America’s Largest Corporations Profit from Exposing Your Data While Small Businesses Die

The data breach that destroyed Code Spaces in 2014 took less than 12 hours. Hackers infiltrated the source code hosting company’s Amazon EC2 control panel, destroyed primary data and backup systems alike, and vanished. The company, unable to recover, shut down permanently within weeks.

Compare that to Equifax’s 2017 breach, which exposed Social Security numbers, birth dates, and addresses for 147 million Americans—more than half the adult population. The credit reporting giant’s stock plummeted 31%. Yet within two years, Equifax had fully recovered, continuing to operate as one of three major credit bureaus that control Americans’ financial lives. The company settled for $1.4 billion—substantial in absolute terms, but pocket change for an enterprise generating billions in annual revenue.

This disparity isn’t an accident. It’s the predictable result of a system where large corporations possess structural advantages that transform catastrophic data breaches from existential threats into manageable quarterly expenses—and sometimes even opportunities for competitive gain.

When Size Determines Life or Death

Stock market analysis reveals a striking pattern: large corporations weather data breaches with remarkable resilience. Research by Comparitech examining 118 publicly traded companies found that share prices bottomed out an average of 41 days after breach disclosure, falling just 1.4%. Within 53 days, most recovered to pre-breach levels. Healthcare companies took the biggest hit, underperforming by 10.6%, while retail companies actually outperformed the market by 7.29% after major breaches.

For small and medium-sized businesses, the math is brutally different. The U.S. National Cyber Security Alliance found that 60% of small companies cannot sustain operations beyond six months after a cyberattack. IBM reports that 62% of all cyberattacks target small and mid-sized businesses, amounting to roughly 4,000 attacks daily. The average global cost of a data breach in 2024 reached $4.88 million—a manageable line item for Fortune 500 companies, but annihilation for most small businesses.

The small accounting software firm that fell victim to ransomware in 2016 illustrates the pattern. An employee opened a malicious email attachment, encrypting 15,000 accounting and customer files. The company’s backup systems hadn’t been working for months. The owner paid the $50,000 ransom. The decryption key didn’t work. Six months later, the company closed permanently.

Discord.io, which provided custom invitations for the Discord messaging platform, apparently chose preemptive closure over bankruptcy litigation. After a breach compromised data for 760,000 members, the company shut down rather than face lawsuits for improper data management with insufficient resources to mount a defense.

Little and King LLC filed bankruptcy in 2010 after losing $164,000 to wire transfer fraud when the owner’s computer was infected with Zeus Trojan malware. The financial loss—devastating for a small firm—would barely register as a rounding error for major financial institutions.

The 2024 bankruptcy of National Public Data illustrates the divergence starkly. The background check company exposed 2.9 billion records containing Social Security numbers for approximately 170 million people. The company’s total assets at bankruptcy? Two HP desktop computers valued at $400, a ThinkPad laptop worth $100, five Dell servers worth $2,000, and $33,105 in a checking account. Total assets between $25,000 and $75,000 against liabilities affecting hundreds of millions of people. “The debtor’s insurance has declined coverage,” the bankruptcy petition stated plainly.

The Scale of Corporate Negligence

Meanwhile, the largest corporations entrusted with Americans’ most sensitive data have proven to be its worst stewards. The telecommunications industry provides the starkest illustration.

T-Mobile has publicly acknowledged eight data breaches between 2018 and 2023. The worst occurred in August 2021 and exposed personal data of at least 76.6 million people—including names, dates of birth, Social Security numbers, and driver’s license information. The company agreed to pay $350 million to settle the resulting class action lawsuit, with an additional $150 million committed to improving data security. For a company that reported $18.8 billion in quarterly revenue in Q2 2024, this represented less than 3% of a single quarter’s earnings.

