There's more bad news on the data breach front, with fresh reports from Equifax and the United States Marine Corps that draw more attention to preventative measures.

Equifax once again disclosed that its 2017 breach impacted more than the initially reported (2.4 million more are impacted). And personal identifiable information including banking data and Social Security numbers of 20,000-plus Marines, sailors and civilians was compromised by the U.S. Marine Corps Forces Reserve.

Breach investigations can be very lengthy and it is not uncommon to disclose additional findings over time. For example, some companies may soon be required to issue a public notification of data breaches within three days of a cyber incident, but in some complicated cases the actual findings may continue to be identified for months.

A monitor displays Equifax signage on the floor of the New York Stock Exchange.
Bloomberg News

Regardless of whether or not a person's information is confirmed to be affected, payment companies should suggest that everyone follow the best practices shared at the time of the incident, such as freezing access to credit reports and putting a credit monitoring service in place."

In the case of the Marines, the details of about 21,000 accounts were exposed. This sort of case is not uncommon.

In 2014, a report established that 22% of companies surveyed experienced some form of accidental data leak by employees. Data-leak-prevention products have existed for over a decade, and this is one of the easiest use cases for these products to catch and prevent. An email containing a spreadsheet of credit card numbers or Social Security numbers is the example every company uses to introduce its security solution.

The problem is that most of these solutions get deployed at the edge of the network where email security is typically applied.

But, for example, in the case of internal emails where most emails transit via internal Microsoft Exchange servers, very little is usually done to detect and prevent data leakage. The problem with PII in general is that it is accessed on a need-to-know basis, which means internal networks need to deploy defenses against accidental or malicious access.