Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/4/2014
12:30 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Breach Fatigue Sets In With Consumers

Report from Ponemon and RSA shows that consumers aren't really adjusting behavior due to mega breaches.

A new study out today confirms experts' belief that in the wake of mega breaches at retailers like Target and Home Depot, consumers are reaching a point of "breach fatigue." Conducted by Ponemon Institute on behalf of RSA, the survey report released today shows that consumers really do little to alter their shopping behavior following breaches at their favorite stores. However, their antennae are up and they do have preferences about how online retailers handle security measures such as authentication.

Among the 1,000 consumer respondents who participated in the study, half have been the victim of a breach. But a mere 14 percent reported that they care enough about privacy that a data breach at an institution they do business with would affect their shopping or banking behavior. While the majority of those polled say they do care about their privacy to some degree -- just not enough to change their online behavior -- some 23 percent said that privacy has absolutely no influence over their consumer perceptions or behaviors. Among all respondents, the increased news of retail breaches has affected the way some consumers spend their money. Approximately 49 percent reported that they are still shopping online, but they're now putting away their debit cards more often in favor of their credit cards.

"That ultimately comes down to the fact that as a consumer, do I want to be out of that money out of my checking account or would I rather deal with a statement later and fight it via my bank on my credit card?" says Ruben Rodriguez, principal product marketing manager in the fraud, risk, and intelligence group at RSA. "That has caused some hesitation and a shift in what they do, but they're still shopping and using their cards. It's just a difference between using one versus the other."

This isn't the first survey to support the theory that as news of breaches continues to saturate the headlines, consumers these days are taking a somewhat ho-hum attitude about it all. Last month, a report from Software Advice, an analyst subsidiary of Gartner, found among a pool of 4,000 consumers that only two of the top breaches in 2014 reached higher than 23 percent awareness. Also, as the year has worn on, consumers seem to have tuned out about breach news: Awareness of Target's nearly year-old breach registered higher than the bigger, more recent Home Depot breach. And the mega breach at eBay hardly affected perception at all, with 77 percent of respondents unaware it even happened.

"The results of our poll suggest that the public may already have reached 'peak breach,' responding to most of these stories with a shrug," writes Daniel Humphries, market research associate for Software Advice. "A breach has to be truly massive, and focus on credit cards over other types of data loss, for it to attain any serious level of public awareness. And even then, the Home Depot breach seems to be having less of an impact than the Target breach did -- so even the mega-breaches may be having less impact."

Nevertheless, consumers still have strong opinions about how companies should protect their information and how they should respond to breaches.

Approximately 62 percent of consumers say that they don't trust systems or websites when they only use passwords to authenticate users or when identity and authentication procedures seem too easy. And 77 percent of consumers say that when a breach occurs, they view prompt notification as important -- however, just 21 percent of consumers are very confident that retailers are actually telling them when their information has been compromised. 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RichardB055
50%
50%
RichardB055,
User Rank: Apprentice
11/5/2014 | 1:37:56 PM
It's Really Breach Resignation
I believe that Ponemon and RSA have ignored their own observations and mischaracterized the attitude of consumers. The article states that "consumers really do little to alter their shopping behavior following breaches at their favorite stores" but also that "consumers still have strong opinions about how companies should protect their information and how they should respond to breaches."

This is not "breach fatigue" but rather "breach resignation." What can a consumer do realistically in order to counter the risk of a breach? They could no longer shop at a store that has suffered a breach, which many consumers including myself have done. Of course, this assumes that the stores publicly admit to having been breached and also assumes that consumers have an alternative place to shop. Consumers can also stop using credit cards and carry around large wads of cash with which to make their purchases. I've done that, too; but that poses a different type of security risk. Or, I suppose, consumers can bring a security team with them to conduct a security audit of the store and all of its suppliers whenever they want to buy a roll of toilet paper.

In fact, if a consumer really needs something and needs to use a credit card, they are at the mercy of the store with regard to protection from a breach. With an ever increasing number of stores suffering breaches, consumers have no practical alternative but to resign themselves that they are taking a risk by shopping there.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
11/5/2014 | 11:34:57 AM
Difficult to visualise
I think a lot of the problems with this stem from the fact that the consumers can't see the problem and can't see the reaction from the company. Because it's all digital, it's hard to imagine it being real. 

If a store gets robbed at gunpoint, you might see an armed guard show up, or a better alarm system and security doors in place, but with a hack or data breach, it seems like business as usual for the consumers. So everything must be ok, right?
aws0513
100%
0%
aws0513,
User Rank: Ninja
11/4/2014 | 2:52:32 PM
Decisions are often local
The hard fact about the survey is that it cannot eliminate the human need for services or products when taking distance into consideration.

Example: If a person has reasonable access to only one hardware store, that person is going to use that hardware store.  The person may decide to stop using their payment card if a bank or ATM is conveniently located where they can get cash before going to the hardward store.  But if that is not the case, or they are in a pinch to get a certain product, they may conduct their own on-th-spot "risk assessment" and accept the risks involved with conducting an electronic purchase with the store.
I know some people would claim that there are always other stores or means to purchase services or products.  But that is not a realistic claim. 
Many parts of the world have a limited number of vendors that are nearby where they live and/or work.  If one needs to buy lumber, you could try to buy it online, but delivery options may be limited if there are no distribution points nearby.  BTW...  if you buy lumber, would you really trust the delivery guys to bring the quality lumber you expect?

I guess what I am trying to say is that reliance on customer actions to change commercial security practices is very likely a false expectation.

 
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...