Few consumers take strong action to protect their privacy and identities after receiving a data breach notice, according to a report by the Identity Theft Resource Center and research firm, reports Tech News World.
About the survey
The report, based on a survey of 1,050 U.S. adult consumers, found that 16 percent of the participants in the research took no action after receiving notice of a data breach affecting their accounts.
Less than half the participants (48 percent) changed the passwords on the accounts affected by the breach, and only 22 percent changed all their passwords after they were notified of an attack.
Velasquez added that 17 percent of the consumers who did not act when they received a breach notice didn’t know what to do when they received it and 14 percent thought the correspondence was a scam.
Another 29 percent of those not acting on a breach notice believed that it was up to the organization breached to address the issue.
Data breach
“But there are actions they can take, depending on what data was compromised, that will help them minimize their risk,” she told TechNewsWorld. “We’re not doing a good job of explaining that.”
Information from breached accounts can be used for identity fraud or to make employers vulnerable to cyberattacks, including ransomware and business email compromise (BEC) scams.
Ignorance and Apathy
“When we look at those reasons, it lets us know that how we notify people, how we present that information, is completely ineffective, and we need to reevaluate how we’re informing people that their data has been compromised in a breach,” she said.
“Receiving notification that your personal data has been stolen is chilling, but apparently not chilling enough to do anything significant about it,” quipped Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif.
Ray Pugh, security operations manager for Expel, a SOC as a service provider inHerndon, Va. agreed that ignorance and apathy may play a role in ignoring data breach notices.
“Some users may not fully understand what a data breach notification truly means and what the implications are,” he told TechNewsWorld, “while others understand the scope but have become apathetic to the topic.”
Growing Cynicism
The number of consumers ignoring data breach notices shouldn’t be surprising because of the lack of training available to them on the subject, maintained James McQuiggan, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“Without any proper training or awareness — which is not easy to find, unless they work for an organization that provides it — many people do not search out those skills,” he told TechNewsWorld.
John Gilmore, director of research at Abine, a privacy solutions company inBoston, noted that the ITRC/DIG findings are consistent with similar studies released this year.
He added that the surveys also find that there’s a steady decline in privacy as consumers move from awareness to action.
“People are very skeptical about these things,” he said. “They’ll spend time modifying privacy settings, but at the same time they’ll say they don’t think it makes much of a difference.”
“It’s part of a growing cynicism in the public about the sincerity of institutions to do what they say they’re going to do,” he added.
Avoiding Credit Freezes
The ITRC/DIG survey also revealed that after being notified of a breach, only three percent of respondents said they put a credit freeze in place to block the creation of new accounts that require credit checks such as new loans, credit cards and other major purchases.
Velasquez acknowledged that accounts don’t have to be frozen for every data breach.
“If you’re part of a breach where usernames and passwords are the data that is breached, your first step shouldn’t be to freeze your credit,” she said. “That wouldn’t make any sense. Your first step would be to change your user names and passwords.”
“On the other hand,” she continued, “if social security numbers and all the data required to open a new financial account in your name have been breached, then freezing accounts should be higher up on your to-do list.”
Pugh noted that consumers may shy away from freezing credit because they see it as unnecessary and inconvenient.
“Freezing accounts can be more trouble than it’s worth because you have to go back and unfreeze the accounts at some point and there’s a whole rigmarole involved with that,” Gilmore added.
“Most people are willing to roll the dice,” he continued. “It’s not worth the time.”
Reusing Passwords
On the password front, the ITRC/DIG researchers found that only 15 percent of respondents claim to use unique passwords for each of their accounts.
The remaining 85 percent admitted to reusing passwords on multiple accounts, although some claimed a still risky practice of using variations of the same password on different accounts.
In addition, only eight percent of respondents said they closely guard their passwords as a way of preventing identity theft and fraud.
“Complex passwords are hard to remember, and resetting a forgotten password is a pain that busy people are looking to avoid,” added Pugh.
The days of compromised passwords, though, may be numbered.
“In general, the password, as a concept, is on the way out,” Gilmore said. “It’s been around too long and right now, lots of people are looking around for ways to replace it.”
Did you subscribe to our daily Newsletter?
It’s Free! Click here to Subscribe
Source: Tech News World
