People aren’t aware of 74% of breaches, a new study reveals

by | July 11, 2021 | Cybersecurity News, Cybersecurity

Nowadays, being able to recognize cyberattacks might just save you or your company.

After massive data breaches, such as the recent one that affected LinkedIn, or the one that compromised Equifax four years ago, exposing millions of private records, one would think people have learned their lesson.

However, most people aren’t aware of these attacks and don’t know how to react to them, according to a new study.

The University of Michigan School of Information conducted a study on the awareness regarding data breaches

The researchers found 74% of the data breaches went unnoticed. Most participants had no clue that their personal information had been compromised in an average of five data breaches each.

The study showed its 431 participants facts from up to three breaches involving their own personal information. It concluded that they weren’t aware of an alarming 74% of the breaches.

“This is concerning. If people don’t know that their information was exposed in a breach, they cannot protect themselves properly against a breach’s implications, e.g., an increased risk of identity theft.”

Yixin Zou, doctoral candidate at the University of Michigan School of Information

As stated in a conference paper, the study also revealed that the majority of those breached blamed themselves for the incidents, pointing to personal behaviours, such as re-using passwords for multiple accounts, keeping the same email address for a long time or signing up on suspicious sites. Only 14% of participants attributed the events to external factors.

“While there’s some responsibility on consumers to be careful about who they share their personal information with, the fault for breaches almost always lies with insufficient security practices by the affected company, not by the victims of the breach.” 

Adam Aviv, associate professor of computer science at George Washington University

The study used the Have I Been Pwned database, a comprehensive list of nearly 500 online breaches and 100 million records compromised over the last decade. The number of these attacks may be even higher, according to the Identity Theft Resource Center, reporting over 1,108 such violations in the U.S. in the past year alone.

Results and responses

Using the Have I Been Pwned dataset, the researchers gathered 792 responses involving 189 breaches and 66 different leaked data types. They discovered that 73% of participants had their information exposed in at least one data breach, with the highest number being 20.

Email addresses were compromised the most, followed by usernames, passwords, IP addresses and dates of birth.

“It could be that some of the breached services were considered ‘not important’ because the breached account did not contain sensitive information. However, low concern about a breach may also be explained by people not fully considering or being aware of how leaked personal information could potentially be misused and harm them.”

Peter Mayer, postdoctoral researcher at Karlsruhe Institute of Technology

“Today’s data breach notification requirements are insufficient. Either people are not being notified by breached companies, or the notifications are crafted so poorly that people might get an email notification or letter but disregard it. In prior work, we analyzed data breach notification letters sent to consumers and found that they often require advanced reading skills and obscure risks.”

Yixin Zou, doctoral candidate at the University of Michigan School of Information

The study ended with researchers showing participants the complete list of breaches affecting them and suggesting ways to protect themselves against potential dangers online.

“The findings from this study further underline the failure and shortcomings of current data and security breach notification laws. What we find again and again in our work is that important legislation and regulation, which is meant to protect consumers, is rendered ineffective in practice by poor communication efforts by the affected companies that need to be held more accountable for securing customer data.”

Florian Schaub, assistant professor of information at the University of Michigan

Europe’s General Data Protection Regulation legislates heavy fines for companies that fail to protect consumers’ data. The implementation of such regulations and sanctions has led companies worldwide to comply and retool their privacy policies and invest in security awareness training for their employees.





by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.