AT&T experienced multiple breaches in 2024 alone. The March incident exposed data on 73 million current and former customers dating back to 2019, including Social Security numbers and account passcodes subsequently found on the dark web. A second breach in July, traced to a third-party cloud provider, compromised call and text records for nearly all of AT&T’s 110 million cellular customers. The company agreed to a $177 million settlement—$149 million for the March breach and $28 million for July’s incident. This represents less than 5% of AT&T’s $3.9 billion in net income for Q2 2024 alone.

The credit reporting industry demonstrates that this pattern extends beyond telecommunications. Equifax’s 2017 breach occurred because the company failed to patch a known Apache Struts vulnerability for which a fix had been available for months. An internal audit in 2015 had revealed a significant backlog of unresolved vulnerabilities and failure to adhere to patching schedules, but by the time of the breach two years later, many recommended security improvements had not been implemented. The FTC specifically noted that Equifax failed to implement basic security measures, including patching policies, network segmentation, and robust intrusion detection for legacy databases.

Money Without Security Is a Resource Paradox

These companies possess resources that should make their data functionally impenetrable. Bank of America’s CEO Brian Moynihan once famously declared that the nation’s second-largest lender had an unlimited cybersecurity budget. JPMorgan Chase spends roughly $600 million annually on cybersecurity with a staff of around 3,000 IT security personnel. Microsoft has committed more than $20 billion for security improvements between 2021 and 2025.

According to McKinsey & Company, the corporate sector was projected to spend $213 billion on cybersecurity software in 2024 alone. Fortune 500 companies allocated an average of $26 million for cybersecurity initiatives in 2024, with 46% of respondents reporting spending increases above 25%.

Yet basic security failures plague major corporations with alarming frequency.

The 2024 Change Healthcare ransomware attack, which compromised data for over 100 million individuals, succeeded because the company failed to implement multi-factor authentication on critical systems. UnitedHealth Group paid a $22 million ransom to the ALPHV/BlackCat cybercriminal group—then watched the data leak anyway. For context, UnitedHealth’s health insurance operations had revenue of $281 billion in 2023. The ransom payment represented 0.0078% of annual revenue—equivalent to someone earning $50,000 annually paying $3.90.

The massive Snowflake breaches of 2024, affecting AT&T, Ticketmaster, Santander and dozens of other major corporations, exploited unencrypted user credentials. None of the compromised accounts had enabled multi-factor authentication. Some of the stolen credentials had been available for purchase illegally for years. A hacker known as UNC5537 accessed some of the world’s largest companies’ data with credentials so old they’d been sitting on underground markets gathering digital dust.

Ticketmaster’s May 2024 breach exposed personal and financial information for over 560 million customers—1.3 terabytes of data extracted through “unauthorized activity in a third-party cloud database environment.” The company faces four class action lawsuits but continues operating as the dominant ticketing platform in entertainment.

T-Mobile’s 2021 breach was traced to hackers gaining entry through a poorly secured testing environment and moving laterally across systems due to lack of proper network segmentation—a basic cybersecurity safeguard that should have been in place.

Why Corporate Breaches Are Different

| | Startup Breach | Corporate Breach |
|---|---|---|
| Typical Data Exposed | Usernames, emails, hashed passwords | Social Security numbers, dates of birth, driver’s licenses, financial accounts |
| Consumer Recourse | Reset passwords, abandon service | Cannot change SSN or birth records |
| Duration of Harm | Limited to account access | Lifelong identity theft risk |
| Corporate Impact | Often existential | Usually manageable |

This fundamental distinction matters. A startup photo editor simply does not possess your Social Security number. A telecommunications carrier, by legal mandate, does—and when that carrier’s systems fail, the consequences are catastrophic and permanent.

When AT&T or Equifax exposes immutable identity data, the repercussions for consumers are lifelong: identity theft, credit fraud, SIM swapping, and ongoing vulnerability to scams. Unlike passwords or usernames, you can’t reset a Social Security number without major bureaucratic difficulty. Victims can spend years repairing credit and protecting themselves.

