Fallout from data breaches often underestimated at first in rush to inform those affected

The revelation that the data breach at the U.S. government's personnel office was actually much worse than the government originally thought is following a familiar script.

That's been the case in many recent high-profile hackings at major U.S. companies. Target, Home Depot and TJX all had to announce additional bad news weeks after going public with their breaches.

The Obama administration said Thursday that hackers stole Social Security numbers from more than 21 million people and took other sensitive information when government computer systems were compromised. That's up from the 14 million figure investigators gave The Associated Press last month.

The hacking ultimately prompted the Friday resignation of Office of Personnel Management Director Katherine Archuleta.

Whether it's the government or a major corporation that's been breached, time is of the essence when it comes to informing the people affected, so they can take the steps needed to protect themselves and their personal information. That prompts many hacked entities to go public before all the facts are in.

Meanwhile, inadequate data security measures can make it tough for whoever has been hacked to quickly get a handle on how bad the damage actually is.

As a result, bombshells of bad news such as Thursday's can fall well after the initial dust has settled.

Adam Levin, chairman and founder of the security firm IDT911 Consulting, blamed the "woefully inadequate" state of data security both in government and at major corporations.

"Any organization that has personal identification information needs to know exactly what they have and where they have it," Levin says. "Otherwise, you may not find out for months that information has been stolen in a breach."

Here's a look at some of the highest-profile breaches in recent years:

HOME DEPOT

Home Depot said in September 2014 that 56 million debit and credit card numbers were compromised in a months-long breach of its computer systems. But about two months later, the nation's largest home improvement chain disclosed that hackers also stole 53 million email addresses in addition to the card data.

___

TARGET

Target Corp. first announced its massive data breach in December 2013, saying that 40 million debit and credit cards were affected. But weeks later, the retailer said that further investigation had revealed that the hackers also took the personal information — including email addresses, phone numbers, names and home addresses — of 70 million people.

___

TJMAXX

TJX Cos., the parent company of retailers T.J. Maxx and Marshalls, didn't say at first how many people were affected by the data breach it announced in 2007. It initially said the intrusion into its customer data files took place between May 2006 and January 2007, but it later learned that it had also been hacked in July 2005 and at other periods during that year. Ultimately, the breach exposed at least 45.7 million credit and debit cards to possible fraud.

___

SONY PICTURES

While different from the large retail breaches, the hacking of the computer systems at Sony Pictures also got progressively worse in the weeks following its initial discovery in November 2014. At first, personal information, including emails, Social Security numbers and salary details for nearly 50,000 current and former Sony workers, was leaked online. And screeners of unreleased movies were uploaded to the Internet for illegal download.

Thousands of emails involving Sony executives, many of them embarrassing, were later released. The hackers also threatened violence targeting movie theaters that planned to show "The Interview," a comedy about an assassination attempt on the leader of North Korea. While many major theaters canceled showings of the movie, it went on to screen at independent theaters and air digitally. The Obama administration later implicated North Korea in the attack.

___

Follow Bree Fowler at https://twitter.com/APBreeFowler