Even among the hundreds of data breaches that occur each year, the hacking of card processor Global Payments stands out.
The Atlanta-based company, which processes credit and debit card transactions for Visa and MasterCard, recently revealed that hackers gained access to no more than 1.5 million card numbers.
Visa and MasterCard quickly announced that the accounts are being monitored and cardholders won't be liable for any fraudulent charges.
But the Global Payments breach is another reminder that despite all of our attempts to keep personal information out of the hands of thieves — shredding documents and frequently changing passwords — we still are vulnerable.
"We talk so much about what to protect our computer from — viruses and not going to the wrong site and giving away your passwords. Then the server that has all the credit cards gets compromised," says Avi Rubin, a computer science professor at the Johns Hopkins University. "All of that protection we tell the consumer to take with their own data goes out the window."
For years, security experts say, companies wrote off identity theft fraud as a cost of doing business. Only after such theft began to heavily eat into profits did businesses — usually large ones — start taking security seriously.
But plenty of others need to catch up. Data breaches that potentially put us at risk of financial identity theft occur on average at least once a day — often at hospitals and schools.
The Privacy Rights Clearinghouse has tracked such breaches since 2005, and has recorded more than 3,000, involving 546 million records. Some are sophisticated attacks, but many are the result of simple carelessness. For example, one of the 591 breaches reported last year occurred in the Texas comptroller's office, which had publicly posted for a year or more the Social Security numbers of 3.5 million workers.
And what happens to consumers who have their identities stolen? A new report from the Federal Trade Commission says some victims who contact credit reporting agencies for help complain that the companies push them into buying fraud prevention products.
More than products, consumers need companies and organizations to invest in security technology and train their employees to keep our information safe.
Of course, not all data breaches are equally serious or lead to identity theft.
Breaches that expose names, addresses and emails are the least worrisome.
"You only have to worry about phishing," says Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse. That's where con artists send you an authentic-looking email from a company or agency, trying to trick you into revealing sensitive information.
The most serious cases occur when thieves steal Social Security numbers and birth dates.
"That really allows a fraudster to pose as us and open accounts in our names," says Steve Coggeshall, chief technology officer for ID Analytics, a risk assessment company.
The Global Payments breach — exposing card numbers and expiration dates — falls somewhere in between, experts say.
"With this particular breach, the consumer could be exposed to existing account fraud," Stephens says.
That means thieves could go on a shopping spree using your current account, but can't open a new line of credit. This type of fraud also won't be picked up through credit monitoring services that look for new account fraud, Stephens says.
Security experts say we may never know if the Global Payments breach leads to identity theft.
"Most victims of identity theft have no idea how they became a victim," Stephens says.
Some thieves act quickly, while others sit on victims' information for months.
Eduard Goodman, chief privacy officer with Arizona-based Identity Theft 911, recalls a breach in which medical students' stolen information still hadn't been used by the time the thief was apprehended many months later. The thief told authorities he was waiting for the students to become doctors, Goodman says.
Maryland, like most states, requires businesses to notify consumers if their information has been compromised.
If you're notified of a financial breach, quickly take steps to protect yourself.
Start by carefully scanning your credit card and bank statements for unauthorized charges and immediately report any suspicious charges to the lender or card issuer. Online banking customers have an advantage here because they can check their account frequently and respond faster when they spot suspicious activity.
Don't overlook tiny transactions, which may be a thief testing out the card, Goodman says.
Goodman's own debit card was compromised in February, and the thief made a dozen or so $1 purchases over a few hours before escalating to transactions of about $100 each.