Required Collection, Inadequate Protection

Large telecommunications and financial services companies face a structural challenge that smaller technology firms do not: they are required by law to collect and retain identity verification data. Customer Proprietary Network Information rules, Know Your Customer requirements, and credit reporting regulations mandate that these companies maintain extensive repositories of sensitive personal information.

This creates what security researchers describe as a honeypot dynamic. These companies must store nuclear-grade personal data by regulatory design, making them extraordinarily attractive targets. A startup built in 2020 can use modern security-by-default architecture. AT&T and T-Mobile are running systems built across decades of acquisitions and mergers, with data scattered across ancient mainframes, vendor platforms, and cloud hybrids. This legacy infrastructure complexity provides numerous attack surfaces that determined adversaries can exploit.

However, mandatory collection does not excuse inadequate protection. The contrast is instructive: when startups experience breaches, the compromised data typically consists of usernames, email addresses, and hashed passwords—information that, while requiring password changes, does not enable the wholesale identity theft that follows exposure of Social Security numbers, birthdates, and financial account information.

Where Breach Data Finds Second Life

While victims scramble to freeze credit reports and monitor bank accounts, a sophisticated ecosystem quietly transforms stolen data into profit. Data brokers—companies that collect, aggregate and sell personal information—benefit directly when corporate databases leak into the wild.

When hackers breach a company’s systems, they don’t just steal isolated records. They acquire puzzle pieces that, when combined with data from other breaches and legally purchased datasets, create comprehensive profiles worth far more than the sum of their parts.

In June 2025, the largest credential compilation in history surfaced: 16 billion login credentials aggregated from approximately 30 different datasets. This wasn’t a single corporate hack but an accumulation of infostealer malware deployed on infected devices over several years. The compilation created what security researchers called a “blueprint for mass exploitation”—a searchable database enabling automated attacks against virtually any online service.

The mechanics of data enrichment are straightforward. A breached Zoom account containing only a username and email address can be linked to records in data broker databases to build a complete user profile; in this way, every new breach lets attackers enrich what they have stolen with information already held by brokers.

Companies like Acxiom, LexisNexis, Experian, and Oracle operate as intermediaries in what has grown into an industry projected to exceed $441 billion by 2032. Acxiom (now LiveRamp) claimed by 2023 to have files on 2.5 billion people worldwide, with over 3,000 data points per person—up from 500 million people with 1,500 data points in 2012.

These data brokers are themselves frequent breach victims. In May 2025, LexisNexis Risk Solutions disclosed a breach affecting more than 364,000 people, exposing names, dates of birth, phone numbers, addresses, Social Security numbers, and driver’s license numbers. The company, which works with 91% of Fortune 100 companies and 85% of Fortune 500 companies for risk and fraud assessment, had stored this information on a third-party software development platform.

Incogni researchers analyzing 506 registered U.S. data brokers found that 23 (4.5%) had suffered breaches, exposing at least 444.5 million records. The 2019 breach of California-based People Data Labs resulted in 179 million leaked records—40% of all major data broker breaches studied.

There is even a dark web “data broker” ecosystem—actors who broker the information stolen in a data breach, serving as intermediaries that transform stolen data into purchasable intelligence.

The National Public Data breach demonstrates how this works at scale. The company collected data to perform background checks, aggregating public records with purchased datasets. When breached, the stolen data contained not just names and Social Security numbers but pre-compiled profiles ready for exploitation. At least 207.6 million American records were compromised, representing nearly half of all exposed records.

The data broker industry creates a secondary market where information from corporate breaches can be laundered and repackaged. Data brokers collect information from public records, commercial sources, and online tracking—but they also acquire personal information from other data brokers and, in some cases, from data breaches. A company that would never directly purchase stolen data can still benefit from enriched consumer profiles built partly on breach-derived information.

The Economics of Insufficient Deterrence

The financial penalties imposed on these corporations, while nominally substantial, represent a fraction of their annual revenues and create insufficient deterrence for companies generating tens of billions in quarterly revenue.

