Ask HN: Why is the resolution to data breaches: "We will offer credit monitoring"
Why do companies continually seem to do this? And not remediate the vulnerabilities inherent in their systems?
What is worse about this is that credit monitoring does nothing to protect you; it only alerts you after the fact.
The issue I have seen in a few incidents is that a company will fix the 1-2 issues that they feel caused the data breach but not take a serious look at overall security. To me that just means they aren't serious and realize that the cost of providing credit monitoring is cheaper than fixing issues and consumers aren't demanding more so it passes as good enough.
What is going to have to change is that consumers in quantities beyond 1-2 are going to need to start suing for damages. Personally, I think the damages could be fairly high. Think of the cost of credit, lost or reduced employment opportunities, car insurance, etc. All of which cost more or are damaged when your credit is dinged, regardless of the source. Multiply that by the years it can take to repair your credit even with all the proper legal documents, etc., and then by the number of consumers affected in some of these cases. That could be a big number which starts to get corporations to change their tune about security.
Of course, to me credit bureaus are an industry ripe with potential to disrupt. The problem is the barrier to entry is steep and the incumbents are not going to let new players in without a major fight, so my guess is the cost would likely be high.
Everyone has their own reasons for not actually fixing the root cause of so many problems, but I've found that the larger the company and the more uncontrolled system entropy has manifested, the less the business actually has any truly actionable control over fixing anything anymore - the inertia of old, bad systems that your business relies upon to keep the lights on is just too much to overcome. For starters, legacy application architectures and systems that just can't be offline, nor actually be fixed by a vendor, can be a hard block. Add in the many vendors and contractors involved as standard for most large companies, add a lot of internal politics to the mix, and the reality becomes that the most cost-effective solution is sadly to just not fix anything and to just pay for PR damage, the credit monitoring, and some more random security consultants to make people feel somewhat better.
A big component of real world security practice is that fixing things has real, serious costs and so businesses will compare those costs to the costs of simply not fixing them and rolling some dice.
Even the ever-critical Bruce Schneier understands and recognizes this reality.
Fixing the problem after the fact does nothing for the people affected by said vulnerabilities. Sure, they can fix the hole and assure people that it's fixed, but if you've had your identity stolen/etc, that's not much consolation.
Because it has been established by precedent as a reasonable "consideration" for the limited harm of losing your personal data. (You don't have actual damages until your identity is stolen, not just your information.) It's meant to show that they didn't do nothing, without having to do anything more expensive. It's the minimum they think they can get away with.