HACKER Q&A
📣 firstSpeaker

Why are there so many security breaches?


Is there any common reason behind the breaches? Is it the technology that is not mature enough or is it the cost cutting that results in breaches? Is it more about people behaviour or corporate decisions?


  👤 DemocracyFTW2 Accepted Answer ✓
It's maybe necessary to point out the fairly (?) obvious, namely that there can be no 100% secure system. A key can always get stolen or be replaced with a sufficiently similar one, and each door and lock has failure modes. That we nowadays believe digital systems are superior to brick-and-mortar, cash, personal interactions and actual signatures on physical paper—all of which can be robbed, stolen, staged, or spoofed—is largely down to our excitement about the perceived utility of doing things the digital way. But where previously a given interaction was only open to, say, thousands of customers per day (visiting the location of a shop), that same firm's web shop is now readily accessible 24/7 to billions of actors who don't even have to be humans any more. I'd also venture that a fair number of bad guys only do it the cyber way because that might increase their chances of getting something while decreasing their risk of getting caught.

For a transaction I recently had to install an ID app that then wanted to take photos of my face and my ID card. I had no recourse to another method, nor can I know where and how these data will be stored. This data, collected in the name of increased security and trust, has now become part of the global data trove, making it a little bit more attractive to commit online crimes. Therefore, the party that forced me to undergo the procedure has, by their action, made the world at large and online transactions in particular a little less secure and trustworthy.


👤 artie_effim
The good guys (defenders) have to be right 100% of the time, the bad guys (attackers) only have to be right once.

This is the crux of the entire information security industry.


👤 JackOfCrows
Good security and good security people cost money but don't generate any visible revenue. So if you care about your balance sheet, they make you look bad.

Optimism bias is also a thing. People assume bad things won't happen to them. (This is a psychological phenomenon, not just an IT thing.) So if you're an exec, you could advocate for spending the money, or you could just pocket your bonus for cutting costs and go "pfft, nothing is going to happen".

And there's the old "if it's cheaper to deal with breaches if they happen than to pay security staff, most places are just going to assume nothing bad will happen and deal with the cost if it ever comes up".


👤 Nextgrid
Neither governments nor the market adequately punish data breaches, so why expend resources in proactively preventing them when you can just let them happen and pay the (very unlikely) penalty which will be much lower than the cost of proper security?

👤 qwery
Yes, there are common reasons -- poor security practices resulting from a lack of empathy, a lack of a profit motive and a very low risk of any tangible consequences.

> Is it more about people behaviour or corporate decisions?

Yes. A small number of people directly decide what corporations do. A corporation's activity is usually carried out by a larger number of people, who have some, less direct, control over the corporate decision making. Orders of magnitude more people are affected by those decisions and have extremely limited and indirect means of influencing them.

The goals and motivations of capital will never be truly aligned with that of the individual/people/society.

Fewer bankers. Tax capital.


👤 mtmail
Related from 2 weeks ago "Ask HN: Why are there so many data breaches?" https://news.ycombinator.com/item?id=32864743