In a world where social media platforms constantly collect personal data, and everything seems to be public, why should data leaks still matter to anyone? While many seem not to care, experts warn that cybersecurity apathy might be dangerous.
It is no longer surprising to hear news of another data breach where numerous people's private data is compromised. Data leaks have become a common occurrence in our highly digital world, affecting businesses of all sizes, from small companies to multinational corporations.
The Cybernews’ research team is constantly working to find and responsibly disclose data leaks and vulnerabilities that could lead to data breaches. However, editorial experience within the industry suggests that companies are often not doing enough to protect data from leakage, and affected individuals are frequently unaware of the scope and potential dangers associated with their data being handled by malicious actors.
Although people remain vigilant about their physical belongings, such as wallets and passports, they often seem to let their guard down when it comes to digital security.
As the number of digital threats continues to rise, so does a sense of apathy toward cybersecurity. Why don’t we care anymore about our leaked data? Cybernews talked to experts in the field to dig deeper to the root cause of this phenomenon.
Not aware of potential dangers
People may choose not to raise the alarm about leaked data because they are unaware of the potential dangers.
“People keep the information private while talking to someone they do not know well. But also, people use public Wi-Fi without a VPN, accept all the cookies on sites, and agree to privacy agreements of freshly installed apps,” Pavlo Haidamak, product manager at MacPaw, told Cybernews.
The technical details of cyberattacks can be difficult to understand, and the consequences of a data leak may not be immediately apparent or measurable. This might create a false sense of security that “nothing is going to happen.”
“The feedback loop is simply too long, and as human beings, we suffer from survivor bias. [...] Most users of computers, mobile devices and technology in general have no real idea what motivates criminals when they ask for certain information and how they can turn your information into online gold.”
explained Tom Van de Wiele, principal technology and threats researcher at WithSecure.
People often underestimate the extent to which their personal information can be exploited. Cybercriminals can use stolen personal information to commit a variety of fraudulent activities, ranging from identity theft and phishing attacks to other kinds of cybercrimes, like opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.
The digital realm contains a wider range of information about individuals than physical records. Experts warn that even seemingly insignificant pieces of leaked personal information can be assembled together to create a devastating impact.
“Having an old social media account you never use breached doesn’t seem so bad – until you realize that the one password you use for everything is now publicly available.”
told Vytautas Kaziukonis, CEO of Surfshark.
Kaziukonis suggests that in many instances, individuals whose data has been leaked may not even realize that their personal information has been compromised and, as a result, not be concerned about its implications.
“Companies have no incentive to make a song and dance about every data breach they suffer. Quite the opposite. Even when clear and timely announcements are made, they can get lost among all the other data breaches and data privacy scandals,” added Kaziukonis.
According to Manav Mital, CEO of Cyral, companies themselves may lack awareness regarding what sensitive data they have, including its location, usage, and who has access to it. “Sadly, most people don't find this terribly shocking, so they expect their data to be leaked or stolen at some point, and it usually is,” said Mital.
“I have nothing to hide”
A careless attitude to data security could also be a reason for apathy toward data leaks. Crowds don’t care about hacks because they do not think it affects them in any sense.
It is not uncommon to hear people say, “who needs my data? I am not famous” or “I have nothing to hide” when it comes to cybersecurity and data privacy. While many sleep calmly at night, experts highlight that public figures are not the only ones targeted by cybercriminals.
“[Saying] "I'm not a target" usually means you don’t understand the threat and techniques,” added Van de Wiele. “With data leaks, people tend to think they will not be a victim because as data breaches go, there usually isn't a single person impacted but several thousand, hundreds of thousands, or even millions of people.”
Van de Wiele notes that the attacker does not really care who you are. “Thinking that you are only one drop in the ocean does not make any difference for attackers that can easily repurpose millions of records of PII [personally identifying information] in seconds to attempt credential stuffing or to reuse your information, high-resolution photo, and other information to apply for an online resource.”
Breach fatigue
The phenomenon of "security fatigue" seems to be a significant factor in why many people don't seem to care about data leaks even when they are affected.
The occurrence of data leaks has become frequent, which has led to their normalization. The continuous coverage of data breaches has caused the public to become desensitized to these incidents, resulting in a reduced level of concern when a leak does occur.
“I cannot remember a day in the last three years that didn't bring news of a new breach. The public is more fatigued on breaches than NFTs. Although the leak flood is always flowing, the public does not see any consequences. And if there are no consequences, then why does it matter?”
said David Maynor, director of the Cybrary threat intelligence team.
Researchers at the US National Institute of Standards and Technology conducted a research project named “Security Fatigue.” Their findings revealed a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance among participants, showing signs of, as the report’s name indicates, security fatigue.
The authors discovered that this fatigue or malaise affected users’ cost-benefit analysis of adopting security practices and reinforced their belief that following security advice is not worthwhile.
“Breach victims range from one-person startups to multi-billion-dollar corporations. The variety of victims and number of reports makes a breach seem more like an act of nature than a preventable IT issue,” said Maynor.
Over-sharing culture
The emergence of social media highly disrupted the perception of private data. Over the decade of living with social media platforms, people have started to feel more comfortable sharing private information, often with thousands of strangers on the internet.
“Times have changed almost as quickly as technology has over the past fifteen years. The rise of social media has led to online personas, which really don’t abate. That means that, for most participating in the online sphere, privacy is no longer an expectation, particularly for those under the age of forty.”
observed Richard Gardner, CEO of Modulus.
The prevalence of oversharing in our culture can cause people to feel detached from their personal information, and they may not even be aware of what types of data they have already shared on the internet.
“After a breach, one of the first questions is: did the hackers get financial data or Social Security numbers? When the answer is no, that hackers only received information like name, address, and birth date – items that are widely considered public records for many because of public voter records and social media, many stop reading and move on with their lives. This practice of acceptance isn’t good for the health of cybersecurity, to be sure, but it is the trend,” said Gardner.
Convenience over safety
Convenience is another factor that can contribute to people's indifference to data breaches. As the internet becomes increasingly integrated into our lives, the practice of trading personal information for free services or personalized advertising has become commonplace.
This trend has led to a widespread mindset that the benefits of sharing personal information outweigh the potential risks, despite the ever-increasing number of high-profile data breaches and privacy concerns.
Norton’s Cyber Safety Insights Report showed that more than three in five consumers say they accept certain risks to their online privacy to make their life more convenient, and more than half of internet users surveyed across countries including the US, UK, Japan, and the Netherlands broadly agreed that it’s impossible to protect their privacy.
According to Norton’s Cyber Safety Insights Report, 38% of users have never considered their identity could be stolen, and 46% of Americans would have no idea what to do if it was.
“At conferences, I would ask people if they knew Home Depot or Target was hacked. All hands would go up. Then I would ask if anyone stopped shopping there. The only time I ever saw hands go up was at a cybersecurity conference, and even then, it was two or three hands.”
said Mark Herschberg, cybersecurity CTO at Vodex.
Herschberg believes that the challenge lies in the fact that the negative consequences of a data breach often occur at a later time and are not directly linked to the initial incident.
While the user may experience some immediate benefits from using a website, the pain of the stolen information may not be felt until much later, if at all. As a result, the user perceives a clear benefit in using the site, but the potential harm is unclear. “Until we can link the pain to the incident, people won't be bothered by breaches,” claimed Herschberg.
While cybersecurity apathy is understandable, the implications of such an attitude can be severe and hazardous. Raising awareness and education in the field could make a difference in the long run.
Your email address will not be published. Required fields are markedmarked