Few consumers take strong action to protect their privacy and identities after receiving a data breach notice, according to a report from the Identity Theft Resource Center and research firm DIG.Works.
The report, based on a survey of 1,050 U.S. adult consumers, found that 16 percent of the research participants took no action after receiving a notice of a data breach affecting their accounts. Information from breached accounts can be used for identity fraud or to make employers vulnerable to cyberattacks, including ransomware and business email compromise (BEC) scams.
Additionally, less than half of the participants (48 percent) changed the passwords for the accounts affected by the breach, and only 22 percent changed all of their passwords after being notified of an attack.
“When we asked 16 percent why they did not act when they received a data breach notice, 26 percent said their data is already available and they can’t do anything about it,” said Eva Velásquez, president and CEO of the ITRC, a San Diego-based non-profit organization founded to provide assistance to victims of identity theft and consumer education.
“But there are actions they can take, depending on what data was compromised, that will help them minimize the risk,” she told TechNewsWorld. “We are not doing a good job of explaining that.”
Ignorance and apathy
Velásquez added that 17 percent of consumers who did not act on a breach notice did not know what to do when they received it, and 14 percent thought the correspondence was a scam.
“When we look at those reasons, it lets us know that the way we notify people, how we present that information, is completely ineffective, and we need to re-evaluate how we inform people that their data has been compromised in a breach,” she said.
Another 29 percent of those who failed to act on a breach notice believed it was up to the breached organization to address the problem. “That’s not true,” Velásquez observed, “so there has to be more communication about where that responsibility begins and ends.”
“Receiving a notification that your personal data has been stolen is chilling, but apparently not scary enough to do anything meaningful about it,” joked Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, California.
“Part of this problem,” he told TechNewsWorld, “is that users think by default that nothing bad will happen to their accounts.”
“Some users may not fully understand what a data breach notification really means and what the implications are,” he told TechNewsWorld, “while others understand the scope but have become apathetic about it.”
The number of consumers ignoring data breach notices should come as no surprise given the lack of training available to them on the subject, said James McQuiggan, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Florida.
“If they are breached, most users will think they are powerless and may not know who to contact,” he told TechNewsWorld.
“Without proper training or awareness, which is not easy to find, unless they work for an organization that provides them, many people are not looking for those skills,” he told TechNewsWorld.
John Gilmore, research director of Abine, a privacy solutions company in Boston, noted that the ITRC/DIG findings are consistent with similar studies published this year.
“About 85 percent of consumers will say they are extremely concerned about privacy online and there are always 15 to 20 percent who just don’t care,” he told TechNewsWorld.
He added that surveys also find a steady decline as consumers move from awareness of privacy to action. So 85 percent will say they are concerned about privacy, but only 79 percent will say they are willing to act to protect their privacy and about 50 percent will actually act on their privacy concerns.
When it comes to consumers who are proactive in protecting their privacy, he continued, the needle drops even further: about 30 percent.
“People are very skeptical about these things,” he said. “They will spend time modifying the privacy settings, but at the same time they will say that they do not think it makes much difference.”
“It is part of a growing cynicism in the public about the sincerity of institutions to do what they say they are going to do,” he added.
Avoid credit freezes
The ITRC/DIG survey also revealed that after being notified of a breach, only three percent of respondents said they placed a credit freeze to block the creation of new accounts that require credit checks, such as new loans, credit cards and other major purchases.
Velásquez acknowledged that it is not necessary to freeze accounts for every data breach.
“If you are part of a breach where usernames and passwords are the data being breached, your first step shouldn’t be to freeze your credit,” she said. “That wouldn’t make any sense. Your first step would be to change your usernames and passwords.”
“On the other hand,” she continued, “if the social security numbers and all the data necessary to open a new financial account in your name have been violated, then freezing accounts should be higher on your to-do list.”
Pugh noted that consumers may avoid freezing credit because they see it as unnecessary and inconvenient.
“They may be thinking that there were thousands of people involved in the breach and that they would rather bet on the odds that the information is not being used to harm them personally,” he said.
“Freezing accounts can be more troublesome than it’s worth because you have to go back and unfreeze accounts at some point and there is gibberish involved with that,” Gilmore added.
“Most people are willing to roll the dice,” he continued. “It’s not worth the time.”
When it comes to passwords, ITRC/DIG researchers found that only 15 percent of respondents claim to use unique passwords for each of their accounts.
The remaining 85 percent admitted to reusing passwords across multiple accounts, although some said they use variations of the same password across different accounts, a practice that is still risky.
Additionally, only eight percent of those surveyed said they keep their passwords closely as a way to prevent identity theft and fraud.
“Using the same password is convenient and easier than having to remember different passwords,” McQuiggan noted.
“Users are told to create strong passwords and always check links, but this is a foreign habit for them,” he explained. “They also believe that they probably won’t be hacked because they don’t have anything cybercriminals want to steal.”
“Complex passwords are hard to remember, and resetting a forgotten password is a hassle that busy people seek to avoid,” added Pugh.
However, the days of compromised passwords may be numbered.
“In general, the password, as a concept, is disappearing,” Gilmore said. “It’s been around too long, and right now, a lot of people are looking for ways to replace it.”