78% of Users Do Not Trust Brands That Have Experienced Data Breaches - What Does That Mean for Businesses?
In May, the news of the Cambridge Analytica scandal that affected millions of Facebook users was still fresh. A nervous Mark Zuckerberg had recently appeared before Congress, and many people were discussing privacy. Ping Identity, an identity security company, decided to see just how concerned users were. They called 3,000 individuals located in the US, the UK, France, and Germany, and asked them how they felt about the state of online privacy in the wake of the series of data leaks and breaches that continue to this day. The answers were interesting.
Just over a fifth of those interviewed had already been affected by a data breach at the time of the survey, and of them, 34% had incurred a financial loss because of the incident. Even people who hadn't been impacted by a data breach were concerned, though.
Nearly half of all participants said that they would steer clear of a service provider that had recently suffered a data breach, and a whopping 78% claimed that they would stop their online engagement with such an organization.
On the face of it, then, it looks like immediately after the Cambridge Analytica scandal, people really were worried about their privacy. That said, 59% of those interviewed said that additional security shouldn't cost them any money, and more than half said that despite the continuous stream of leaked data, they didn't feel like they should take any steps towards ensuring better protection.
You could argue that the numbers aren't completely accurate. For example, Facebook didn't lose 78% of its active users after the data of millions of people ended up in the wrong hands.
We can still draw some conclusions from people's answers, though. They seem to think that service providers are solely responsible for the security of users' data. Some experts reckon that this is a big problem.
Who is to blame when data gets leaked?
You might think that answering this question is easy enough. Obviously, cybercriminals willingly try to obtain access to information they're not authorized to view, and in doing so, they're committing a crime. Therefore, they should take some of the blame.
Not all of it, though. When we sign up for an online service, we trust that the service provider will take the necessary steps to protect our data. Unfortunately, they often fail to do it, and they shouldn't be let off lightly for it.
In September, for example, data management company Veeam left an unprotected database full of users' personal details exposed to the Internet and was lucky that a security researcher managed to discover it before the bad guys. Blunders of this sort shouldn't be overlooked. Whoever is responsible for them should face the consequences, and organizations and employees should learn from other people's mistakes.
If your data gets compromised, you'll likely be angry with the person who stole it as well as with the vendor that was supposed to keep it safe. According to security expert Troy Hunt, however, you should first think about your own actions before laying the blame at someone else's door.
Fingers are sometimes pointed in the wrong direction
Last week, following a heated discussion on Twitter, Hunt decided to write a blog post, explaining why, in some cases, the victims of a data breach are the ones who should be ashamed of themselves the most. His musings were triggered by a couple of recent incidents: the latest HSBC data breach and the money-for-nothing bitcoin scam that saw compromised Twitter profiles sporting a "Verified" badge impersonate Elon Musk.
In both cases, we're talking about account takeovers on a fairly large scale, and although nobody has officially confirmed what happened exactly, the attacks bear all the signs of a credential stuffing campaign. In a credential stuffing attack, crooks take username and password combinations that have been stolen during a data breach of one service provider and try them out at another one. Because people tend to reuse passwords, in many cases, the combinations work.
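The pattern described above, one source trying many different accounts with most logins failing, shows up in a provider's authentication logs. The Python below is an added example, not part of the original article; the event format, the thresholds and the sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events: (timestamp, source IP, username, success).
# IPs come from documentation ranges; none of this is real log data.
EVENTS = (
    # One source cycling through many accounts, nearly all attempts failing.
    [(f"2024-01-01T09:00:{i * 5:02d}", "203.0.113.7", user, user == "carol")
     for i, user in enumerate(["alice", "bob", "carol", "dave",
                               "erin", "frank", "grace", "heidi"])]
    # A user mistyping their own password, then getting in.
    + [("2024-01-01T09:01:00", "198.51.100.20", "ivan", False),
       ("2024-01-01T09:01:10", "198.51.100.20", "ivan", False),
       ("2024-01-01T09:01:25", "198.51.100.20", "ivan", True)]
    # A shared office address: many users, but every login succeeds.
    + [(f"2024-01-01T09:02:{i * 7:02d}", "192.0.2.50", user, True)
       for i, user in enumerate(["judy", "ken", "lara", "mia", "nina", "oscar"])]
)


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.25):
    """Flag sources that try many distinct accounts in one window and mostly fail.

    Returns {ip: accounts that logged in successfully inside a flagged window},
    i.e. the accounts whose reused password probably worked.
    Thresholds are illustrative assumptions, not recommended values.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {user for _, user, _ in span}
            successes = [user for _, user, ok in span if ok]
            if (len(users) >= min_users
                    and len(successes) / len(span) <= max_success_ratio):
                flagged.setdefault(ip, set()).update(successes)
    return flagged
```

On the constructed data only 203.0.113.7 is flagged, with carol as the account that needs a forced password reset; the mistyping user and the shared office address are left alone.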
Without a doubt, password reuse is one of the most common mistakes people make, and there's little vendors can do to stop it. Troy Hunt argues that ultimately, the user is the one who chooses whether or not to reuse the same password on multiple accounts.
What we need to do is tell them that having unique passwords needn't be so difficult when you have tools like our own Cyclonis Password Manager.