
You've probably noticed the pattern by now. A major company announces a data breach. Millions of accounts are compromised. They issue an apology, offer a year of free credit monitoring, promise to "take security seriously going forward," and then – sometimes months, sometimes years later – it happens again. Same company, same basic failure, different headline.

This isn't just bad luck. It's a systemic problem, and understanding why it keeps happening tells you something important about how corporate security actually works – and why the incentives that should fix it often don't.
When a data breach makes the news, it's usually because it's large enough to be impossible to ignore. But for every breach that gets covered, dozens go unreported or are disclosed quietly in regulatory filings that nobody reads. The Identity Theft Resource Center counted over 3,200 data compromises in the US alone in 2023, generating more than 350 million victim notices. 2023 was a record year, but it sits on top of a trend that has been rising for more than a decade; it isn't a one-off spike.
What's notable is that many of the repeat offenders are household names with substantial security budgets. Companies like T-Mobile, AT&T, Yahoo, and LinkedIn have each been breached more than once, and healthcare giants like Anthem and Change Healthcare have suffered breaches affecting tens of millions of patients. These aren't small operations running on shoestring IT budgets. The question of why large, well-resourced companies keep getting breached – repeatedly – is the more interesting and uncomfortable one.
One of the least glamorous explanations is also one of the most accurate: a lot of large organizations are running critical systems on infrastructure that is decades old and was never designed with modern threat models in mind.
Banks, healthcare providers, airlines, and government agencies often have core systems built on technology from the 1980s and 1990s that has been patched, extended, and integrated with newer layers over time but never fundamentally replaced. Replacing a core banking system or a hospital records platform is an enormously expensive and risky undertaking – the project can take years, cost hundreds of millions of dollars, and carries the risk of catastrophic failure if something goes wrong during the transition. So organizations patch, layer, and defer. Those old systems accumulate vulnerabilities the way old buildings accumulate structural cracks: slowly, invisibly, until something gives.
The 2017 Equifax breach – one of the most consequential in history, exposing the personal data of 147 million Americans – was traced to a known vulnerability in Apache Struts, an open-source web framework. A patch had been available for two months before the attackers got in. Equifax simply hadn't applied it. The failure wasn't exotic or technically sophisticated. It was a missed update on legacy infrastructure in a complex system where patching was nobody's clearly defined job: the Senate investigation found that the internal patch notice never reached the people responsible for the affected system, and that an expired certificate on a traffic inspection device left the intrusion undetected for months.
Large organizations have security teams, compliance departments, IT operations, and executive leadership who all ostensibly share responsibility for security. In practice, this diffusion often means that security becomes something everyone assumes someone else is handling at the level of detail that matters.
A security team might identify a vulnerability and flag it. But remediating it requires the cooperation of an IT operations team that is measured on uptime, not patch velocity. That team has its own backlog, its own priorities, and its own management chain. Without someone with clear authority and accountability pushing the remediation through, it sits in a queue. This is how known vulnerabilities remain unpatched for months or years in organizations with dedicated security budgets.
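The queue described above is measurable. As an added example (not the page's or any vendor's tooling), the script below takes a component inventory and a list of vendor advisories and reports which hosts are still on a version the vendor has already fixed, and for how many days that fix has been available. The inventory, the advisories, the component names and advisory IDs, the report date, and the SLA table are all constructed for illustration.

```python
"""Patch-lag report: which deployed components still run a version a vendor
has already fixed, and how long has the fix been available?

Added example, not the page's or any vendor's tooling. The inventory and the
advisories are constructed; component names and advisory IDs are hypothetical.
"""
import re
from datetime import date

# Constructed asset inventory: (host, component, deployed version).
INVENTORY = [
    ("web-01", "example-webfw", "2.3.31"),
    ("web-02", "example-webfw", "2.3.32"),
    ("api-01", "example-webfw", "2.5.10"),
    ("db-01", "example-db", "9.6.1"),
]

# Constructed advisories. Each covers versions in [affected_min, fixed_in)
# on one release branch and records the day the vendor shipped the fix.
ADVISORIES = [
    {"id": "ADV-0001", "component": "example-webfw", "severity": "critical",
     "affected_min": "2.3.5", "fixed_in": "2.3.32", "patch_date": date(2017, 3, 7)},
    {"id": "ADV-0001", "component": "example-webfw", "severity": "critical",
     "affected_min": "2.5", "fixed_in": "2.5.10.1", "patch_date": date(2017, 3, 7)},
    {"id": "ADV-0002", "component": "example-db", "severity": "medium",
     "affected_min": "9.0", "fixed_in": "9.6.2", "patch_date": date(2017, 4, 1)},
]

# Assumed remediation policy (days allowed from fix availability), not from the page.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed report date.
AS_OF = date(2017, 5, 13)


def parse_version(version):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically.
    Only the numeric dotted part is handled; pre-release tags such as
    '-rc1' would need a real semver parser."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["affected_min"]) <= v < parse_version(advisory["fixed_in"])


def patch_lag_report(inventory, advisories, as_of):
    """Return one finding per (host, advisory) pair where the deployed version
    is still vulnerable, with the number of days the fix has been available."""
    findings = []
    for host, component, version in inventory:
        for adv in advisories:
            if adv["component"] != component or not is_affected(version, adv):
                continue
            days_open = (as_of - adv["patch_date"]).days
            findings.append({
                "host": host, "component": component, "version": version,
                "advisory": adv["id"], "severity": adv["severity"],
                "days_patch_available": days_open,
                "sla_breached": days_open > SLA_DAYS[adv["severity"]],
            })
    # Worst first: breached SLAs, then longest-open.
    findings.sort(key=lambda f: (not f["sla_breached"], -f["days_patch_available"]))
    return findings


if __name__ == "__main__":
    for f in patch_lag_report(INVENTORY, ADVISORIES, AS_OF):
        flag = "SLA BREACH" if f["sla_breached"] else "within SLA"
        print(f"{f['host']:7} {f['component']} {f['version']:9} {f['advisory']} "
              f"{f['severity']:8} fix available {f['days_patch_available']:3d} days  {flag}")
```

The point of the report is the `days_patch_available` column: an organization that only tracks "open vulnerabilities" never sees that a critical fix has been sitting unapplied for 67 days, which is exactly the number that should land on someone's desk with their name on it.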
There's also the question of what security teams are actually measured on. In many organizations, security is treated as a cost center rather than a strategic function. The metrics that matter to executives – revenue, customer growth, operational efficiency – don't directly include "number of vulnerabilities remediated this quarter." Security teams that prevent breaches are largely invisible, because nothing bad happened. It's a discipline where doing your job perfectly produces no obvious result, and the consequences of failure are delayed and probabilistic. That's a difficult environment for sustained investment.
One of the most significant shifts in the data breach landscape over the past decade is the rise of supply chain and third-party vendor attacks. A company can have excellent internal security practices and still get breached through a vendor, contractor, or software library that it relies on but doesn't fully control.
The SolarWinds attack in 2020 is the defining example of this. Attackers compromised SolarWinds' software build process and pushed malicious code into a legitimate software update that was then distributed to 18,000 customers, including multiple US government agencies, Microsoft, Intel, and major financial institutions. The victims didn't do anything wrong in the conventional sense. They installed a routine software update from a trusted vendor. The breach happened upstream, in a part of the supply chain they had no direct visibility into.
This pattern has become increasingly common. The MOVEit campaign in 2023 exploited a SQL injection flaw in MOVEit Transfer, a widely used managed file transfer product, and affected well over a thousand organizations, including the BBC, British Airways, and numerous government agencies. Again – the victims weren't necessarily negligent. They were using software they had every reason to trust, and a previously unknown vulnerability in that software became an entry point.
The uncomfortable reality is that modern enterprises rely on hundreds or thousands of third-party tools, services, and software libraries. Maintaining genuine security visibility across that entire ecosystem is a problem nobody has fully solved.
A significant proportion of data breaches – particularly at larger companies – aren't initiated through sophisticated technical exploits. They start with a stolen or phished credential. An attacker gets access to one employee's username and password, often through a phishing email or by purchasing it from a previous breach on the dark web, and that single credential becomes a foothold into the organization.
This is more effective than it should be because of two persistent behaviors: password reuse and inadequate multi-factor authentication (MFA) adoption. If an employee uses the same password across their work email and a personal account that was breached elsewhere, an attacker can take that leaked credential and try it against the corporate login. This is called credential stuffing, and it's automated and cheap to run at scale. Billions of username-password combinations from historical breaches are freely available to anyone willing to look.
The fix for this – strong unique passwords combined with MFA – is well understood and not technically difficult to implement. The challenge is adoption. Organizations struggle to enforce MFA consistently across all employees, all systems, and all access points, especially when some users push back on the friction it adds. One account without MFA, in a system with access to sensitive data, is enough. And not all MFA is equal: SMS codes and push approvals can themselves be phished or worn down with repeated prompts, which is why phishing-resistant methods such as FIDO2 security keys and passkeys are the target state.
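Credential stuffing has a recognisable shape in authentication logs: one source address cycling through many different usernames with a high failure rate in a short window, and the occasional success where a reused password landed. The detector below is an added example (not the page's or any product's code) that runs over a constructed log excerpt; the one-line log format, the ten-minute window, and the thresholds are assumptions. It also includes a single-account brute-force source to show that this rule is specific to stuffing and does not match it.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not from the page or any product. The log lines are constructed;
the line format, window size and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log. 203.0.113.7 walks through leaked username/password
# pairs and lands one (grace reused her password elsewhere). 198.51.100.20 is
# alice mistyping her own password. 192.0.2.9 hammers a single account, which
# is brute force rather than stuffing and is deliberately not matched here.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z src=198.51.100.20 user=alice result=FAIL
2024-05-01T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:05Z src=198.51.100.20 user=alice result=FAIL
2024-05-01T10:00:06Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:07Z src=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:08Z src=198.51.100.20 user=alice result=OK
2024-05-01T10:00:09Z src=203.0.113.7 user=grace result=OK
2024-05-01T10:00:10Z src=192.0.2.9 user=admin result=FAIL
2024-05-01T10:00:11Z src=192.0.2.9 user=admin result=FAIL
2024-05-01T10:00:12Z src=192.0.2.9 user=admin result=FAIL
2024-05-01T10:00:13Z src=192.0.2.9 user=admin result=FAIL
2024-05-01T10:00:14Z src=192.0.2.9 user=admin result=FAIL
2024-05-01T10:00:15Z src=192.0.2.9 user=admin result=FAIL
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one event; malformed or unrelated lines are skipped, not fatal."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_distinct_users=5, min_fail_ratio=0.8):
    """One source trying many *different* accounts with mostly failures inside a
    short window is the stuffing signature. Returns {src: details} for every
    source that crossed the thresholds, including the accounts it got into."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this source's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                a = alerts.setdefault(src, {"distinct_users": 0, "attempts": 0,
                                            "compromised_accounts": set()})
                a["distinct_users"] = max(a["distinct_users"], len(users))
                a["attempts"] = max(a["attempts"], len(win))
                a["compromised_accounts"].update(e["user"] for e in win if e["ok"])
    return {src: {**a, "compromised_accounts": sorted(a["compromised_accounts"])}
            for src, a in alerts.items()}


if __name__ == "__main__":
    for src, a in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {a['attempts']} attempts across {a['distinct_users']} accounts; "
              f"successful logins: {a['compromised_accounts'] or 'none'}")
```

The successful login from a flagged source is the actionable output: that account's password is known to the attacker and needs resetting regardless of whether MFA stopped the session. Real stuffing tools spread attempts across proxy pools and slow the rate to stay under per-IP thresholds, so in production this rule is paired with aggregation by device fingerprint or ASN and with per-account checks, rather than relied on alone.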
Here's the uncomfortable economic reality: for many large companies, the financial cost of a data breach is manageable. It's unpleasant, it involves legal fees and regulatory fines and notification costs, but it rarely threatens the company's fundamental viability. The calculus that security investment has to win against is not "breach costs everything" – it's "breach costs X, and prevention costs Y, and X is often less than Y when you factor in probability and timeline."
The GDPR in Europe raised the stakes significantly by introducing fines of up to 4% of global annual revenue, which for large tech companies is genuinely eye-watering. But enforcement has been inconsistent, and the time between a breach and a meaningful penalty can stretch to years, which reduces the urgency considerably. In the US, there is no single comprehensive federal data breach law, and state laws vary widely. The Federal Trade Commission can pursue companies for unfair or deceptive practices, but the penalties for data security failures are often modest relative to the companies involved.
Meta, for example, has paid billions in settlements and fines globally and continues to operate essentially unchanged. Yahoo settled a class-action lawsuit for $117.5 million over breaches that affected all 3 billion of its accounts. T-Mobile has settled multiple breach-related lawsuits totaling hundreds of millions of dollars. In each case, the company paid, absorbed the cost, and moved on. The deterrent effect of these penalties is real but limited. Until the financial consequences of chronic security failures genuinely threaten executive compensation and shareholder returns, the incentive to invest in prevention over remediation remains weak.
Even with excellent infrastructure, strong patch management, and MFA enforced across the board, one well-crafted phishing email sent to the right employee can undo a lot of it. Social engineering – manipulating people rather than exploiting code – remains one of the most effective attack vectors, and it's genuinely difficult to defend against at scale.
The 2020 Twitter breach is a clear example. Attackers phoned Twitter employees, impersonated IT staff, and talked them into handing over credentials. That's it. No zero-day exploit, no advanced persistent threat infrastructure – just a phone call. Using those credentials and the internal tools they unlocked, the attackers took over the accounts of Barack Obama, Elon Musk, Bill Gates, Apple, and others to run a Bitcoin scam. A company with significant security resources was compromised by a social engineering call because the human layer – the employee who received the call and made a judgment call in the moment – is not something you can patch.
Security awareness training helps, but it's a statistical game. If an organization has thousands of employees and attackers can send thousands of convincing phishing emails, the question isn't whether any employee will fall for one – it's when. The realistic goal isn't zero failures; it's containing the blast radius when a failure happens through network segmentation, least-privilege access, and fast detection and response.
One detail that never gets enough attention in breach news coverage: the average time between a breach occurring and a company detecting it is measured in weeks to months, not hours. The IBM Cost of a Data Breach Report 2023 found a mean time to identify a breach of 204 days, and a mean time to contain it of an additional 73 days. That's nearly nine months from breach to containment, during which attackers can move laterally through systems, exfiltrate data, and cover their tracks.
Organizations that invest in detection and response – security operations centers, threat hunting, behavioral analytics that flag unusual access patterns – can compress these timelines dramatically. But building and staffing those capabilities is expensive and competes for budget with the more visible, immediate-feeling investments in firewalls and perimeter defenses. Perimeter defense is intuitive: keep attackers out. Detection and response is a harder sell: assume attackers are already in, and get better at finding them.
The reality of modern enterprise security is closer to the second mindset. Perimeters are porous, third-party access is extensive, and the idea that a company's data is fully separated from the outside world by a clean boundary is a comfortable fiction. The organizations that handle security best tend to be the ones that have internalized that assumption.
The pattern of repeat breaches isn't inevitable – it's a product of specific, identifiable failures in incentives, accountability, and investment. A few things would move the needle meaningfully.
Liability frameworks that hold executives personally accountable for chronic security failures would change the internal calculus around security investment faster than almost anything else. When the personal financial exposure of a CISO or CEO is directly connected to a breach, security stops being a cost center and starts being a personal concern. The SEC's 2023 cybersecurity disclosure rules, which require public companies to report a cybersecurity incident within four business days of determining it is material and to describe their cybersecurity risk management and governance in annual filings, are a step in this direction – they tie security posture to disclosure obligations that executives take seriously.
Mandatory minimum security standards with teeth – not just guidelines, but enforceable requirements – would raise the floor across industries that handle sensitive data. Healthcare and financial services have sector-specific frameworks (HIPAA and PCI DSS respectively), but compliance with these frameworks doesn't guarantee security and the enforcement record is mixed.
And at the individual level, understanding that your data is a target held by third parties beyond your control is its own kind of useful calibration. Using unique passwords managed by a password manager, enabling MFA wherever it's offered, and being realistic about what you share and where won't stop a company from getting breached. But it limits the damage to you when they do.
Why do companies keep getting breached even after investing in security? Because security is not a state you achieve – it's an ongoing process against an adversary that adapts. A company can be secure today and vulnerable tomorrow if a new vulnerability emerges in software they use, if an employee makes a mistake, or if a vendor they rely on gets compromised. The companies with the most repeat breaches tend to combine large data holdings (making them high-value targets), complex legacy infrastructure, and inconsistent follow-through on known vulnerabilities.
What's the most common way breaches actually start? Phishing and credential theft are the most common entry points, not sophisticated hacking. IBM's annual Cost of a Data Breach reports put phishing and stolen or compromised credentials at the top of the list of initial attack vectors, trading first place from year to year. The technical exploits that get the most attention in coverage are real but represent a smaller proportion of total breaches than social engineering and credential reuse.
Should I be worried about my personal data? Realistically, assume that some of your personal data has already been exposed in at least one breach. Tools like Have I Been Pwned (haveibeenpwned.com) let you check your email address against known breach databases. The practical steps that reduce your exposure are: using unique passwords for each account, enabling MFA wherever possible, and being skeptical of unsolicited contact that asks for personal information or login credentials.
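Checking a password against a breach corpus sounds like it requires sending the password somewhere, which would be worse than not checking. The Pwned Passwords service avoids that with a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every suffix in that bucket, and compares locally. The script below is an added example, not Have I Been Pwned's own code, that implements the client side of that protocol. The range response is constructed so the example runs offline; `fetch_range_live()` shows the shape of the real request and is not invoked.

```python
"""Check a password against a breach corpus without sending the password.

Added example, not Have I Been Pwned's own code. Implements the client side of
the Pwned Passwords k-anonymity range protocol. The range response used here is
constructed so the example runs offline.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Only the 5-char prefix leaves the machine; the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix, body):
    """Parse 'SUFFIX:COUNT' lines and return how many times this password's
    hash appears in breach data (0 if absent). Padded responses contain
    ':0' entries for fake suffixes; those naturally count as 0."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password, fetch_range):
    """fetch_range(prefix) -> response body; injected so the network is optional."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_live(prefix):
    """Real network fetch (not called in this example). Add-Padding asks the
    API to pad the bucket so the response length does not reveal which
    prefix was queried to someone watching traffic sizes."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "range-query-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API bucket that holds the hash of "password".
# The suffix is computed; the counts and the other two suffixes are made up.
_PREFIX, _SUFFIX = split_for_range_query("password")
CONSTRUCTED_RANGE = {
    _PREFIX: "\r\n".join([
        "00000000000000000000000000000000001:3",
        f"{_SUFFIX}:1234567",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",
    ])
}


def fetch_range_constructed(prefix):
    """Offline replacement for fetch_range_live; empty body for unknown buckets."""
    return CONSTRUCTED_RANGE.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "a long unique passphrase nobody has leaked"):
        print(f"{pw!r}: seen {check_password(pw, fetch_range_constructed)} times")
```

The privacy argument is in `split_for_range_query`: the server learns a five-character prefix shared by hundreds of hashes and nothing else, and the comparison that actually identifies the password happens on the client. The same protocol is what a corporate login system can use to reject a newly chosen password that is already in a breach corpus, which closes the reuse path described above without anyone ever transmitting a plaintext password.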
Do companies ever actually face real consequences? Sometimes, increasingly. GDPR enforcement has produced fines in the hundreds of millions of euros for several companies and a €1.2 billion fine for Meta in 2023. The FTC has pursued several companies for inadequate security practices. Class-action settlements add up. But the consequences are often delayed, inconsistent, and still smaller relative to company size than most people assume. The regulatory environment is tightening, but it's a slow process.
What is a zero-day vulnerability and why does it matter here? A zero-day is a software vulnerability that is unknown to the software vendor – meaning no patch exists yet because the vendor doesn't know to make one. Attackers who discover or purchase zero-days can exploit them without the target being able to defend against them through patching. They're significant but relatively rare in practice. Most breaches exploit known vulnerabilities for which patches exist but haven't been applied, which is arguably the more damning failure.
Data breaches keep happening at the same companies because the problem is structural, not accidental. Legacy infrastructure, diffuse accountability, inadequate detection, the economics of remediation versus prevention, supply chain complexity, and the persistent effectiveness of human-layer attacks combine into a system where breaches are not anomalies – they're the expected output.
Understanding why it keeps happening is the first step toward holding companies to a higher standard when it does. The question to ask after the next breach isn't "how did hackers get in?" It's "what decision, investment, or incentive structure made this more likely than it should have been – and has anything changed that would prevent the next one?"
Usually, the honest answer isn't encouraging.
Identity Theft Resource Center 2023 Annual Data Breach Report – ITRC: https://www.idtheftcenter.org/publication/2023-annual-data-breach-report/
IBM Cost of a Data Breach Report 2023 – IBM Security: https://www.ibm.com/reports/data-breach
Equifax data breach details and causes – US Senate PSI Report: https://www.hsgac.senate.gov/subcommittees/investigations/media/senators-release-bipartisan-report-on-the-equifax-data-breach
SolarWinds attack explained – CISA Advisory: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
MOVEit vulnerability and impact – CISA: https://www.cisa.gov/news-events/alerts/2023/06/07/progress-software-releases-security-advisory-moveit-transfer-vulnerability
Twitter 2020 breach details – Twitter blog: https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident
SEC cybersecurity disclosure rules 2023 – SEC: https://www.sec.gov/news/press-release/2023-139
Have I Been Pwned breach database – haveibeenpwned.com: https://haveibeenpwned.com