• According to a new study, 74 percent of the participants were not aware of the breaches where there was documented evidence their information was compromised. 
  • While the study also found that most victims blamed themselves, researchers say the fault for data breaches almost always lies with poor cybersecurity practices by the company that lost control of the information, not with the victims of the breach. 
  • However, the reuse of passwords is also to blame. Participants admitted to using the same or similar passwords on multiple accounts. 
  • While researchers say notice of data breach letters are a great idea in theory, they believe the letters are generally not helpful in practice because poor communication by companies can make them hard to understand. 
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website

No Darkness but Ignorance 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 25, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week, we will talk about some new research that tackles an issue we’ve been pondering at the ITRC for a while now: What do people do when they receive a notice of data breach letter? 

In Twelfth Night, Shakespeare wrote what was almost certainly a throw-away line: “There is no darkness but ignorance.” The line, referring to a character who was tricked into believing he only thought his jail cell was dark, was actually a reflection of Shakespeare’s belief that education and knowledge solves most ills. 

So, it is true today when it comes to the impacts of data breaches and the actions people take when they learn their identities have been compromised. That is to say, most people don’t know how many times they have been breached. When they learn their information is in the wild, they don’t do much about it. 

Many Consumers Are Unaware When Their Information is Involved in a Breach 

Researchers from the University of Michigan School of Information, along with colleagues at Georgetown University and Germany’s Karlsrhue Institute of Technology, published a study this week that found participants were not aware of 74 percent of the breaches where there was documented evidence their information was compromised. 

The researchers also found that most of the 413 study participants blamed themselves for becoming a victim of a data breach. Only 14 percent said the responsibility for the compromise was with other actors. Victims cited their own use of the same password for multiple accounts, keeping the same email for a long time and signing up for “sketchy” accounts as some of the personal behaviors they believe contributed to their information being breached. 

Researchers Say Victims Are Not Usually at Fault  

However, the researchers point out that the fault for data breaches almost always lies with poor cybersecurity practices by the company that lost control of the information, not with the victims of the breach.  

This study supports the conclusions of a smaller report from the Carnagie Melon University’s CyLab from May 2020. That study of data breach victims focused on what happened when consumers received a notice of data breach letter. The short answer is “not much.” 

Reuse of Passwords is Also to Blame  

In the Carnagie Melon study, two-thirds of the participants who received data breach notices of compromised email accounts did not change their passwords. Only 13 percent of the breach victims who did change their passwords did so within the first three months following the breach announcement. What is most concerning is the updated passwords were often weaker than the previous passwords that were compromised. 

As in the University of Michigan study, participants admitted to using the same or similar passwords on multiple accounts. The Carnagie Melon cohort had an average of 30 other passwords that were like the breached password. On average, those who changed a breached password changed less than three of the 30 similar passwords. 

Notice of Data Breach Letters May Not Be Very Helpful  

One other common element of the two studies: both sets of researchers believe that notice of data breach letters are a great idea in theory, but are generally not helpful in practice. They believe poor communication practices by companies render the notices difficult to understand and don’t offer any practical advice. 

Contact the ITRC 

That’s not a problem at the ITRC. If you have questions about how to keep your personal information private and secure, visit where you’ll find helpful tips. You can also sign-up to receive our regular email updates on identity scams and compromises. Look out for our analysis of data breaches in the first half of 2021 that will be released on July 7.  

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit to get started.  

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • Two new research papers from OpSec Security and Consumer Reports shows how consumer privacy and cybersecurity views are evolving across the U.S. 
  • Findings in the OpSec Security report show that cyberattacks and data breaches are pervasive, and consumers are concerned and desensitized by the volume of information compromises. 
  • The Consumer Reports report concludes that consumers believe companies are primarily responsible for protecting the personal information businesses collect, store and use. 
  • For more information on the latest data breaches, visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notifiedTM. It is updated daily and free to consumers.  
  • For cybersecurity, privacy or data breach advice, contact the ITRC toll-free at 888.400.5530 or by live-chat on the company website. 

