It’s Not Real Until It Hurts: Why No One Demands Change
If nobody is going to hold you accountable, why be accountable?
Believe it or not, some people will claim that we’ve made progress in cybersecurity. Sure, there are more tools, more frameworks, more professionals, and more funding than ever—but let’s be honest. When you zoom out and look at the full picture, we haven’t progressed. We’ve drifted.
And it’s the slow drift that gets you—not the sharp turn.
The First Cut Was in 2005
Cybersecurity has always been there, lurking in the background. But for most people, it didn’t become real until a data breach letter landed in their mailbox—maybe the one from ChoicePoint in February 2005. That’s widely considered to be the first official customer breach notification in the U.S.
Since then?
Nobody really knows how many data breaches there have been. You’d think someone would track this stuff, but no. Not reliably. A few groups have tried, thankfully.
The Identity Theft Resource Center (ITRC) has been doing the best job in the U.S., tracking publicly reported data breaches since 2005. According to their 2024 report, since 2005, we’ve seen:
- 21,900+ data compromises
- Nearly 60 billion records exposed
- Nearly 12 billion breach notifications sent
And this is just privacy-related breaches, a subset of the total security mess.
Ransomware? That’s just as ugly.
In 2024 alone, Cyberint counted 5,414 publicly reported ransomware attacks worldwide—up 11% from the year before. And that’s just the ones we know about. Most attacks aren’t reported. Some are swept under the rug. Some companies just pay quietly and move on.
So no—we’re not making progress. We’re just getting used to the pain.
$16.6 Billion in Pain (That We Know About)
We also suck at measuring impact. The FBI’s Internet Crime Complaint Center (IC3) recorded $16.6 billion in cybercrime losses in 2024—a 33% increase from 2023. Among older adults (60+), reported losses hit $4.8 billion.
And if you’re thinking, “Well, that’s bad, but it’s manageable,” think again. Cybersecurity Ventures estimated global cybercrime costs reached $9.5 trillion in 2024. That number’s probably inflated—but it’s not imaginary.
Still, the public doesn’t demand change.
We don’t demand accountability. We don’t demand security. We shrug, maybe freeze a credit report or two, and move on.
Why?
Because it doesn’t hurt enough.
The Pain is Spread Too Thin
The average person doesn’t feel the full sting of a data breach. Maybe a few more bucks in banking fees. Maybe a new debit card. Maybe a class-action email promising you $3 and a pat on the back. But that’s not pain. That’s inconvenience.
And that’s the problem.
We don’t change until it hurts. Really hurts.
And so far, we’ve managed to spread the pain around just enough to avoid a collective outcry. But that won’t last.
Because the chickens will come home to roost.
Why People Don’t Care (Yet)
Let’s break this down. Why don’t people give a damn—even after tens of billions of records have been compromised?
- It’s Death by a Thousand Cuts: Breaches happen slowly and constantly. Since 2005, the U.S. alone has seen thousands of them. It’s become background noise. Changing a password or freezing your credit doesn’t feel like suffering.
- The Fallout Is Manageable: Most people never face real consequences. Maybe some fraud, some spam, maybe an annoying call. The big stuff—identity theft, ruined credit—is rare. And even when it hits, free credit monitoring smooths it over.
- Nobody Feels in Control: You didn’t cause the breach, and you can’t stop it from happening again. So what’s the point in getting mad?
- We Trade Privacy for Convenience: Social media. Free apps. Online shopping. People gladly hand over their data for ease, entertainment, or a discount. It numbs them to risk.
- Desensitization Through Frequency: Breach fatigue is real. When there are thousands of compromises per year, none of them feel special anymore. Especially when the headlines are just numbers—no faces, no stories, no blood.
The Tipping Point Is Coming
Here’s the scary part. This is just privacy. We’re not even talking about:
- Critical infrastructure
- Intellectual property theft
- National security
- Human safety
The real pain is coming. And when it does, it’s going to feel like it came out of nowhere—even though it didn’t.
Picture this:
- Mass identity fraud fueled by decades of leaked data
- AI-driven phishing and deepfake scams that empty retirement accounts overnight
- Healthcare ransomware that locks people out of medical records during surgery
- Nation-state breaches that weaponize your personal data against you or your kids
- Biometric theft (e.g., facial recognition, fingerprints, DNA) that can’t be undone or reset
Then what?
Maybe then, people will care.
Why Real Change Hasn’t Happened
Because the pain is abstract and delayed.
And the consequences? Spread out, hidden, and easily forgotten.
Equifax exposed 147 million people’s data in 2017. Only a fraction suffered real harm. The company paid a pittance per person in settlement. Less than 4% of affected individuals even claimed it.
There’s no rallying cry when the harm trickles in quietly.
What Will Drive Real Change?
When it finally hurts bad enough, here’s what might (finally) move the needle:
- Real Accountability: Not just fines. Personal liability for executives and decision-makers who ignore basic security hygiene.
- Define Negligence: If a company doesn’t know what systems it owns (no asset inventory), that should be gross negligence. Period. Today, most companies don’t have an asset inventory.
- Stronger Laws: Like a real U.S. federal privacy law with teeth.
- Consumer Revolt: People actually boycotting companies or adopting privacy tools at scale.
- Tech Shifts: Moving away from centralized data models. More encryption. Less reliance on big-data honeypots.
But why wait until it hurts that bad?
Final Thought
Every little compromise feels harmless.
Justified. Rationalized. Brushed aside.
But compromise stacks up.
And one day, you’ll look around and wonder how the hell we got here.
The answer?
One degree off course. Every day. For years.
Cybersecurity didn’t fail overnight.
It failed slowly—because nobody made it real.
Until it becomes personal, until it cuts deep, until it wrecks something you can’t ignore—nobody demands change.
But part of my job is to try to help people up before that happens.
And I won’t stop.