Evidence suggests that high-profile breaches do not typically change consumers’ behavior. Experts call this behavior “breach fatigue.”
Last year was a banner year for the exposure of personal information, and so far this year there has been a steady drumbeat of data breaches, so many that experts worry that people are just throwing up their hands in defeat.
Timehop, an app that collects old photos and posts from social media, disclosed a breach in July that affected 21 million of its users. Names, dates of birth, phone numbers and email addresses were among the identifying details that were leaked.
Under Armour revealed a data breach in March of 150 million accounts on its food and nutrition app MyFitnessPal. The genealogy site MyHeritage announced one in June affecting 92 million users, and 340 million individual records held by the marketing firm Exactis were exposed that month on a publicly accessible server.
In one of the most jaw-dropping cases, Yahoo last year updated figures to reveal that an attack in 2013 had affected all 3 billion of its user accounts, up from a previous estimate of 1 billion.
Experts caution that the stream of news about such breaches can set a new normal and instill a sense of fatalism — and complacency — in consumers.
Anthony Vance, an associate professor and director of the Center for Cybersecurity at the Fox School of Business at Temple University, said last year’s breach of information held by the credit reporting company Equifax, which affected 145 million Americans, was “a game-changer.”
The information gleaned could be used to fraudulently open new credit accounts, he said, adding, “That should give even the most jaded American consumer pause and prompt them to do something.”
But evidence suggests that high-profile breaches do not typically change consumers’ behavior.
A Pew Research Center study found most Americans keep track of their passwords by memorizing or writing them down, with only 12 percent using a password manager, which can generate hard-to-crack passwords.
A RAND report in 2016 said only 4 percent of people started using password managers after being notified that their data was exposed in a breach, Vance said.
And an experiment conducted by Vance and other researchers found a disconnect between consumers’ professed concerns about online security and their actions. In the experiment, people using their personal computers to complete an assigned task tended to ignore warnings that some sites they were about to visit were not secure.
He said consumers may hear the same advice repeatedly but are slow to respond unless they have already had a bad experience. Only then does this “once bitten, twice shy” lesson sink in.
“You’re not going to back up data, no matter what I tell you, until you lose the baby pictures of your first child,” Vance said. “Sometimes it takes an incident to internalize behavior. It’s so easy to get inured.”
Experts call this behavior “breach fatigue.”
Steven Andrés, who teaches at the Fowler College of Business and homeland security program at San Diego State University, said it would be reasonable to think consumers would be more diligent after heavily publicized breaches, but some research indicates just the opposite.
“We may adjust to this being the ‘new normal,’” he said, adding that “digital natives and younger generations may perceive their personal data — in a distorted sense — to never have been private, so what’s the big deal with it leaking out on the web anyway?”
A “recency bias” leads consumers to believe that as a breach recedes in the headlines, it becomes less threatening, Vance said. However, the data in the Equifax breach does not have a half-life and could be used for nefarious purposes at any point.
Blame human nature.
Anticipated danger can easily be “deflected, deferred or declined” because it makes us feel anxious and stressed, said James Norrie, dean of the Graham School of Business at York College of Pennsylvania and a cybersecurity expert.
People also tend to have unrealistically optimistic outlooks about future events and believe that bad things will happen to someone else, experts said.
“There’s not going to be a magic bullet,” said Vinny Troia, chief executive and principal security consultant of Night Lion Security and an expert in network security. “It’s the same things we’ve been saying over and over again.”
Consumers will be best served if they heed this familiar advice: Do not reuse passwords, rely on two-factor verification, install software only from trusted sources, question any alert that pops up on your screen and get a password manager.
“We are not living in a bubble per se, but instead we are underestimating the security of our data,” said Gilbert E. Franco, an assistant professor of psychology at Beacon College in Leesburg, Florida. “Much like a teenager underestimates the risks they take, we as a society are still in our adolescent years when it comes to the internet.”