Australasian Science: Australia's authority on science since 1938

Why Personal Data Breaches Are a Growing Problem

Despite the huge numbers of compromised accounts that come along with every data breach, most people actually indicate that they have never been notified that their private information has been compromised.  Credit: Maksim Kabakou/Adobe

By Eric Jardine

While most people whose online data have been compromised report little or no financial consequences, the overall cost runs into trillions of dollars even before the loss of trust in e-commerce is factored in.

In late September 2016, we learned that Yahoo’s servers had been breached and upwards of 500 million users had bits and pieces of their private information stolen, much of which later ended up being sold in dark web marketplaces. The breach had occurred 2 years earlier, with Yahoo largely unaware that there was even a problem.

The Yahoo breach is the tip of a very, very large iceberg. Just the month before, Dropbox announced that it had also been hacked (again, some years earlier) and that user information for 68 million account holders was pilfered away. The list goes on and on, and the number of users exposed consistently reaches well into the millions.

Despite the huge numbers of compromised accounts that come along with every data breach, most people actually indicate that they have never been notified that their private information has been compromised. The 2016 CIGI/Ipsos Global Survey on Internet Security and Trust (http://tinyurl.com/jl8kzh6) makes this point plainly. Across more than 24,000 respondents in 24 different countries, only 27% of people indicated that they had ever been notified that their personal data was compromised in a data breach.

The numbers get even weirder from there. Of those who did know that their data was exposed, few suffered any serious personal financial costs. Fully 47% of people, for example, reported that they suffered zero financial cost as a result of the data breach. Another 44% reported that the financial costs amounted to a small amount, ranging from 1¢ to $999. Summed together, these numbers indicate that for upwards of 91% of people, data breaches impose only a very small personal financial cost.

With these two sets of numbers at hand, it is tempting to think that data breaches and online crime, despite being headline-grabbing stuff, are not really that large of a problem for individuals around the world. But there are at least four reasons why online crime and the theft of personal data remain a massive issue that is likely to get even worse as more and more of our daily lives shift online.

One of the reasons is financial. A second has to do with patchy disclosure laws. Another has to do with the importance of privacy, and the last involves a somewhat more ephemeral notion of trust. Combined together, these reasons are mutually reinforcing and strongly suggest that more needs to be done by companies, individuals and governments to fight back against cybercriminals.

Let’s unpack the first of the reasons. While 47% of survey respondents indicated that the theft of their personal data did not cost them even a penny, how much these crimes cost overall matters, too. As Fen Hampson and I point out in Look Who’s Watching: Surveillance, Treachery and Trust Online, when you add up all the individual financial costs of data breaches, the result is a fairly massive price tag. Because respondents were asked to put their estimated financial losses into categories, we were able to estimate the minimum, the average and the maximum potential cumulative cost of people’s lost data. At the minimum end, assuming everyone paid the smallest amount for their indicated cost range, the price tag could still be as high as USD$5.4 trillion. The average case, where some paid at the high end, some at the low end and some in the middle, worked out to a whopping USD$10.6 trillion. If we assume the worst – that everyone paid at the top end of their chosen range – then the cumulative cost of data breaches is potentially as high as USD$15.7 trillion.

Small costs, while they might seem minor in isolation, can add up very quickly when there are hundreds of millions of people being affected. Clearly, the initial idea that cybercrime might not be a huge problem financially is simply not true.

People might also not have been notified that their personal data was breached, and herein lies the second reason why a figure like 27% should not be taken as a sign that there is not a problem. Some nations have laws surrounding the disclosure of data breaches to those affected by a breach. Others don’t. Sometimes, too, those rules apply to certain sectors, like health care, but not to others, like retail. This patchwork quilt of data breach disclosure rules means that just because only 27% of people in the sample know their data has been breached does not necessarily imply that the “real” number of people that have been affected is not much, much higher. Many might simply be living in blissful ignorance, but when it comes to the online world, what you don’t know really can hurt you.

There is also a third reason why data breaches matter and why more needs to be done to stop them. Financial costs aside, data breaches involve the intimate violation of people’s privacy. Privacy is important for a range of reasons. Psychologically, people value the idea that what they do online is free from the prying (and judging) eyes of others. When the online adultery site Ashley Madison was hacked, for example, people lost their jobs, their relationships, and in some cases took their own lives. It is important that what people do in the privacy of their own homes remains private. Data breaches, given the ways in which people currently use the technologies of the internet, shake that simple idea to its very core.

The final reason why data breaches are such a big problem is that they undermine the trust that users place in the technologies of the network and in other users. Trust matters because while the internet is a wonderful technical system, the glue holding it all together is actually social. It is based upon user perceptions that the network is trustworthy. When that trust declines, people change how they behave. Often, these changes in behaviour hit right at the heart of the ways in which the networks of the internet facilitate innovation and commerce.

Some slightly older survey data by SafeNet Inc. highlights this trend well. Fully 65% of people indicated that they would be unlikely to frequent an online service after a data breach that compromised their financial data. This average masks some interesting variation, where 53% of people in Germany and 82% of people in Japan indicated that they would not use services that lost their financial data. The new saying seems to be “once bitten, always shy”.

At first blush it might be tempting to say that the problem of personal data breaches is a lot of hype with little substance. When only 27% of people report that they have been affected by data breaches and when, among those, fully 47% have had to pay nothing financially as a result, it is alluring to conclude that the situation is actually not that bad. The trouble is that the ostrich approach to the problem of cybersecurity won’t work and is also not actually warranted by the data.

When the situation is fully thought through, the cumulative cost of data breaches is huge, the potential that the scope of the problem is incorrectly specified is large, the loss of privacy is daunting, and the erosion of user trust is damning. We all need to do better. Governments, companies and individuals need to work together to improve the state of cybersecurity. If we don’t, the problems of cybercrime and personal data breaches are only going to get worse, to the detriment of us all.


Eric Jardine is Assistant Professor at Virginia Tech, and Fellow of the Centre for International Governance Innovation.