[BreachExchange] ISU professor warns of the threat of data breach fatigue

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 30 20:18:28 EST 2018


Despite recent major data breaches or hacks from companies such as Equifax
or Gmail, Iowa State University Associate Professor of Information Systems
Rui Chen said people still do not seem to be overly concerned with their
online security, a trend he believes is growing and could place consumers
at further risk of hackers.

The trend is known as “data breach fatigue,” and Chen and his colleagues at
the University of Texas at San Antonio are working to better understand the
behavior. According to Chen, data breach fatigue results in many consumers
not changing their passwords or signing up for identity theft protection,
despite the increased risk.

“We need more attention from all different parties, consumers, industry,
government, law enforcement,” Chen said. “We need a lot of joint efforts
from different stakeholders to combat this data breach fatigue.”

According to ISU, Chen and his colleagues received funding from the
National Science Foundation to study public response to the 2015 data
breach at the U.S. Office of Personnel Management (OPM), which affected
21.5 million people. Chen and his team examined more than 18,000 tweets
posted on Twitter over a two-month period that included the hashtag
“#OPMHack.” According to ISU, the two-month period started with public
notification about the breach and included five significant events, such as
the OPM director’s resignation.

The results from the study showed a drop-off rate of about 35 percent after
the news first broke; near the end of the two-month period it was around
84 percent, meaning that consumers were no longer engaged on social
media and commenting on the breach.

With so much personal information stored online, Chen said breaches have
become the norm for consumers, and this breach fatigue has created
constantly growing opportunities for cyber criminals.

“When an incident happens, when a data breach incident goes to the media,
people read that news and they start to lose interest,” Chen said. “They
take it as a new normal in today’s society.”

According to Ames Police Cmdr. Geoff Huff, data breaches resulting in
stolen credit card numbers or identity are difficult to investigate.

“It actually is kind of hard to narrow it down because it happens all the
time and so many different ways,” Huff said. “There are just so many ways
that people are getting our personal information, that it’s really hard to
narrow it down to do this or do that and you’ll never be the victim because
I don’t think we can probably say that.”

Both Chen and Huff said that responsibility comes down to the individual.
With hackers constantly finding new ways of obtaining personal information,
Huff suggested consumers make sure everything looks in order, and take
extra caution when a site or email seems untrustworthy.

“Every day you hear about data breaches, and our information is in so many
places in the online world that it really does get to the point where you
figure, ‘I’m probably just going to be the victim sooner or later so what
am I going to do?’” Huff said. “But at the end of the day, I think it’s
just about being vigilant about your own information and trying to check on
those things occasionally.”

Chen said breaches do not only come in the form of stolen credit card
numbers, as hackers have hit medical facilities, government agencies and
email providers to obtain other personal information.

“Anymore, people target biodata,” Chen said. “We know that everything is
circulated around the black market, and that’s not just credit cards but
like fingerprints, for government agencies their personal records,
background check records. Everything is there and everything has a

According to Chen, the breach fatigue also gives legislators less incentive
to put laws in place to help combat data breaches and hackers, as it becomes
a less urgent matter. Chen said that cyber laws are already one step
behind, as technology is constantly advancing, making regulation difficult.

“Given the history of so many other big profile breaches in the past, and
also the widespread fatigue, the chance of quick action may be low,” Chen
said. “It may be a sad consequence out of the breach fatigue.”

Chen said that he and his colleagues believe that data breach fatigue can
be combated. He said the responsibility rests with the consumers, who should
be constantly checking their bank and credit card statements for fraudulent
charges, stop posting personal information on social media, stop responding
to “phishing” emails, and take the opportunity to use or renew ID
protection services.

“If a company provides a victim 12 or 18 months of ID protection services
for free, guess what, some people will say that 12 or 18 months is a long
time, so they’re protected,” Chen said. “Well that’s not really too much
time. Social Security numbers will not change after 18 months, so that’s
really not enough time to protect you.”

Chen said that while there is no guarantee against being hacked, any
proactive measure is better than not taking any action at all.

“People can do a lot of things just to help,” he said. “It may not prevent
subsequent ID theft, but it really helps to reduce the chance that bad
things will happen.”