The impacts of Data Breaches: Using UX to move forward.

In 2022 a major Australian Telecommunications company had a data breach. Nearly 10 million customers — roughly 40% of the population had their personal data stolen in what it calls a “cyber attack”

Another survey done on 1000 Australian participants, an overwhelming majority of respondents said they had “never” considered how much their online data would be worth to a cyber criminal.

Using UX research, my team and I developed a streamlined solution to mitigate the impacts of the breach and assist users in moving forward.

Learning from this background information, our goal is to create a digital experience that:

• Helps affected people with moving forwards post data breach.
• Supports them by identifying their current issues by providing appropriate information.
• Accelerates the process to gain new replacement documents if necessary.
• Assists in the prevention of vulnerabilities created by the data breach.

By utilizing the double diamond approach, we used several methods of user research and synthesis to fully understand the problem space and define a solution.

As a team we conducted 13 user interviews with individuals affected by the recent data breach. Our goal in conducting these interviews was to understand the concerns and frustrations faced by users in relation to the recent data breach. All 13 users we interviewed were affected by the data breach.

From this research synthesis, we noticed key patterns in user behaviours start to emerge. The users we interviewed fell into two distinct groups; those who were reactive to the data breach and those who were proactive.

We found that reactive users dealt with the problems as they arose, hence they felt the need to have a clearer communication and direction. All users interviewed mentioned the lack of speed and response to the situation taken by the phone provider, which led to gaps in communication of the implications of the breach. This led to them feeling more concerned about the breach due to their lack of understanding.

Proactive users aimed for prevention of future attacks and had a desire to learn more about the situation. Although they were less aware of the consequences, they had a desire to improve on their knowledge and educate themselves on the consequences of the breach to help themselves and those around them.

When questioned about the consequences of the data breach, these users felt uninformed due to the lack of communication but remained proactive in wanting to know more about protecting their private information online now that this breach has happened. We found that with this information, users could feel more informed by providing educational content around cyber security.

While we understand that the number of user interviews conducted does not allow for an accurate persona to be created, we created these two pseudo personas to reflect the two distinct schools of thought, the reactive and proactive person, as seen below:

The Customer Journey

Drawing from this research, we began to unpack the users journey through the experience.

Awareness: Upon becoming aware of the situation by receiving multiple emails and text messages from the phone provider, Bob and Rhonda felt a high level of concern given the lack of clarity provided. They did not know what personal information had been breached, but they were aware that they had been breached.

Initial Response: By the time they received an initial response in the form of official government websites and an informational page made by the phone provider, users felt overwhelmed by the back and forth redirection of the hyperlinks and disappointed by the insufficient information.

Absorbing the Information: Already feeling annoyed and fed up by the lack of direction and clarity they were receiving, when it came to absorbing the information and attempting to follow information, users said that the information was spread across multiple websites and that the resources lacked clarity.

Taking Action: By the time it was time to take action and attempt to replace their compromised documents, users were annoyed at the lack of updates provided after submitting their forms to replace their documents. Additionally, they stated that the information provided in regards to cyber education was too dense or too much information to read.

Receive Clarity: By the end of their journey and instead of feeling less confused or frustrated, they only appear more lost and drained as they are unaware of their next steps in the process.

Pain Points to Opportunities

From this journey mapping we ascertained the pain points of the journey and what improvements we can make to the user experience.

Pain points

• Poor direction
• Lack of clarity
• Disconnected information
• Insufficient Resources

Opportunities

• Direction of next steps
• Clarity of information
• Education

Solution Interface

When deciding which way to take our solution, our team was split between constructing a mobile app and a mobile website. To validate our direction, we undertook validatory research asking the same users we interviewed, what form of solution they would prefer.

Out of the 12 responses, 67% preferred a mobile website due to the ease of use and accessibility involved. Secondly, we asked our users to rank their preference of solution which were: Direction of Next Steps, Clarity of Information and Education, with the most important first.

From here we shared our ideas on broad solutioning with ideas ranging from tiktok dances to chatbots

Our key ideas revolved around 4 themes:

• Gamification through fast educational quizzes.
• Education pages.
• Clear filtering and sorting of information.
• Community collaboration to create a sense of reassurance.

Final Solutions

From our research, we created 4 key solutions for the website; a next steps quiz, news updates, a cyber security quiz, and a community group.

• Next Steps Quiz
  A recurring theme in our research was the need for clear and direct communication about the steps and direction to take post breach. The quiz function allows for users to have clear steps and actions on how to move forward post breach by filtering and personalizing the presented information.
• News Updates
  From our research, there was a clear need for timely updates and notifications. To address this we included a page showing the chronological news and updates to convey a clear timeline of the events taking place both past and present.
• Cybersecurity Quiz
  Through our analysis of the more reactive user behaviors we wanted to provide a resource which would be a fast and gamified way to relay information with the cyber security quiz. This quiz would test the user on common cyber security practices giving them a score and explaining the information behind answers. UX research shows that this method can improve focus, enhance learning, and increase engagement with the community.
• Community
  From our user research we ascertained that a sense of community surrounding the breach was highly helpful to ease concern and help find solutions when communication was lacking. However, based upon our testing, we noted that users do not trust social platforms, especially after a data breach. Hence, we have currently included the subheading to explain the benefits of having a moderated community platform, however this would continue to be a future iteration project moving forward.

Lofi and Hifi Prototype

To adequately validate concepts and test our designs before moving forward we completed a round of usability testing on the Lofi prototype whilst working up the structure of our Hifi.

From this testing we found there were several UI and copy elements that were having a negative impact on the experience and usability. Mainly on the homepage the content of our CTA, “Have you been breached”, was stressful and misleading as the user will not be aware of this problem until they have either been notified or noticed suspicious activities.

The menu styles, such as accordions, lists and icons were also creating an information overload on the users, given that there were so many unique paths for each individual state and territory. In the Hifi version we created a more visual system with a carousel for each state/territory, creating a break in visual style on the homepage and reducing the sense of prioritisation of different states.

We completed 3 rounds of usability testing before reaching submission day allowing us to iron out the major kinks but there are still plenty more iterations to be made.

Thanks for taking the time to read this case study and have a look at our final prototype on this link!