T-Mobile’s $350 million settlement for exposing 76.6 million people’s data works out to approximately $4.57 per affected individual—roughly the cost of a coffee. AT&T’s $177 million settlement, divided among tens of millions affected across both breaches, yields similarly modest per-capita exposure.

The disparity isn’t just about having resources—it’s about how consequences scale. Large corporations can absorb the reputational damage, the legal fees, the regulatory fines. They have insurance policies worth hundreds of millions. Capital One, after its 2019 breach, expected costs between $100 and $150 million—but carried cyber insurance with a $400 million coverage limit after a $10 million deductible.

National Public Data had no such cushion. Small businesses have no reserves, no insurance coverage, no legal teams to navigate bankruptcy proceedings. When their systems fail, the businesses simply cease to exist.

Meanwhile, McKinsey estimates that cyberattacks are on track to cause $10.5 trillion in damage globally per year by 2025, yet the corporate sector collectively spent only $189 billion on cybersecurity in 2023—leaving what analysts describe as a $1.8 trillion spending gap between actual investment and what would be necessary for adequate protection.

This penalty structure creates a troubling calculus: the cost of insufficient security may be less than the cost of adequate security. When settlement payments are a rounding error relative to quarterly earnings, the business case for maximizing security investment weakens.

Why invest billions in security infrastructure when a breach costs millions, insurance covers much of the damage, stock prices recover within weeks, and regulatory penalties remain negligible compared to revenue? Why implement robust access controls when lobbying can water down privacy laws that might require them?

Writing the Rules of the Game As They Go

Perhaps the most insidious advantage large corporations enjoy is their ability to shape the regulatory environment that governs data protection—or more accurately, to prevent meaningful regulation from taking hold.

A May 2022 investigation by The Markup, examining public hearing testimony, public comments and lobbying records across 31 states, uncovered a coordinated nationwide campaign by Big Tech to mold privacy legislation to corporate specifications.

In Virginia, Amazon drafted the state’s 2021 Consumer Data Protection Act. The bill was “originally authored by Amazon with input from Microsoft.” The legislation passed, establishing a framework that other states have since adopted—a framework that privacy advocates describe as fundamentally inadequate.

“In late 2019, Utah state senator Kirk Cullimore got a phone call from one of his constituents, a lawyer who represented technology companies in California,” The Markup reported. The lawyer suggested Utah proactively pass a business-friendly consumer privacy law. Cullimore introduced the bill. The only advocacy group calling for stronger consumer protections during public hearings was Consumer Reports. Governor Spencer Cox signed the industry-crafted bill into law in March 2021.

A November 2021 Reuters investigation revealed that Amazon “has killed or undermined privacy protections in more than three dozen bills across 25 states.” In Virginia, the company increased political donations tenfold over four years before persuading lawmakers to pass its self-authored privacy bill. In California, Amazon stifled proposed restrictions on collecting and sharing voice recordings from devices like Alexa. In Washington state, Amazon won so many exemptions and amendments to biometric data regulation that the resulting law was effectively toothless.

By 2020, Amazon had registered at least 180 lobbyists across 44 states, up from 62 lobbyists in 27 states in 2014.

Google has spent more than $125 million on federal lobbying, campaign contributions and trade associations since 2019. The company’s policy statement argues that “requiring individuals to control every aspect of data processing can create a complex experience that diverts attention from the most important controls without corresponding benefits.” Translation: consumers shouldn’t be burdened with understanding how their data is used. Companies should decide what’s best.

The lobbying strategy has two primary objectives. First, establish opt-out rather than opt-in frameworks for data collection and targeted advertising—meaning tracking is enabled by default unless consumers navigate often-complex processes to disable it. Second, eliminate private rights of action that would allow consumers to sue for violations.

“That may be a bonanza for the trial bar, but it will not be good for business,” Dan Jaffe, group executive vice president for government relations for the Association of National Advertisers, told The Markup. TechNet, a Big Tech industry group, claimed that “enormous litigation costs for good faith mistakes could be fatal to businesses of all sizes.”

