ITRC weekly breach breakdown for June 29, 2021
  • According to a new study, 74 percent of the participants were not aware of the breaches where there was documented evidence their information was compromised. 
  • While the study also found that most victims blamed themselves, researchers say the fault for data breaches almost always lies with poor cybersecurity practices by the company that lost control of the information, not with the victims of the breach. 
  • However, the reuse of passwords is also to blame. Participants admitted to using the same or similar passwords on multiple accounts. 
  • While researchers say notice of data breach letters are a great idea in theory, they believe the letters are generally not helpful in practice because poor communication by companies can make them hard to understand. 
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org

No Darkness but Ignorance 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 25, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week, we will talk about some new research that tackles an issue we’ve been pondering at the ITRC for a while now: What do people do when they receive a notice of data breach letter? 

In Twelfth Night, Shakespeare wrote what was almost certainly a throw-away line: “There is no darkness but ignorance.” The line, referring to a character who was tricked into believing he only thought his jail cell was dark, was actually a reflection of Shakespeare’s belief that education and knowledge solves most ills. 

So, it is true today when it comes to the impacts of data breaches and the actions people take when they learn their identities have been compromised. That is to say, most people don’t know how many times they have been breached. When they learn their information is in the wild, they don’t do much about it. 

Many Consumers Are Unaware When Their Information is Involved in a Breach 

Researchers from the University of Michigan School of Information, along with colleagues at Georgetown University and Germany’s Karlsrhue Institute of Technology, published a study this week that found participants were not aware of 74 percent of the breaches where there was documented evidence their information was compromised. 

The researchers also found that most of the 413 study participants blamed themselves for becoming a victim of a data breach. Only 14 percent said the responsibility for the compromise was with other actors. Victims cited their own use of the same password for multiple accounts, keeping the same email for a long time and signing up for “sketchy” accounts as some of the personal behaviors they believe contributed to their information being breached. 

Researchers Say Victims Are Not Usually at Fault  

However, the researchers point out that the fault for data breaches almost always lies with poor cybersecurity practices by the company that lost control of the information, not with the victims of the breach.  

This study supports the conclusions of a smaller report from the Carnagie Melon University’s CyLab from May 2020. That study of data breach victims focused on what happened when consumers received a notice of data breach letter. The short answer is “not much.” 

Reuse of Passwords is Also to Blame  

In the Carnagie Melon study, two-thirds of the participants who received data breach notices of compromised email accounts did not change their passwords. Only 13 percent of the breach victims who did change their passwords did so within the first three months following the breach announcement. What is most concerning is the updated passwords were often weaker than the previous passwords that were compromised. 

As in the University of Michigan study, participants admitted to using the same or similar passwords on multiple accounts. The Carnagie Melon cohort had an average of 30 other passwords that were like the breached password. On average, those who changed a breached password changed less than three of the 30 similar passwords. 

Notice of Data Breach Letters May Not Be Very Helpful  

One other common element of the two studies: both sets of researchers believe that notice of data breach letters are a great idea in theory, but are generally not helpful in practice. They believe poor communication practices by companies render the notices difficult to understand and don’t offer any practical advice. 

Contact the ITRC 

That’s not a problem at the ITRC. If you have questions about how to keep your personal information private and secure, visit www.idtheftcenter.org where you’ll find helpful tips. You can also sign-up to receive our regular email updates on identity scams and compromises. Look out for our analysis of data breaches in the first half of 2021 that will be released on July 7.  

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.  

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.