingly hopeless string of events.

      BREACH FATIGUE

    12. Data breaches didn’t truly become dinner table fodder, though, until the end of 2013 and 2014, when major retailers Target, Neiman Marcus, and Home Depot suffered massive breaches one after the other.

      data breaches entered the public eye at the end of 2013.

    13. Yes, it’s a difficult, never-ending process for a large organization to secure its inevitably sprawling networks, but for decades many institutions just haven’t really tried. They’ve gone through some of the motions without actually making digital security a spending priority. Over the past 10 years, however, as corporate and government data breaches have ramped up—impacting the data of billions of people—institutional leaders and the general public alike have finally begun to understand the urgency and necessity of putting security first. This increased focus is beginning to translate into some concrete data protections and security improvements. But collective inaction for decades has created a security deficit that will take significant time and money to make up. And the reality that robust digital security requires never-ending investment is difficult for institutions to accept.

      crucial paragraph - ties into thesis of corporate negligence.

    14. But massive institutional breaches don’t need to happen as often as they do. Many occur not because of complex and sophisticated hacking but because organizations have made basic and potentially avoidable mistakes in implementing their security schemes. They’re low-hanging fruit for hackers to pluck.

      quote.

    15. victims of identity theft know the consequences of data breaches intimately and painfully. They may have their credit wrecked by thieves, lose all their money, or be dogged for years by a shadow hand meddling in their affairs and opening digital accounts in their name.

      quote.