In 2024, over 1.7 billion individuals experienced breaches of their personal data, with many incidents involving the exposure of highly sensitive information, including Social Security numbers and physical addresses. This alarming trend leaves affected individuals vulnerable to identity theft and targeted attacks. Data breaches are becoming increasingly prevalent at both local and national levels. A notable example occurred in Ann Arbor, where hackers accessed the University of Michigan’s systems, resulting in the theft and exposure of data belonging to approximately 230,000 people. Additionally, a series of state-sponsored cyberattacks, including Russian interference in U.S. elections and a breach of the U.S. Department of the Treasury by Chinese hackers, highlight the rising significance of data security in global power dynamics. This situation underscores that privacy is not only a personal concern but also a critical component of national and geopolitical security.
While the tech and digital sectors are among the fastest-growing industries in the United States, they paradoxically receive limited regulatory oversight. Currently, there is no comprehensive federal law in the U.S. that specifically governs data privacy and the protection of personal information. The absence of robust regulations has a direct financial impact, significantly contributing to rampant identity theft, widespread fraud, and escalating national security risks. The deficiency in data protection is compounded by a widespread misunderstanding of privacy among Americans. Research indicates that a majority of the population lacks knowledge about how their personal data is handled by various companies. Alarmingly, 91% of individuals believe they have little to no control over their data, emphasizing the urgent need for enhanced privacy awareness and ownership.
Digital identity wallets are emerging as a potential solution to bolster personal data security. These secure mobile applications store and manage users’ personal information while using advanced security measures, including biometric authentication and encryption, to protect data and provide users with greater control. Unlike the current system, which allows companies to collect and maintain an extensive amount of personal data during online transactions, digital identity wallets empower users to decide what information they share and how it is stored. For instance, when making an online purchase, instead of providing personal details that can be misused or sold, consumers can grant temporary access to only the necessary data, such as shipping addresses.
Countries around the globe are beginning to adopt such digital identity systems, with the European Union mandating that member states must offer digital ID wallets by 2026. The U.S. may soon follow suit, especially following recent Supreme Court decisions that have brought privacy concerns to the forefront of public discourse. Given the focus on government efficiency and cost reduction, and considering that fraud costs the U.S. economy over $500 billion annually, there is a growing likelihood of federal adoption of digital ID wallets. However, the successful implementation of such a system could encounter challenges stemming from a historical mistrust of government data management among American citizens.
Nevertheless, many states have already initiated the use of digital IDs for driver’s licenses, stored within widely used applications like Apple Wallet and Google Wallet. These applications not only securely carry and store sensitive information but have also shown greater resilience to breaches than many corporate data stores. Expanding the functionality of these digital wallets to include personal identification is a logical next step, provided that appropriate infrastructure is developed to support widespread adoption.
As technology continues to evolve rapidly, it is critical to modernize the underlying infrastructure to address the increasing threats posed by data breaches. The growing prevalence of these breaches calls for a systemic approach to protecting personal data in an ever-connected world. Businesses must remain vigilant and informed about cybersecurity practices, as the risks associated with data exposure are severe and pervasive.
The MITRE ATT&CK framework identifies several potential adversary tactics that could have been employed in these attacks. Techniques such as initial access, persistence, privilege escalation, and data exfiltration may have been utilized by threat actors targeting both individuals and organizations. By understanding these tactics, businesses can better prepare for and mitigate the risks associated with data breaches, fostering a culture of proactive cybersecurity management.
