No examples have surfaced of anyone actually exploiting the vulnerability.
Of course that is no longer true, as The Royal Canadian Mounted Police are investigating the cases of 900 Canadian identity theft victims. And there are likely undetected further cases. Still, when I hear this crisis described as “On the scale of 1 to 10, this is an 11,” I conclude that economists think about risk differently than do most people, including tech consultants. (To flip this coin on its other side, I am not especially reassured about the web sites judged as “safe” — should we now start trusting such judgments so strongly?)
What can the deadweight loss be of a previously unnoticed crisis? And if that is an 11, what does a 12 look like? How many Canadian victims would be needed to get us up to 13?