Less than Half of Consumers Change Passwords Post-Breach

There’s a “shockingly high” disconnect between awareness of best practices following a data breach and actions taken, according to a new study from the Identity Theft Resource Center (ITRC).

The non-profit polled over 1000 US consumers to gauge their understanding of and response to breach incidents involving personal information.

The report found that more than half (55%) of social media users have had their accounts compromised in the past, so there’s generally a high level of awareness about what can be done to enhance personal security.

However, nearly a fifth (16%) of respondents said they took no action following a breach. Less than half (48%) changed affected passwords, and only a fifth (22%) changed all of their passwords.

That’s particularly worrying when 85% admitted to reusing log-ins across multiple accounts, putting them at risk of credential stuffing.

“When asked why they don’t use unique passwords, 52% said it’s too difficult to remember their passwords, 48% don’t trust or know how to use password managers, and 46% don’t think it’s important or believe their password practices are good enough,” the report noted.

Just 3% followed best practice advice following a breach notice and put a credit freeze in place to prevent fraudsters running up debts on new lines of credit taken out in victims’ names. Some 11% said they used free credit monitoring services, even though these are of limited use as they don’t block new account fraud, the report revealed.

A quarter (26%) of respondents claimed that they took no action after a breach notice as they believed “my data is already out there,” while slightly more (29%) naively thought third-party organizations would handle the issue.

Nearly a fifth (17%) claimed they didn’t know what to do, while 14% thought the notice itself was a scam.

“Organizations need to review how they notify consumers of data breaches to reduce the level of inaction and improve the credit freeze adoption rates,” argued ITRC president Eva Velasquez. “Also, businesses should recommend to consumers that they reset any passwords that are not unique and offer multi-factor authentication with an app.”

What’s Hot on Infosecurity Magazine?