Massive corporate data breaches now happen so often and are so big that consumers are starting to have a very understandable reaction: Who cares?
“I don’t feel like knowing either way makes a difference,” said one Los Angeles-area Equifax customer who asked that their name be kept private. “I know there’s ID protection steps I should take, but it all feels so futile.”
Hardly a day goes by without a new headline about Corporate America exposing millions of consumers to potential financial crime. After the Equifax hack—145.5 million people now at risk—it’s understandable that some people are wondering if there’s even a point in trying to take action.
Add on the recent revelation that Yahoo’s security disaster affected all 3 billion accounts.
The unprecedented scale of Equifax cyberattack has left many people feeling alone and confused without the level of damage-control customer service that a company might otherwise provide in the case of a more limited breach. Others are simply playing the odds; what’s the ultimate likelihood that each and every datum belonging to nearly half the country’s population will end up in the hands of an identity thief?
It’s a perverse sense of safety in numbers. If everybody’s naked, nobody’s naked.
Others are simply playing the odds
Financial advisors and cybersecurity experts counsel otherwise. At the bare minimum, they recommend that people cancel or switch up credit cards or bank accounts, call financial institutions, and maybe even contract with one of the dozens of services designed to help prevent the possible consequences of leaked personal information.
Yet it can still be tempting to simply reassure oneself with sheer mathematical odds. That tendency can sometimes mean that the bigger a given breach is, the fewer consumers take precautionary measures, according to Kit Yarrow, a consumer psychologist at Golden Gate University in San Francisco who’s informally surveyed victims.
“I don’t know if I’d call it a head in the sand, but there’s sort of a way where since this last breach in particular was so massive, they do figure, ‘Well, why would they want my stuff? They’ll go for a rich person’s things—why would they pick on me?’’” Yarrow said.
But this gambler’s mindset can often belie a deeper sense of fear and helplessness in the face of a daunting and unknowable technical dilemma.
“Our villains today are invisible. It was just so much simpler when we were fighting bears.”
“Psychologically, [this] invisibility is also part of why they have resignation,” Yarrow said. “There’s just a sense of ‘I’m a human being without a means of protecting myself. I don’t have the tools and power that I need.’”
“Our villains today are invisible. It was just so much simpler when we were fighting bears,” she added.
A survey of 1,000 American adults from consumer reference site CompareCards last week found that nearly eight in ten had not taken the preliminary security step of freezing accounts, only a quarter have alerts set up on their credit or debit cards, and just 22 percent have signed up for a credit monitoring service.
More than half of a slightly smaller group polled by around the same time said they had not yet even checked to see if they were victims. Research firm Morning Consult found similar stats.
As a whole, each of the surveys have concluded, people are woefully underprepared against identity theft—even two weeks after the attack. But one thing about which they aren’t hesitant, many surveys unsurprisingly find, is their anger at Equifax for putting them in this situation.
Equifax’s messy initial relief efforts certainly haven’t given them much cause to temper this feeling. People were understandably wary from the get-go of entering their identifying information into the status-checking feature on the website of a company that had just announced a massive meltdown in its security systems.
I look forward to future hackers stealing all my data from that time I went to Equifax to determine they hadn’t stolen my data.
— Alex Konrad (@alexrkonrad) September 7, 2017
That perception worsened when news later broke that those who signed up for Equifax’s temporarily complimentary personal protection service could be waiving their right to take part in a lawsuit against the company. The next week it was revealed that Equifax had in fact been directing people to a scam version of the site it set up to deal with the fallout rather than the real thing.
Dozens of one-star reviews filed on Consumer Affairs since the hack describe the teeth-grating frustration of using services Equifax did actually provide.
“After this circus managed to share our details with whomever, their website offers a way to do a credit freeze. I tried FIVE times,” wrote one exasperated customer in Washington. “I am not surprised that this Mickey Mouse operation was hacked.”
Given the torrent of unflattering news around the bumbling way in which Equifax has tried to contain its mess, can anyone be blamed for taking Equifax’s word with a giant grain of salt?
“I was sketched out about giving Equifax more info to confirm if I was a victim, didn’t seem worth it… I just kind of assume I am.”
“I was sketched out about giving Equifax more info to confirm if I was a victim, [it] didn’t seem worth it,” the Los Angeles Equifax customer said. “I just kind of assume I am.”
Yarrow said around half of the people she’s interviewed anecdotally cop to this sort of resigned attitude. Many of them have been victims of other types of breaches in the past and lost faith in the overall security capabilities of their financial institutions.
“This is just one more and who cares because nothing’s safe anymore,” Yarrow said. “They have kind of a weary, guarded resignation and they don’t see any reason to do anything because it won’t matter anyway.”
There are all kinds of other reasons people might opt to throw up their hands too, of course: an all-time low public trust in the news media and other institutions that offer remedies, a lack of popular understanding of the esoteric technical nature of the issues at hand, procrastination—the list goes on.
But as warranted as these feelings might be, cybersecurity experts see the risk here as much more pressing than the layperson might be able to comprehend. If you’re truly at wits’ end with Equifax, the rest of the nebulous credit monitoring industry, and media reports, experts say it’s worth calling upon a trusted financial advisor or or other knowledgable source to help navigate the fallout.
“If people haven’t done it already, something has to be the impetus. And let’s hope that that arrives before something bad happens,” Yarrow said. “In a situation where people don’t trust the impetus, it has to feel like someone you do trust.”
“I really hope that people do it,” she adds.