I Was Breached, Now What? Most People Say: Nothing
Chances are, you have been the victim of a data breach.
Most of us have been the target of a phishing expedition, where someone tried to trick us into giving away passwords or credit card information. These days, it’s a pretty standard experience. It is also not unlikely that they succeeded. We are only human.
But leaks are not always the result of our own actions. Attacks against providers of unsafe apps and services can expose the personal information of thousands, even millions, of individuals. A recent Swedish example is the app SportAdmin, used by thousands of sports clubs. When hacked, it exposed personal information about two million Swedish people, many of them children.
How do we feel about, and respond to, breaches affecting us?
To find out more, I read the paper “Awareness, Intention, (In)Action: Individuals’ Reactions to Data Breaches” by Mayer et al. (2023).
TL;DR: In their main survey, participants showed little awareness of breaches affecting them and low concern about whether the breach would have any impact on them. In a follow-up survey, researchers showed that there is a substantial gap between the participants' intention to secure their digital lives and the act of actually doing so.
Strong Feelings, Weak Follow-Through
In the study, nearly three-quarters of participants had been affected by at least one data breach — yet they were unaware of almost three-quarters of those breaches. That means most people have had their information compromised without even knowing it.
When participants were told about specific breaches that affected them, many assumed it was their fault. They cited weak passwords, bad digital hygiene, or carelessness. Few blamed the companies that were actually breached. In short, the burden of responsibility quietly shifted to the individual.
Emotions ran high: people reported feeling upset, angry, annoyed, frustrated, and exhausted. But here’s the kicker — very few acted on those feelings. The majority said they intended to do something — change a password, freeze credit, or switch services. But when followed up later, most had done nothing.
The Intention-Action Gap Is Real
This isn’t laziness. It’s a kind of preconditioned helplessness — or at least a rational resignation. Some participants didn’t act because it felt pointless. Some forgot. Others were overwhelmed. The task of “securing your digital life” often feels complex, time-consuming, or simply too late.
This gap between intending to do something and actually doing it is well-documented in behavioral science, and this study shows how wide that gap is in cybersecurity.
If most people don’t act, the entire system suffers. Companies face less pressure to fix problems or compensate victims, and breaches become background noise.
What Needs to Change
The study doesn’t just leave us with bad news - it points to where we can do better.
For one, companies need to do more than send generic breach notices. Notifications should be clearer, more actionable, and delivered in ways that feel personal, not like spam.
Second, tools for responding to breaches (password managers, credit freezes, account audits) must be far more accessible. Right now, they’re often clunky or hidden behind technical jargon.
Finally, there’s a real opportunity for policy and design to support better defaults — automatic protections, nudges to act quickly, or even regulated responses for companies that get breached.
From Helpless to Proactive
The next time you hear about a breach that might affect you, don’t ignore it. Don’t assume you’re powerless. Use my checklist to secure your digital life, but also: act when your data is on the loose.