Privacy and cybersecurity impact consumers. Two new research papers show how consumer privacy and cybersecurity views are evolving across the U.S. The reports validate a central concern among consumers that there is not enough done to protect their most precious possession; their name. 

Subscribe to the Weekly Breach Breakdown Podcast 

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we will look at two new research reports. The first focuses on recent changes in consumer attitudes. The second takes a longer-term look at how consumer privacy and cybersecurity views are different now compared to 25 years ago when the modern commercial internet was born.

The Importance of Reputation 

Reputations are important to individuals, companies and organizations. That’s why OpSec Security, a global cybersecurity firm, recently surveyed 2,600 consumers throughout the U.S. and four European countries. Researchers asked consumers whether they have been affected by cybercrime, their perceptions of brands, and if their role – or the role they should play – in keeping consumers safe has changed over time. 

The findings show that cyberattacks and data breaches are pervasive and consumers are both concerned and desensitized by the volume of information compromises. Some of the key findings in the last year include the following: 

  • 40 percent of respondents were a victim of an email or phishing scam
  • 51 percent of respondents say they receive more phishing attempts now than before the COVID-19 pandemic. 
  • 35 percent of respondents experienced credit or debit card fraud. 
  • 21 percent of respondents were a victim of identity theft at some point.  

Meanwhile, 30 percent of respondents were impacted by a data compromise, which did not surprise nearly one-third of the people who received a data breach notice. Of those who had their data compromised, 46 percent were contacted more than five times. Almost half of those who haven’t received a data breach notice, 48 percent, are worried they will soon.  

Those 30 percent of consumers in the OpSec survey who say they had their data compromised in a data breach equal the same percentage of people who responded to a similar question from Consumer Reports.  

Consumers Think Businesses are Responsible for Protecting Personal Information 

Both surveys came to a similar conclusion: consumers believe companies are primarily responsible for protecting the personal information businesses collect, store and use. Consumer Reports surveyed more than 5,000 U.S. residents about privacy and security. They also reviewed past research to show how consumer attitudes changed over time. 

  • In 1995, 44 percent of consumers were worried “a lot” or “some” about losing privacy due to the internet. 
  • By 2002, 76 percent of survey respondents were uncomfortable about companies collecting data about them. However, 94 percent thought they had a legal right to see what data the company collected about them from a website. 
  • Fast forward to 2019; 65 percent of consumers said they do not believe their personal information is kept private. 

In the Consumer Reports research published in October, 96 percent of consumers surveyed agreed that more could be done to ensure companies protect consumer information. Other findings include the following: 

  • 68 percent of consumers surveyed believe companies should be required to delete the data they have about someone upon the consumer’s request. 
  • 67 percent of respondents think there should be tougher penalties, like high fines, for companies that don’t protect someone’s privacy. 
  • 63 percent say companies should be required to give consumers access to the data companies have about them. 
  • 63 percent also believe there should be a national law that says companies must get a person’s permission before sharing their information. 

There are now laws, passed in multiple states, that include one or more of the items from the consumers’ privacy wish list above, but a national privacy law remains elusive. 

Built-In Privacy Features 

One finding that did not emerge from either survey on consumer privacy and cybersecurity views was a consensus around what consumers want to happen next to protect their information. Consumer Reports notes that companies are beginning to build products with built-in privacy features. More than 40 percent of consumers say they may be willing to pay companies to stop collecting, sharing and selling their personal information. Right now, that practice is prohibited in California, the state with the toughest privacy law in the U.S.  


For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.   

Contact the ITRC 

If you receive a breach notice and would like to know how to protect yourself, contact the ITRC at no-cost by calling 888.400.5530 to speak with an expert advisor. You can also live-chat with an advisor on the company website. Also, download the free ID Theft Help App to access advisors, data breach resources, a case log and much more.  

Join us on our weekly data breach podcastto get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.   

Read more of our latest information & educational resources below

Unsubscribe Email Scam Looks to Trick Consumers

Social Media Scams are on the Rise as More People Use the Platforms to Connect

Phishing Attack Report Reveals Microsoft is the Top Spoofed Brand and Other Data Breach News