In the wake of the historic hacking of credit reporting agency Equifax that has left millions of consumers vulnerable to a surge in identity theft, new research reveals widespread uncertainty among consumers who don’t know how to effectively protect themselves. The new survey from CyberScout and the Identity Theft Resource Center (ITRC) examines consumer perceptions and behaviors in response to identity theft and data breaches.
The study surveyed consumers who had experienced a data breach that exposed their personal information, and explored the ways that respondents reacted to the breach and the steps they took to mitigate the risk of financial harm.
Most of the participants responded that they felt the immediate path toward help was unclear
When asked where they would look for support in the event of financial loss due to identity theft, many respondents (38 percent) said they would turn to their bank, followed by 31.5 percent of respondents who said they wouldn’t know where or who to turn to for support. Only 3.8 percent would contact their insurance company, despite most policies including identity theft coverage or monitoring.
If consumers who were exposed by the Equifax breach follow this pattern of feeling overwhelmed and confused, along with breach fatigue and inaction, millions of people will be at a significantly higher risk of identity theft that may result in financial damage compared to those who take appropriate action.
“These survey results reiterate something we already had a feeling was happening, which is that many people don’t know what to do in the event that their personal data is stolen,” said Eva Velasquez, CEO and president of the Identity Theft Resource Center, in a news release. “As we are seeing with the Equifax breach, no one is immune to data breaches or the threat of identity theft, and there clearly needs to be better public education about how consumers can resolve ID theft and protect themselves.”
Highlights of the research:
- 80 percent of respondents understood that the data breach meant they were at higher risk for identity theft that could lead to financial harm, reflecting a broad awareness of the risks related to the theft of personal information.
- However, 49.3 percent were confused about what to do after receiving a breach notification and 31.5 percent did not know where or whom to turn to for support.
- Most consumers were frustrated, angry and anxious (77 percent). Frustration/annoyance (32.2 percent) and anger (25.5 percent) were the top specific emotions felt upon receiving a breach notification.
- Nearly half (41 percent) said they wouldn’t do business with the breached company again, a result that points to trouble for businesses who unwittingly expose customer data.
- More than a third of respondents (38 percent) would turn to their bank for help, although banks are only obligated to address credit card or bank account fraud, not fraud related to Social Security numbers and other identifiers
- Less than half of respondents took basic, recommended steps to protect themselves after the theft of their personal information in a data breach. See detailed survey results here.
“Consumers understand that data breaches put them at real risk, but they don’t know who to trust or where to turn,” said Matt Cullina, CEO at CyberScout, in the release. “We need to start treating identity theft protection like we treat the risk of heart disease—with lifetime preventive measures, regular checkups and expert support. After the Equifax breach, it is no longer a question of if you will be affected—consumers need to operate under the assumption their critical data, such as Social Security numbers, has been compromised, and take steps to protect themselves proactively.”
The website-based study was conducted by the ITRC and received 317 responses. The majority of respondents were website visitors who clicked on a link in a pop up on the ITRC website posing the question “have you received a data breach notification?” Other links to the survey included those from social media, the ITRC e-newsletters and an alert on the ITRC homepage. This question-based entry into the survey allowed for a filtering process by which participation was limited to those who had already experienced some kind of personal information exposure. As such, those who responded may have already had an identity theft experience which led them to the ITRC website.