On April 7, the emails started to roll in with something new, something we had never heard of before here at the Identity Theft Resource Center.
Although we keep abreast of all issues related to identity theft — which includes information security — all of the daily email blasts we received that day had the same word in the subject line. That word was Heartbleed.
So we did what the ITRC does best and learned everything we could to educate consumers when they started calling with their concerns.
We waited…and waited…and waited some more for a deluge of public concern that was surely going to come in at any minute. But the calls never came. In fact, there was no increase in calls to the ITRC call center at all. How could this be, we asked ourselves? How could the announcement of this bug, which information security specialists called “the dreaded Heartbleed vulnerability that shook the foundations of the Internet” and “possibly the most severe security bug in the history of the Internet,” not send consumers stampeding to protect their online information?
Apparently we were not alone. A new YouGov/Huffington Post survey of 1,000 U.S. adults asked people whether they had checked to see whether any websites they used were affected. A whopping 77% said no, they had not checked. The survey then asked whether they had changed any passwords online because of the Heartbleed bug. Only 6% said they had changed “all of them” while 62% said they had changed “none of them,” despite knowing the risks.
Information Fatigue to Blame?
We believe the lack of consumer concern is due to information fatigue. After all, consumers have been hit left and right recently with data breaches at their favorite retailers (for example, Michaels craft stores just revealed that 3 million customers had their information stolen), their schools, and their places of employment. With every breach, the media has been saturated with warnings about how unsafe your personal information is and facts about how bad identity theft has become. There is only so much the average consumer can hear about the dangers of having their information hacked into before they throw their hands up in defeat.
This is a shame because the Heartbleed bug was far more destructive than any breach in which only your credit card number and name were stolen. A data breach incident involving payment card information is generally pretty easy to resolve for the consumer.
On the other hand, the potential compromises with the Heartbleed bug are more serious. But people have had just about enough of hearing about the “next big blow” to the security of their information. Perhaps, as the warning emails about Heartbleed continue to increase, people will become more concerned about determining whether their information has been compromised and how they can further protect themselves.
In the meantime, we are giving the following advice to those few who seem to be as concerned as we are.
- First, don’t think that Heartbleed won’t affect you because you don’t put private information on your home computer. In fact, Heartbleed is affecting web servers. So this goes beyond your own computer or use of the Internet. Your bank and credit card companies have servers, your doctor’s office probably has one, and your or your child’s school has one. In other words, any number of outlets that hold your personal information could be affected.
- Second, assume that your accounts have already been compromised. This programming error is two years old but has only just been discovered. Treat this situation as though you just got confirmation that your passwords to all of your accounts just got shared on the Internet.
- Third, change your passwords. You have probably begun to get warning notifications via email from your favorite companies. Why? As PRIVATE WiFi CEO Kent Lawson recently reported, the bug could expose your private passwords to hackers, which is why these sites (including Netflix, Facebook, Instagram, Tumblr, Yahoo!, Gmail, and many more) now recommend that you change your password.
- Fourth, and finally, stay calm. We remind consumers to never panic about these things. Rather, always be prepared and take measures to protect yourself and your information. A bug in your computer is not unlike a bug in your body and an ounce of prevention is worth a pound of cure.