Expert Warns of the Risks Posed by Data Breach Fatigue

With news of data breaches regularly dominating national headlines, the evidence seems to suggest that people are becoming less concerned about the threats their data faces online, one professor says.

by Grayson Schmidt, Ames Tribune / January 31, 2018

(TNS) — Despite recent major data breaches or hacks involving companies such as Equifax or Gmail, Iowa State University Associate Professor of Information Systems Rui Chen said people still do not seem to be overly concerned with their online security, a trend he believes is growing and could place consumers at further risk from hackers.

The trend is known as "data breach fatigue," and Chen and his colleagues at the University of Texas at San Antonio are working to better understand the behavior. According to Chen, data breach fatigue results in many consumers not changing their passwords or signing up for identity theft protection, despite the increased risk.

"We need more attention from all different parties, consumers, industry, government, law enforcement," Chen said. "We need a lot of joint efforts from different stakeholders to combat this data breach fatigue."

According to ISU, Chen and his colleagues received funding from the National Science Foundation to study public response to the 2015 data breach at the U.S. Office of Personnel Management (OPM), which affected 21.5 million people. Chen and his team examined more than 18,000 tweets posted on Twitter over a two-month period that included the hashtag "#OPMHack." According to ISU, the two-month period started with public notification about the breach and included five significant events, such as the OPM director's resignation.

The study's results showed a drop-off rate of about 35 percent after the news first broke. Near the end of the two-month period the rate was around 84 percent, meaning that consumers were no longer engaged on social media and commenting on the breach.

With so much personal information stored online, Chen said breaches have become the norm for consumers, and this breach fatigue has created constantly growing opportunities for cyber criminals.

"When an incident happens, when a data breach incident goes to the media, people read that news and they start to lose interest," Chen said. "They take it as a new normal in today's society."

According to Ames Police Cmdr. Geoff Huff, data breaches resulting in stolen credit card numbers or identity are difficult to investigate.

"It actually is kind of hard to narrow it down because it happens all the time and so many different ways," Huff said. "There are just so many ways that people are getting our personal information, that it's really hard to narrow it down to do this or do that and you'll never be the victim because I don't think we can probably say that."

Both Chen and Huff said that responsibility comes down to the individual. With hackers constantly finding new ways of obtaining personal information, Huff suggested consumers make sure everything looks in order, and take extra caution when a site or email seems untrustworthy.

"Every day you hear about data breaches, and our information is in so many places in the online world that it really does get to the point where you figure, 'I'm probably just going to be the victim sooner or later so what am I going to do?'" Huff said. "But at the end of the day, I think it's just about being vigilant about your own information and trying to check on those things occasionally."

Chen said breaches do not only come in the form of stolen credit card numbers, as hackers have hit medical facilities, government agencies and email providers to obtain other personal information.

"Anymore, people target biodata," Chen said. "We know that everything is circulated around the black market, and that's not just credit cards but like fingerprints, for government agencies their personal records, background check records. Everything is there and everything has a price tag."

According to Chen, breach fatigue also gives legislators less incentive to put laws in place to help combat data breaches and hackers, as it becomes a less urgent matter. Chen said that cyber laws are already one step behind, as technology is constantly advancing, making regulation difficult.

"Given the history of so many other big profile breaches in the past, and also the widespread fatigue, the chance of quick action may be low," Chen said. "It may be a sad consequence out of the breach fatigue."

Chen said that he and his colleagues believe that data breach fatigue can be combated. He said the responsibility rests with consumers, who should constantly check their bank and credit card statements for fraudulent charges, stop posting personal information on social media, stop responding to "phishing" emails, and take the opportunity to use or renew ID protection services.

"If a company provides a victim 12 or 18 months of ID protection services for free, guess what, some people will say that 12 or 18 months is a long time, so they're protected," Chen said. "Well that's not really too much time. Social Security numbers will not change after 18 months, so that's really not enough time to protect you."

Chen said that while there is no guarantee against being hacked, any proactive measure is better than not taking any action at all.

"People can do a lot of things just to help," he said. "It may not prevent subsequent ID theft, but it really helps to reduce the chance that bad things will happen."

©2018 the Ames Tribune, Iowa. Distributed by Tribune Content Agency, LLC.