Just a few weeks ago, a major Australian health insurance provider (which I’m not naming for my own safety) that I was communicating with accidentally sent me a document containing another customer’s personal and medical information, including details about their minor child. I informed them that they were legally required to notify the affected person about this privacy breach. However, the representative I spoke with dismissed my concerns and didn’t take the issue seriously. I’ve since filed a formal complaint with the Office of the Australian Information Commissioner (OAIC).
The Hotmail email I created as a child has been involved in 8 data breaches, leaking my real name, date of birth, phone number, physical address and geographic location amongst other things (credit to Have I Been Pwned).
In 2025, the app ‘Tea’ experienced a data breach, exposing tens of thousands of user selfies and government IDs (like driver’s licenses), along with over a million private messages containing personal details. This led to severe privacy violations, online shaming on platforms like 4chan, and physical safety fears[1] for users.
Last week, when I learnt that photos of a woman on the toilet, taken by her Roomba vacuum cleaner, ended up on Facebook in 2020, I wasn’t surprised.
The breaches we don’t know about
These are just the incidents we know about. These days, attackers routinely hold company data to ransom, threatening to leak it if a fee is not paid.
Garmin, whose fitness trackers are worn by millions, was hit in 2020 and reportedly paid $10 million to the ransomware operators who had rendered its systems unusable.
When a company pays, the data isn’t posted publicly, but it remains in the criminals’ hands. Paying buys only a promise not to publish; nothing stops the criminals from pursuing further profitable uses of the data, such as identity theft or selling it privately to people interested in committing that kind of crime.
How many companies have been ransomed that we don’t know about?
Data breaches have been increasing over time, and the recent trend of no-coders productionising applications[1][2][3][4] will only make them more frequent.
Age verification and the normalisation of ID uploads
As of 10 December 2025, Australia, the country I reside in, enforces a law requiring that “age-restricted social media platforms must take reasonable steps to prevent Australians under 16 from having accounts”.
While the law explicitly states that platforms must not require government-issued ID (alternative means of age assurance must be offered) and encourages low-friction age verification, many platforms are implementing ID or biometric verification anyway. This normalises the practice of uploading highly sensitive identification just to access the internet (discussion on Hacker News).
A few months ago, Ian Carroll posted a blog post detailing how he obtained access to Max Verstappen’s and a number of other F1 drivers’ passports. The attack cost him just a few hours of work.
My deserted blog, which I am planning on reviving, lived on Substack. The other day, I found out that I was locked out of my account and can’t even delete my content or my account without uploading a 3D scan of my face.
The crumbling barrier
The rise in identity theft is a useful index of how pervasive data breaches have become. The crime requires many disparate pieces of a person’s information, which usually have to be gathered from different sources, so rising identity theft indicates that breaches have become both frequent and interconnected enough for that information to be assembled systematically.
For many of us, a single additional identity document, such as a scan of a driver’s licence or passport, is the only barrier left between a criminal and a successful identity theft. As we’re pressured to upload these documents to more and more services, that barrier crumbles.
Identity theft cases have reached record highs, with U.S. losses topping $12.7 billion in 2024[1][2][3][4]. Data breaches are also at an all-time high, up 72% on the previous record[5][6].
I have had to email privacy@substackinc.com with my request and rely on my right to data deletion, covered under Australian law.
Other changes I’ve made include setting up a new email address under a fake name and making a habit of giving it out, fake name included, on any form that doesn’t strictly require my real details.
Meanwhile, I’ve set up a personal blog at s-jac.github.io/blog/, and have started to question my entire online presence.