Would You Know If Your Data Was Compromised? Three out of Four Consumers Don’t

august 11, 2021 | identity theft
Would you know if your identity had been compromised

Will you know when your private data gets compromised? An eye-popping study from the University of Michigan indicates you'd be in the minority if you answered "Yes."

Data breaches have increased in recent years, and the victim count has swelled. However, this recent study indicates that only 26% of those connected to documented data leaks were aware of their situation. A whopping 74% of victims remained in the dark.

Breaches on Facebook, LinkedIn and Adobe grab big headlines, and clients know to check their accounts for breach news. Yet, U-M researchers—working with colleagues at George Washington University and Karlsruhe Institute of Technology in Germany—discovered that the majority of 413 individuals with compromised email addresses and other leaked details had no clue. On average, the details tied to a single user came from five breaches.

"This is concerning. If people don't know that their information was exposed in a breach, they cannot protect themselves properly against a breach's implications, e.g., an increased risk of identity theft," U-M doctoral candidate Yixin Zou stated.

Gathering the Evidence

For the study, which may be the first done with proven victim data, scientists utilized Have I Been Pwned, the massive Australian database run by security researcher Troy Hunt. HIBP is an excellent but by no means all-encompassing source of data breaches.

Researchers identified nearly 800 individuals in all and queried 413 individuals with exposed email addresses. The scientists then provided evidence of compromise to 413 victims; over 70% said they did not know about the events. One individual's data appeared in 20 breaches. The victims contacted by email received proof of up to three breaches that exposed their email and other personally identifiable information (PII). Respondents expressed greater concern regarding the breach of names, addresses, passwords and contact data. Many admitted to using identical login credentials for multiple accounts and felt they were to blame for the problems. George Washington U's Adam Aviv disagreed that consumers owned the lion's share of the blame. Instead, he stated, "The fault for breaches almost always lies with insufficient security practices by the affected company, not by the victims of the breach." Still, the team strongly advised against login or credential reuse. It also pointed out that not all data breaches see the light of day. "Risks range from credential stuffing—or using a leaked email address and password to gain access to other accounts of the victim—to identity theft and fraud," Karlsruhe researcher Peter Mayer stated. "Most of the breaches never made the news, and often they involved little or no notification to those impacted."

Notifications Weak or Non-Existent?

Several researchers who collaborated on this new investigation referenced a related study on the nature of data breach notification letters. In that work, many of the same experts checked over 160 data breach notifications filed with the government as most U.S. states require. Maryland's Attorney General provided breach letters for evaluation. The group noted that many breach notifications are lengthy or require high-level reading skills. They further expressed concern that many letters tried to "downplay or obscure the likelihood of the receiver being affected by the breach and associated risks." Shield Yourself Given the vastness of stolen or leaked data circulating on the web, it's not intelligent to reuse any of your login combinations. Reuse creates many headaches for consumers and fuels credential stuffing attacks. If you can't remember all your passwords without reuse, it's time for a password manager. IDShield monitors member identity data 24/7. We scan for Social Security numbers, passwords, medical insurance data, bank account details and a host of other info that makes up your PII. Here's a list of the data points we monitor while you sleep so that you can leave the worries to us.

IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage, and conditions, please see an identity theft plan. All Licensed Private Investigators are licensed in the state of Oklahoma. This is meant to provide general information and is not intended to provide legal advice, render an opinion, or provide any specific recommendations.

Learn more about what to do if your data is compromised