
Also, Facebook and other big tech companies are way less likely to get hacked thanks to more established data handling practices.

Breaches still occasionally happen, but you're more likely to see data breaches from these data broker companies because they didn't secure their Elasticsearch DBs or something dumb like that.



> Also, Facebook and other big tech companies are way less likely to get hacked thanks to more established data handling practices.

Well, historically, bad actors haven't needed to "hack" Facebook because it has made it possible for them to access user data without hacking.

https://www.npr.org/2021/04/09/986005820/after-data-breach-e...

> In response to the reporting, Facebook said in a blog post on Tuesday that "malicious actors" had scraped the data by exploiting a vulnerability in a now-defunct feature on the platform that allowed users to find each other by phone number.

It's not a vulnerability, it's a "feature".


Granted it’s old news, but you mean like the founder and employees stalking profiles of those they were interested in during the early days?


I think every company has an incident that makes data protection a real concern. When it's two guys with a PHP app in a dorm room, you don't really expect anything serious, but eventually the risk to the company becomes too high and some useful system gets implemented.

I think Google's watershed moment was this: https://www.gawker.com/5637234/gcreep-google-engineer-stalke...

By the time I got there, it seemed like standard practice for engineers to not be able to read "their own" databases -- every piece of data would be encrypted by a per-user key that only arrives at your application when the user's session is present (or by heavily-audited special exceptions; breakglass, batch jobs, etc.) Much attention was paid to not making data available too widely. (For example, on Google Fiber our hardware knew the MAC addresses of devices that wanted to use WiFi. That's a requirement for 802.11 to work. We modified the Linux kernel, wpa_supplicant, etc. to not log these, explicitly so that someone couldn't collect the logs and do a mapreduce to see who takes their iPhone to their friend's house and intuit a social network. We did that because it was the right thing to do; we only wanted information that was required to operate the service effectively, not to be a dragnet for anything potentially interesting. I'd personally be fascinated to see that information, but it's not the right thing to do.)

I have to imagine that any other large tech company has similar access controls and privacy focus -- even Facebook. Where it gets scary are governments and large non-tech companies that just email around spreadsheets with personal information in them. Yesterday there was an article about Missouri exposing teachers' social security numbers in HTML comments. If you tried to write that code with a data storage system like Google's, it simply wouldn't work. Your code wouldn't have the decryption key for those rows, and you wouldn't be able to output them as HTML comments.
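
A sketch of the per-user key idea described in the comment above, showing why code without the user's session cannot emit the stored value. This is an added example, not code from the thread or from Google: `KeyBroker`, `AEADFor`, `Seal` and `Open` are hypothetical names, and the in-memory maps and all-zero demo key are constructed stand-ins for a real key service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyBroker (hypothetical) releases a user's key only to that user's live session.
type KeyBroker struct {
	keys     map[string][]byte // userID -> 32-byte AES-256 key
	sessions map[string]string // session token -> userID
}

func (b *KeyBroker) AEADFor(token, userID string) (cipher.AEAD, error) {
	if uid, ok := b.sessions[token]; !ok || uid != userID {
		return nil, fmt.Errorf("no live session for %q: key withheld", userID)
	}
	blk, err := aes.NewCipher(b.keys[userID])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal encrypts a row; the user ID is bound as associated data.
func Seal(a cipher.AEAD, userID string, plain []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no randomness: refuse to encrypt
	}
	return a.Seal(nonce, nonce, plain, []byte(userID))
}

// Open decrypts a row; a wrong key or a wrong user ID fails authentication.
func Open(a cipher.AEAD, userID string, row []byte) ([]byte, error) {
	n := a.NonceSize()
	if len(row) < n {
		return nil, fmt.Errorf("truncated row")
	}
	return a.Open(nil, row[:n], row[n:], []byte(userID))
}

func main() {
	b := &KeyBroker{map[string][]byte{"alice": make([]byte, 32)}, map[string]string{"tok": "alice"}} // constructed demo data
	a, _ := b.AEADFor("tok", "alice") // request carrying alice's session
	_, err := b.AEADFor("", "alice")  // page renderer or log job, no session
	fmt.Printf("row: %x\nno session: %v\n", Seal(a, "alice", []byte("ssn=000-00-0000")), err)
}
```

The stored row is only ciphertext to any code path that runs without the user's session; the audited exceptions the comment mentions (breakglass, batch jobs) would be separate, logged paths into the broker and are not modelled here.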



