Data breaches: A pause, then life goes on?
Michigan News 8/21/19
What can matchmaking site data tell us about how consumers respond to major credit card and other data breaches? Quite a lot, actually.
Looking at the effects of a data breach on a website for those seeking extramarital affairs, University of Michigan researchers found that users were less active in searching or messaging on the site and saw a notable increase in the probability of deleting photos.
This sounds reasonable, but do people differ in their reactions? And also, do the effects stay for long enough to affect the company?
The research on how to measure the behavioral changes that occur after a data breach was conducted by Dana Turjeman, a doctoral student in marketing at the Ross School of Business, and Fred Feinberg, a marketing and statistics professor at Ross.
Data breaches have become almost commonplace. Breaches at Target, eBay, Equifax and Uber are well known, but many others occur each year. In 2018, some 1.37 billion records were compromised. These breaches cost more than individual financial losses—they pose individual risk, privacy violations and a loss of trust.
“While firms typically publicize how they are responding to a data breach, little is known about whether individual consumers change how they interact with the company or continue with business as usual,” Turjeman said.
The matchmaking site breach was announced by the hackers indicating they had downloaded detailed personal information of all users of the website, including credit card information, preference for affair types and other potentially identifying or socially embarrassing elements.
Turjeman and Feinberg studied the activity of de-identified profiles of 43,000 paying male users of the matchmaking site from the United States before and after the breach.
Even though data of all users were hacked, which is a challenge in causal inference, the researchers used an advanced AI causal inference method to measure a reduction in messages and searches and a short-time increase in deletion of photos.
The researchers then investigated what can predict whether users will change their behaviors differently than others. They looked at marital status (67% of users were attached, 33% single) and whether the user’s public profile included a photo (85% had public photos and 15% required reciprocity in sharing their photos).
“Many married men may have had their data go public, including photos, and had more to lose than others, which explains why the site saw a surge in photo deleting in the first week after the breach,” Feinberg said.
Feinberg and Turjeman found that married people were more extreme in their reactions, but were surprised to see that users who didn’t have a public photo had smaller effects. This might be because they did not realize that being private on the website means the data was not hacked, they said.
Despite the evidence of reduction of messages—which is the financial source of income of the company—the level of post-breach average activity reduction was surprisingly modest, given the nature of the website and the media storm that followed.
“While some users are initially upset and reduce their activity, in relatively short order we see a hint of life returning to normal,” Turjeman said.
The researchers said that much more needs to be done to protect customers and firms from data breaches, and that the ability to measure the change in users’ behavior is just a small step toward better and more secure online communities.