This week we’re going to look into some new research that tackles an issue we’ve been pondering at the ITRC for a while now: What do people do when they receive a data breach notice? Most people don’t know how many times they have been breached and even when they learn their information is in the wild, they don’t do much about it. The Weekly Breach Breakdown is possible thanks to the support of Experian.

Show Notes

Learn more about ITRC's new data breach tool, Notified: notified.idtheftcenter.org/s/

Follow on LinkedIn: www.linkedin.com/company/idtheftcenter/
Follow on Twitter: twitter.com/IDTheftCenter

Show Transcript

Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for June 25th, 2021. I’m James Lee and our podcast today is possible thanks to support from Experian.

Each week we look at the most recent events and trends related to data security and privacy. This week we’re going to look into some new research that tackles an issue we’ve been pondering at the ITRC for a while now: What do people do when they receive a data breach notice? 

In Twelfth Night, Shakespeare wrote what was almost certainly a throw-away line: “There is no darkness but ignorance.” The line, referring to a character who was tricked into believing he only thought his jail cell was dark, was actually a reflection of Shakespeare’s belief that education & knowledge solves most ills.

So, it is true today when it comes to the impacts of data breaches and the actions people take when they learn their identities have been compromised. That is to say…most people don’t know how many times they have been breached…and even when they learn their information is in the wild, they don’t do much about it.

Researchers from the University of Michigan School of Information, along with colleagues at Georgetown University and Germany’s Karlsruhe Institute of Technology, published a study this week that found participants were not aware of 74% of the breaches where there was documented evidence their information was compromised.

The researchers also found that most of the 413 study participants blamed themselves for becoming a victim of a data breach with only 14% saying the responsibility for the compromise was with other actors. Victims cited their own use of the same password for multiple accounts…keeping the same email for a long time… and signing up for “sketchy” accounts…as some of the personal behaviors they believe contributed to their information being breached.

But, the researchers point out that the fault for data breaches almost always lies with poor cybersecurity practices by the company that lost control of the information, not with the victims of the breach.

This study supports the conclusions of a smaller report from the Carnegie Mellon University’s CyLab from May 2020. That study of data breach victims focused on what happened when consumers received notices of a data breach.

The short answer is “not much.” 

In the Carnegie Mellon study, 2/3rds of the participants who received specific data breach notices of compromised email accounts did not change their passwords. Only 13% of the breach victims who did change their passwords, did so within the first three months following the breach announcement. Most concerning… the updated passwords were often weaker than the previous passwords that were compromised.

As in the University of Michigan study, participants admitted to using the same or similar passwords on multiple accounts. The Carnegie Mellon cohort had an average of 30 other passwords that were like the breached password. On average, those who changed a breached password changed less than three of the 30 similar passwords.

One other common element of the two studies: both sets of researchers believe that breach notices are a great idea in theory, but are generally not helpful in practice. They believe poor communication practices by companies render the notices difficult to understand and don’t offer any practical advice.

That’s not a problem at the ITRC. If you have questions about how to keep your personal information private and secure, visit idtheftcenter dot org where you’ll find helpful tips. You can also sign up to receive our regular email updates on identity scams and compromises…and…look for our analysis of data breaches in the first half of 2021 that will be released on July 7th.

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours…just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast – the Fraudian Slip – and we’ll be back next week with another episode of the Weekly Breach Breakdown.