Just a few weeks ago, while I was communicating with a major Australian health insurance provider, they accidentally sent me a document containing a minor’s personal and medical information. I informed them that they were legally required to notify the affected person about this privacy breach. However, the representative I spoke with dismissed my concerns and didn’t take the issue seriously. I’ve since filed a formal complaint with the Office of the Australian Information Commissioner (OAIC).
The Hotmail email I created as a child has been involved in 8 data breaches, leaking my real name, date of birth, phone number, physical address and geographic location amongst other things (credit to Have I Been Pwned).
In 2025, the app ‘Tea’ experienced a data breach, exposing tens of thousands of user selfies and government IDs (like driver’s licenses), along with over a million private messages containing personal details. This led to severe privacy violations, online shaming on platforms like 4chan, and physical safety fears[3] for users.
A few months ago, Ian Carroll posted a blog post detailing how he obtained access to Max Verstappen’s and a number of other F1 drivers’ passports. Though clever, it was not a sophisticated attack.
And in February 2026, the AI social network MoltBook leaked 1.5 million API keys, right after the creator posted a tweet bragging:
I didn’t write one line of code for @moltbook.
These are just the incidents we know about. These days, hackers will ransom company data, threatening to leak it if a fee is not paid.
This affected Garmin in 2020, whose fitness trackers are worn by millions. Garmin reportedly paid $10 million to ransomware hackers who rendered their systems useless.
When companies pay the ransom, the data isn’t posted publicly, but it remains in the hands of criminals. There is no reason that these criminals would not pursue further profitable endeavours like identity theft, or selling the data privately to individuals interested in those sorts of crimes.
How many companies have been ransomed that we don’t know about?
Data breaches have been increasing over time. Thanks to AI coding tools, individuals are able to launch applications without reading or understanding their code, and this is likely to accelerate the frequency of data breaches[7][8][9][10].
On December 10, 2025, Australia (where I reside) introduced a law requiring that “age-restricted social media platforms must take reasonable steps to prevent Australians under 16s from having accounts”.
While the law explicitly states that platforms must not require government-issued ID and encourages low-friction age verification, many platforms are implementing ID or biometric verification anyway. This normalises the practice of uploading highly sensitive identification to access the internet (discussion on Hacker News).
When I tried to revive my deserted blog on Substack, I found that I was locked out of my account. To log back in, I needed to upload a 3D scan of my face. According to online reports, if you make it through this step, you are then required to upload a government-issued ID[21][22].

This is what I saw when I tried to visit Substack
Identity theft can serve as an index for tracking the pervasiveness of data breaches. Since the crime itself requires so many disparate pieces of a person’s information, which can often only be obtained from various places, rising identity theft indicates that data breaches have become both frequent and interconnected enough to enable systematic information assembly.
Obtaining a single additional form of physical identification, like a driver’s license or passport scan, is the only remaining barrier to identity theft. As we’re pressured to upload these documents to more and more services, that barrier crumbles.
Fraud cases have reached record highs, with U.S. losses topping $12.5 billion in 2024[14][15][16][17]. Data breaches are also at an all-time high, with a 72% increase over previous records[18][19].
The barrier to identity theft is crumbling.
I have had to email privacy@substackinc.com with my request and rely on my right to data deletion, covered under Australian law.
Some other changes I’ve made include setting up a new email address under a fake name and making a habit of handing it out to any form that doesn’t strictly require my real details.
Finally, I’ve set up a personal blog at s-jac.github.io/blog, and you are on it right now.