The report, based on a survey of 1,050 U.S. adult consumers, found that 16 percent of the participants in the research took no action after receiving notice of a data breach affecting their accounts. Information from breached accounts can be used for identity fraud or to make employers vulnerable to cyberattacks, including ransomware and business email compromise (BEC) scams.
What’s more, less than half the participants (48 percent) changed the passwords on the accounts affected by the breach, and only 22 percent changed all their passwords after they were notified of an attack.
“When we asked the 16 percent why they didn’t act when they received a data breach notice, 26 percent said their data is already out there, and they can’t do anything about it,” said Eva Velasquez, president and CEO of the ITRC, a San Diego-based non-profit organization founded to provide identity theft victim assistance and consumer education.
“But there are actions they can take, depending on what data was compromised, that will help them minimize their risk,” she told bluehillco. “We’re not doing a good job of explaining that.”
Ignorance and Apathy
Velasquez added that 17 percent of the consumers who did not act when they received a breach notice didn’t know what to do when they received it and 14 percent thought the correspondence was a scam.
“When we look at those reasons, it lets us know that how we notify people, how we present that information, is completely ineffective, and we need to reevaluate how we’re informing people that their data has been compromised in a breach,” she said.
Another 29 percent of those not acting on a breach notice believed that it was up to the organization breached to address the issue. “That’s not true,” Velasquez observed, “so there has to be more communication about where that responsibility begins and ends.”
“Receiving notification that your personal data has been stolen is chilling, but apparently not chilling enough to do anything significant about it,” quipped Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif.
“Part of this issue,” she told bluehillco, “is that users default to thinking that nothing bad will happen to their accounts.”
“Some users may not fully understand what a data breach notification truly means and what the implications are,” he told bluehillco, “while others understand the scope but have become apathetic to the topic.”
The number of consumers ignoring data breach notices shouldn’t be surprising because of the lack of training available to them on the subject, maintained James McQuiggan, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“If they suffer a breach, most users will believe they are powerless and may not know who to contact,” he told bluehillco.
“Without any proper training or awareness — which is not easy to find, unless they work for an organization that provides it — many people do not search out those skills,” he told bluehillco.
John Gilmore, director of research at Abine, a privacy solutions company inBoston, noted that the ITRC/DIG findings are consistent with similar studies released this year.
“About 85 percent of consumers will say they’re extremely concerned about online privacy and there’s always 15 to 20 percent who just don’t care,” he told bluehillco.
He added that the surveys also find that there’s a steady decline in privacy as consumers move from awareness to action. So 85 percent will say they’re concerned about privacy, but only 79 percent will say they’re willing to act to protect their privacy and around 50 percent will actually act on their privacy concerns.
When it comes to consumers who are proactive in protecting their privacy, he continued, the needle dips even further: around 30 percent.
“People are very skeptical about these things,” he said. “They’ll spend time modifying privacy settings, but at the same time they’ll say they don’t think it makes much of a difference.”
“It’s part of a growing cynicism in the public about the sincerity of institutions to do what they say they’re going to do,” he added.
Avoiding Credit Freezes
The ITRC/DIG survey also revealed that after being notified of a breach, only three percent of respondents said they put a credit freeze in place to block the creation of new accounts that require credit checks such as new loans, credit cards and other major purchases.
Velasquez acknowledged that accounts don’t have to be frozen for every data breach.
“If you’re part of a breach where usernames and passwords are the data that is breached, your first step shouldn’t be to freeze your credit,” she said. “That wouldn’t make any sense. Your first step would be to change your user names and passwords.”
“On the other hand,” she continued, “if social security numbers and all the data required to open a new financial account in your name have been breached, then freezing accounts should be higher up on your to-do list.”
Pugh noted that consumers may shy away from freezing credit because they see it as unnecessary and inconvenient.
“They may be thinking that there were thousands of people involved in the breach, and that they’d rather bet on the odds that the information won’t be leveraged to harm them personally,” he said.
“Freezing accounts can be more trouble than it’s worth because you have to go back and unfreeze the accounts at some point and there’s a whole rigmarole involved with that,” Gilmore added.
“Most people are willing to roll the dice,” he continued. “It’s not worth the time.”
On the password front, the ITRC/DIG researchers found that only 15 percent of respondents claim to use unique passwords for each of their accounts.
The remaining 85 percent admitted to reusing passwords on multiple accounts, although some claimed a still risky practice of using variations of the same password on different accounts.
In addition, only eight percent of respondents said they closely guard their passwords as a way of preventing identity theft and fraud.
“It is convenient and easier to use the same password than having to remember different passwords,” noted McQuiggan.
“Users are told to create strong passwords and always check links, but this is a habit foreign to them,” he explained. “They also believe they probably will not get hacked because they do not have anything the cybercriminals would want to steal.”
“Complex passwords are hard to remember, and resetting a forgotten password is a pain that busy people are looking to avoid,” added Pugh.
The days of compromised passwords, though, may be numbered.
“In general, the password, as a concept, is on the way out,” Gilmore said. “It’s been around too long and right now, lots of people are looking around for ways to replace it.”