The human factor: the untold impact of data breaches

Eighteen months on from the establishment of Australia’s national identity theft support service, the country is for the first time starting to get a picture of the impact data breaches have on their victims.

The not-for-profit iDcare was formally established in October 2014 to offer those affected by data breaches practical response plans to mitigate the effect of a compromise.

The joint government-industry organisation splits itself down two lines. Specialists and counsellors within its case management centre build a tailored response for people who have had their personal details stolen. The centre operates online and phone-based contact services, and national reporting mechanisms like ACORN and ScamWatch refer victims to iDcare for help dealing with a breach.

At the other end of the spectrum, iDcare's national identity lab takes the data generated by the case management centre to create reports that both help its respondents better assist those in trouble, and show businesses that have been breached how the community has been affected and how they can address the damage.

IDcare operates on a measly budget of $1 million annually, provided by the government and its industry partners. Most (29) of its 32 staff are volunteers, thanks to partnerships with universities that place post-graduate behavioural science students into roles within the organisation.

“We run probably the cheapest outfit on the planet,” iDcare chief David Lacey, a speaker at next week's AusCERT 2016 conference, says.

“We don’t need a $300 million Canberra model to do this type of work.”

But this low-value approach doesn’t extend to the quality of its work.

Mental health

iDcare operates in a space others tend not to venture.

The debate around cybercrime is rarely occupied with the mental health impacts breaches have on the individuals involved - much of the attention is focused on what and how much was stolen, how the attackers managed to get in, and the ensuing impact on the organisation in question.

Only during last year’s Ashley Madison hack did we start to get a glimpse of the emotional toll a data breach can have on those involved, when several suicides were linked by police to that attack.

iDcare has spent the past 18 months responding to around 20,000 individuals annually who have fallen victim to a breach, collecting data at the same time to generate a picture of what these attacks mean to the community.

Around 8 percent of its 20,000 clients every year are referred for mental health treatment as a result of the exposure of their personal information - a statistic Lacey says he expects will surprise many in industry and government.

“We measure a lot of the psychosomatic impact on the individual. Things like anxiety and disengagement and physical vomiting and not sleeping tell us anxiety and depression are coming into play", at which point iDcare’s specialists refer the individual for expert help, Lacey sas.

At least half of the remaining 92 percent of individuals who contact iDcare each year demonstrate psychosomatic impacts like feeling physically sick and lack of sleep, he said.

There is also often a lot of blame attribution that comes from having your personal information exposed, iDcare has found, which exacerbates a person's feelings of anxiety.

Affected individuals regularly report feeling blamed by family and friends for clicking on a dodgy link that then compromises their personal data, which perpetuates the natural human instinct to not tell anyone and try to deal with the matter in silence, Lacey said - a response that can make the situation worse.

iDcare’s goal is to shift the focus of the cyber breach discourse from technical solutions and business process, to looking at the impact on the community.

Its national identity lab - backed by 12 researchers - is the “only place in town” that has any data on the community impact, Lacey says.

iDcare’s goal is not to sell this information - it’s a not-for-profit - but to use it to prompt a cultural and behavioural shift, providing research to organisations who have fallen victim to an attacker to educate them on how customers have been impacted and what they can do to address it.

“We’ve got what we call a 59/91 split - 91 percent of what we see touched 59 organisations across Australia,” Lacey said.

“Three organisations a week engage with us over experiencing a data breach. We coach them through how they should assess likely harm, what are the identifying features of what’s been impacted, what the response plan is, and we offer to engage directly with their victims.”

Read on to find out what iDcare has discovered about data breach victms...