The American Data Privacy and Protection Act, introduced in June 2022, became one of the most lobbied bills in Congress, drawing attention from more than 180 corporate clients including Amazon, Disney and Target. Corporate interests successfully softened sections of the bill before it advanced through the House Energy and Commerce Committee by a 53-2 vote.

The two dissenting votes? Representatives from California, which has the strongest state-level privacy protections in the nation. Business lobbyists demanded that federal law preempt state regulations—effectively lowering the floor for everyone to match the weakest proposed standard.

“It’s just a numbers game,” Maureen Mahoney, a former policy analyst for Consumer Reports, told The Markup. “If you have one or two advocates that are saying, ‘I want a bunch of changes to these bills to push back against industry,’ but you’ve got 20 lobbyists telling you they’re going to kill your bill unless you take this edit, legislators want their bills to move.”

Jennifer Lee of the ACLU of Washington described the experience more bluntly: “It’s been this coordinated national push to advance really weak privacy bills. We’ve definitely felt outnumbered.”

The Regulatory Vacuum at the Federal Level

Efforts to regulate the data broker ecosystem at the federal level have consistently stalled. In December 2024, the Consumer Financial Protection Bureau under Director Rohit Chopra proposed rules that would have treated data brokers as consumer reporting agencies under the Fair Credit Reporting Act, subjecting them to accuracy requirements, consumer access provisions, and safeguards against misuse. The proposal aimed to protect Americans from surveillance, fraud, and criminal exploitation when bad actors purchase personal and financial information.

On May 15, 2025, the CFPB withdrew the proposed rule entirely. Acting Director Russell Vought stated in the Federal Register notice that legislative rulemaking was “not necessary or appropriate at this time.” Consumer advocates condemned the decision. Matt Schwartz of Consumer Reports called it “the latest troubling move by this administration to abandon the CFPB’s critical mission to protect consumers,” warning that “dropping these proposed limits will leave consumers unprotected and make it more likely that sensitive information like their Social Security numbers will wind up in the hands of crooks.”

The withdrawal leaves data brokers operating with minimal federal oversight. While the European Union’s General Data Protection Regulation provides substantial consumer protections, American privacy law remains a patchwork of state regulations and sector-specific federal rules that data brokers routinely navigate.

National Security Implications

The risks extend beyond individual identity theft. A 2022 analysis published by the U.S. Naval Institute Proceedings described data brokers as a threat to national security. Three major data brokers—Acxiom, LexisNexis, and Nielsen—sell data on current or former U.S. military personnel, including family information, spending habits, mental health conditions, and geolocation. Both Acxiom and LexisNexis provide users the ability to verify whether someone is active duty.

Foreign adversaries can purchase this information directly or, if that fails, steal it. Chinese state-sponsored hackers were suspected in the Equifax breach, which yielded sensitive information on nearly half of all Americans. The Department of Justice in 2020 indicted four members of China’s People’s Liberation Army in connection with the hack. Adversaries can use such data sets to identify where service members work, leverage health or financial information for bribery or blackmail, track movements, and impersonate personnel for targeted operations.

The Normalization of Privacy Collapse

Perhaps the most insidious benefit that large corporations derive from ubiquitous data breaches is the normalization of privacy loss. When everyone’s Social Security number, address history, and purchase behavior is already “out there,” consumers stop expecting privacy. This lowered expectation reduces political pressure for strict data minimization laws and makes aggressive data collection seem like an unavoidable status quo rather than a policy choice.

The competitive harm from breaches is also muted when industry-wide exposure levels are similar. If your competitor also gets breached, the relative disadvantage disappears. There is less incentive to invest heavily in security if the entire industry operates at a comparable baseline of inadequate protection. The result is a race to the middle rather than the top.

