Equifax data breach—consumers heard about it but took little action
When the Equifax data breach impacting nearly 147 million people occurred just over a year ago most consumers took little to no action to protect themselves despite the risk of identity theft, University of Michigan researchers found.
In comprehensive interviews with 24 consumers, a team of researchers at the U-M School of Information led by Yixin Zou and Florian Schaub found that few knew if they were impacted by the breach, although they had heard about it and understood the risks of identity theft, and even fewer took protective measures, such as freezing their credit reports.
"We expected that people might have issues with protecting themselves effectively but the degree of inaction after the data breach was definitely unexpected," said Zou, a doctoral student at the school. "While a majority of our participants (19 out of 24) knew a big data breach had occurred at one of the big three credit bureaus and demonstrated detailed awareness of identity theft risks, more than half of them did not translate this awareness into any protective measures."
The researchers said many participants exhibited what is called optimism bias.
"They underestimated the likelihood of becoming a victim of identity theft, thinking they would not be an attractive target and making the assumption that whoever had access to the stolen data would target people who were more affluent and had a better credit history, even though scammers are unlikely to investigate their financial situation before stealing their identity," said Schaub, U-M assistant professor of information. "In fact, other research has shown that people of low socioeconomic status are disproportionately affected by identity theft."
Some consumers reported a tendency to delay security related tasks until they are actually harmed, even though recovery from identity theft is more labor and time-intensive than prevention, the researchers said.
Many consumers think if a problem is going to occur it will happen right away, so when all seems well shortly after a breach they move on without much more thought about it.
Then there were some who were unaware of available protective measures or had heard certain terms but misinterpreted their meanings.
"For example, 'fraud alerts' were understood as alerts sent by your bank or credit card company when fraudulent activities have been detected on your account, whereas placing a fraud alert on your credit file actually means adding a flag to your credit report when it is requested by vendors, alerting them that you may be at risk of fraud and that they should carefully verify your identity before a transaction," Zou said. "Credit freezes, which are the only effective way to prevent companies from requesting your credit report without you explicitly "unfreezing" it again, were misunderstood as 'freezing' credit cards by half of our participants."
For a number of the consumers, their inaction was an issue of cost. Placing a freeze on credit can cost up to $10 for each of the three major credit bureaus.
"Freezing and unfreezing your credit reports should be free nationwide, because it is the only measure that can effectively limit certain types of identity theft," Schaub said. "Similarly, consumers should be able to access their credit reports anytime for free, whereas current laws only mandate one free credit report per year.
"The good news is that credit freezes will be free in all U.S. states starting from this September, as a result of a new federal law amending the Fair Credit Reporting Act. However, this new law doesn't address some of the other issues we uncovered. For instance, consumers still need to place separate credit freezes at each credit bureau, something many of our participants were not aware of."
The actions favored by those that took the time to monitor their accounts were no-cost options such as going to Equifax's website, checking credit reports either through the annual credit report site or free third-party services, and closer self-monitoring of existing bank, credit card and other financial accounts.
Those actions can help spot identity theft when it occurs, but on their own do little to prevent identity theft, the researchers said. The Equifax breach included names, social security numbers, birth dates, addresses and driver's license numbers of all impacted, plus credit card numbers of about 209,000 consumers and credit dispute documents for another 182,000 people.
Zou and Schaub said the media played a role in informing consumers about the breach but not in prompting action. Instead, consumers were more willing to take actions when prompted by family members, colleagues or experts.
The researchers said this points to the need for the companies not only to report breaches but to clearly inform consumers how they are affected, what their risks are from the exposure of their personal data, and what steps to take to protect themselves. Usually when a breach happens, the companies send a message that says the consumers' data may have been compromised, with an offer for free credit monitoring and little more, leaving consumers to decide if they want to take steps or wait and hope for the best.
The Identity Theft Resource Center shows that the number of data breaches in the United States climbed from 157 in 2005 to 1,579 in 2017 with nearly 179 million records exposed. All told, from 2005 to date there have been 9,215 breaches and 1.1 billion records exposed.