Apparently some company I do business with shared my data with another corp without me knowing,
WTF?
then that corp who I did not know had my data was breached.
WTF?
Then the breached corp who could not competently secure the data in the first place offers victims gratis credit monitoring services (read: offers to let yet another dodgy corp also have people’s sensitive info thus creating yet another breach point). Then the service they hired as a “benefit” to victims outsources to another corp and breach point: Cloudflare.
WTF?
So to be clear, the biggest privacy abuser on the web is being used to MitM a sensitive channel between a breach victim and a credit monitoring service who uses a configuration that blocks tor (thus neglecting data minimization and forcing data breach victims to reveal even more sensitive info to two more corporate actors, one of whom has proven to be untrustworthy with private info).
I am now waiting for someone to say “smile for the camera, you’ve been punk’d!”.
(update)
Then the lawyers representing data breach victims want you to give them your e-mail address so they can put Microsoft Outlook in the loop. WTF? The shit show of incompetence has no limit.
That sounds like the average megacorp terms of service these days.
Yes, just because everyone’s doing it doesn’t mean they can’t be better. They should be better, but worldwide government regulations don’t force that (yet).
But at some point to interact with any kind of large company, your information is going to end up crossing the path of a large company, especially one of the hyperscale cloud and connectivity providers like Microsoft, Akami, Cloudflare, Google, Amazon, etc.
Whether businesses get copies of information is usually included in a site’s privacy policy, and if you’re curious about that list (and it’s not publicly documented), I’d hope there’s a contact to get more info about the policy (like a privacy@ email address)
If you really want to limit your information exposure, you either have to audit everyone you do business with this way (because most large companies do this) or hire someone (or a service) to do it.
You could also consider not interacting with large companies at all - but you’d limit yourself from part of the modern world. If that’s your game, by all means by my guest.
Actually the large corps are more likely to hold the data in-house. Small companies cling to outsourcing. E.g. credit unions are the worst… outsource every service they offer to the same giant suppliers. Everyone thinks only a small company has the data (and consequently that the small dataset does not appeal to cyber criminals) but it’s actually worse because they outsource jobs even as small as printing bank statements to the same few giants most other credit unions use. Then they do the same for bill pay with another company. It’s getting hard to find a credit union that does not put Cloudflare in the loop. So in the end a dozen or so big corps have your data and it’s not even disclosed in the privacy statement.
Of course it depends on the nature of the business. A large grocery chain is more likely to make sure your offline store purchase history reaches Amazon and Google than a mom & pop grocer who doesn’t even have a loyalty program.
I have never seen a privacy policy that lists partners and recipients apart from Paypal, who lists the 600+ corps they share data with for some reason. Apart from bizarre exceptions privacy policies are always too vague to be useful. Even in the GDPR region. If you read them you can often find text that does not even make sense for their business because they just copied someone else’s sufficiently vague policy to use as a template.
The breach happened in a country where companies are not required to respond to audits. No company wants any avg joe’s business badly enough to answer questions about data practices. In the EU, sure, data controllers are obligated to disclose the list of parties they share with (on request, not automatically). And even then, some still refuse. Then you file an article 77 complaint with the DPA where it just sits for years with no enforcement action.
My approach is a combination of avoiding business entirely, or supplying fake info, or less sensitive info (mailing address instead of residential, mission-specific email, phone number that just goes to a v/m or fax). This is where the battle needs to be fought – at data collection time. Countless banks needlessly demand residential address. That should be rejected by consumers. Data minimization is key.
In the case at hand, I’m leaning toward opting out of the class action lawsuit and suing them directly in small claims court. I can usually get better compensation that way.