Security researcher Brian Krebs has characterized data brokers as “the digital equivalent of massive oil tankers wandering the coast without GPS or an anchor, because when they get hacked, the effect is very much akin to the ecological and economic fallout from a giant oil spill.” Unlike oil spills, however, data breaches create permanent contamination. Social Security numbers cannot be changed. Birthdates are immutable. The information exposed in breaches years ago continues to enable identity theft today and will do so for decades to come.

The 16 billion leaked credentials compiled in 2025 represent years of systematic failure across thousands of companies. Each credential stolen represents a company that failed to secure its users’ data, an employee who fell for phishing, a security protocol that went unenforced. The aggregated breach creates what one security researcher describes as the fundamental reality: “Your vendors will be compromised, and your credentials will be stolen.”

The Tragedy of the Commons in Data Security

The current system creates perverse incentives. Large corporations can treat data breaches as manageable business expenses rather than existential threats. They maintain enough resources to recover, enough market power to retain customers who have limited alternatives, and enough political influence to prevent regulations that might impose meaningful accountability.

Meanwhile, the broader data ecosystem benefits from the constant flow of leaked information. Data brokers aggregate and resell. Companies with sophisticated analytics derive competitive intelligence. The dark web functions as a shadow market where stolen data gets laundered into ostensibly legitimate datasets.

Small businesses and individual consumers bear the concentrated costs. When Code Spaces failed, its customers lost access to their repositories. When National Public Data collapsed, 170 million Americans faced elevated identity theft risk with no meaningful recourse against a company holding $33,000 in assets.

The evidence suggests that large corporations could secure their systems far better than they do. The prevalence of basic security failures—missing multi-factor authentication, unencrypted databases, unpatched known vulnerabilities—indicates not technical inability but insufficient incentive.

In this environment, large corporations aren’t just victims of data breaches—they’re often inadvertent beneficiaries of a system that treats data security as optional rather than essential, that allows the costs of lax security to be externalized onto consumers and smaller competitors who lack the resources to recover.

The asymmetry isn’t a bug in the system. It’s a feature that large corporations have successfully lobbied to preserve.

The Path Forward

Addressing this systemic failure requires recognizing that current incentive structures do not adequately protect consumers. Companies that profit from personal information must bear responsibility commensurate with the harm their negligence causes.

Settlement amounts tied to actual damages—not negotiated ceilings designed to cap corporate exposure—would create meaningful deterrence. When a breach affects 100 million people and settlement payments work out to less than $5 per victim, there is no real accountability.

Regulatory requirements for data minimization would reduce the honeypot problem by limiting what companies collect in the first place. Companies should not be permitted to maintain vast repositories of sensitive personal information simply because it might be commercially useful. If the data isn’t collected, it can’t be stolen.

Comprehensive federal oversight of data brokers equivalent to that applied to consumer credit reporting is essential. The CFPB’s withdrawn proposal represented a step in this direction; its abandonment leaves a regulatory vacuum that invites continued exploitation. State-level privacy laws like California’s Consumer Privacy Act provide partial protection but cannot substitute for coherent federal standards.

Penalties must scale with corporate size and resources. Until the cost of failure exceeds the cost of prevention—until settlements represent a material fraction of quarterly earnings rather than rounding errors—large corporations will continue to treat security as a line item rather than a mandate.

Most fundamentally, the framing of these incidents as “data breaches”—suggesting external attacks that companies could not prevent—obscures the reality that many represent failures to implement basic security measures that had been available for months or years. When a company fails to patch known vulnerabilities, store credentials securely, or segment networks properly, the breach is not an act of god but a consequence of corporate priorities.

The companies entrusted with Americans’ most sensitive data have the resources to protect it. That they repeatedly fail to do so—while facing penalties insufficient to change behavior and maintaining political influence sufficient to block meaningful regulation—suggests a system designed to extract value from personal information rather than safeguard it.

Until that system changes, small businesses will continue to disappear while their larger counterparts absorb similar breaches and emerge relatively unscathed. And consumers will continue bearing the permanent, irreversible consequences of corporate decisions in which they had no voice.
