The human factor: the untold impact of data breaches

Eighteen months on from the establishment of Australia’s national identity theft support service, the country is for the first time starting to get a picture of the impact data breaches have on their victims.

The not-for-profit iDcare was formally established in October 2014 to offer those affected by data breaches practical response plans to mitigate the effect of a compromise.

The joint government-industry organisation splits itself down two lines. Specialists and counsellors within its case management centre build a tailored response for people who have had their personal details stolen. The centre operates online and phone-based contact services, and national reporting mechanisms like ACORN and ScamWatch refer victims to iDcare for help dealing with a breach.

At the other end of the spectrum, iDcare's national identity lab takes the data generated by the case management centre to create reports that both help its respondents better assist those in trouble, and show businesses that have been breached how the community has been affected and how they can address the damage.

IDcare operates on a measly budget of $1 million annually, provided by the government and its industry partners. Most (29) of its 32 staff are volunteers, thanks to partnerships with universities that place post-graduate behavioural science students into roles within the organisation.

“We run probably the cheapest outfit on the planet,” iDcare chief David Lacey, a speaker at next week's AusCERT 2016 conference, says.

“We don’t need a $300 million Canberra model to do this type of work.”

But this low-value approach doesn’t extend to the quality of its work.

Mental health

iDcare operates in a space others tend not to venture.

The debate around cybercrime is rarely occupied with the mental health impacts breaches have on the individuals involved - much of the attention is focused on what and how much was stolen, how the attackers managed to get in, and the ensuing impact on the organisation in question.

Only during last year’s Ashley Madison hack did we start to get a glimpse of the emotional toll a data breach can have on those involved, when several suicides were linked by police to that attack.

iDcare has spent the past 18 months responding to around 20,000 individuals annually who have fallen victim to a breach, collecting data at the same time to generate a picture of what these attacks mean to the community.

Around 8 percent of its 20,000 clients every year are referred for mental health treatment as a result of the exposure of their personal information - a statistic Lacey says he expects will surprise many in industry and government.

“We measure a lot of the psychosomatic impact on the individual. Things like anxiety and disengagement and physical vomiting and not sleeping tell us anxiety and depression are coming into play", at which point iDcare’s specialists refer the individual for expert help, Lacey sas.

At least half of the remaining 92 percent of individuals who contact iDcare each year demonstrate psychosomatic impacts like feeling physically sick and lack of sleep, he said.

There is also often a lot of blame attribution that comes from having your personal information exposed, iDcare has found, which exacerbates a person's feelings of anxiety.

Affected individuals regularly report feeling blamed by family and friends for clicking on a dodgy link that then compromises their personal data, which perpetuates the natural human instinct to not tell anyone and try to deal with the matter in silence, Lacey said - a response that can make the situation worse.

iDcare’s goal is to shift the focus of the cyber breach discourse from technical solutions and business process, to looking at the impact on the community.

Its national identity lab - backed by 12 researchers - is the “only place in town” that has any data on the community impact, Lacey says.

iDcare’s goal is not to sell this information - it’s a not-for-profit - but to use it to prompt a cultural and behavioural shift, providing research to organisations who have fallen victim to an attacker to educate them on how customers have been impacted and what they can do to address it.

“We’ve got what we call a 59/91 split - 91 percent of what we see touched 59 organisations across Australia,” Lacey said.

“Three organisations a week engage with us over experiencing a data breach. We coach them through how they should assess likely harm, what are the identifying features of what’s been impacted, what the response plan is, and we offer to engage directly with their victims.”

Read on to find out what iDcare has discovered about data breach victms...

Who is Australia’s average data breach victim?

More females than males fall victim to a data breach, according to iDcare, and most are aged between 25 and 45. There’s an even geographic spread across the country.

Most of the time individuals directly enable the compromise of their own information, generally through a telephone or phishing scam, the organisation has found.

Almost 90 percent of those who have been breached self-detect a compromise and/or later misuse of their data, but only 3 percent report it to law enforcement.

Around half of people who have had their details compromised will have this data abused - for example their stolen credit card details are used to make purchases.

The majority of the breaches reported to iDcare involve stolen driver's licence details, either in a physical or online form, followed by bank account information, debit and credit card data, and mobile phone account information.

Of all compromises reported to iDcare, there’s a 50/50 split between online and physical breaches, the latter including things like stolen driver’s licences and mail theft.

The organisation sees a lot of the classic Microsoft telephone scam - where an attacker impersonates a Microsoft employee to gain access to a target computer - or ransomware like Cryptolocker, which Lacey says is extending from business scenarios to individuals.

However, almost all misuse scenarios - where personal data is stolen and then used in some way by the attacker - occur online. The average value of this sort of fraud is $27,267.

What to do when you've been breached?

For individual victims, iDcare looks to address how they can mitigate flow-on effects through a practical and tailored response plan. It spends an average 19 hours on each individual client.

“If your email was hacked, you might have 12 different identifying credentials in there. iDcare has a specific response measure for each of those scenarios, which we can give to you in one place,” Lacey said.

“For every hour we invest in a client, we save them 12 hours figuring out what’s within their email that they need to address, and the process and requirements the organisations will require you to address.”

Lacey says the organisation doesn’t yet have the data to identify how many cases it has successfully resolved for clients, but points to an 83 percent customer satisfaction rate, and a newly-funded research project that will map the journeys of its clients over 12 months. The study started last month.

“Once you have your identity compromised, it’s not like you can get it back,” he said.

“Success for us looks like [a client] hasn’t experienced misuse, and they’ve managed risk around compromise. We haven’t had any clients calling us back saying it’s happened again since we’ve been in operation.

“But this study should hopefully really drill into that, what [clients] look like at the 12 month, 18 month mark."

Lacey will present an insight into iDcare’s first 18 months in operation at next week’s AusCERT 2016 conference in Brisbane.