The year 2005 certainly will go down in history as "the year of the breach." In just that one year, a broad array of organizations, including banks, transaction processors and retailers, announced almost 100 breaches affecting more than 50 million consumers.
These breaches sparked consumer fears about an impending surge in identity theft because criminals can use compromised personal data to commit identity and transaction fraud. However, consumers, industry advocates and regulators rarely have distinguished between the different types of data breaches, so little was known about the likelihood of resulting identity theft from each breach type.
To address this gap in information, ID Analytics recently examined publicly available information about data breaches and actual data-breach files from four separate incidents representing approximately 500,000 breached consumer identities. Over a six-month period, our company analyzed the information against applications in its network, which contains more than 3 billion identity elements contributed by leaders from across the credit card, wireless telecommunications and instant-lending industries.
One of the key findings was that data breaches vary significantly depending on the type of information stolen and the intent behind the breach. Breaches involving identity-level information, such as Social Security numbers, names, addresses and phone numbers, tended to be more harmful to consumers and to the affected industry than were those involving credit card account numbers.
The research showed that account-number breaches do not appear to lead to subsequent fraudulent openings of new accounts for credit or services. However, account-number data breaches are significant because they can cause harm to consumer victims and to the organizations responsible for their accounts. But data breaches of accounts do not warrant the same scrutiny, or alarm, as do identity-level data breaches.
Another finding from the analysis entailed deducing a "misuse rate," or the proportion of unique identities harvested from a breach that crooks subsequently used to attempt fraud. Because the number of breached consumer identities and the number of unique identities that were used to attempt fraud were known quantities, we were able to calculate the actual portion of breached identities resulting in attempted identity theft. The actual misuse rate for the breach analyzed was very small, just slightly more than one in 1,000 breached identities.
A possible reason for the minimal use of breached identities is the amount of time it takes to perpetrate identity theft against a consumer. As an example, it takes about five minutes to fill out a credit application. At this rate, it would take a fraudster working 6.5 hours per day, five days a week, 50 weeks a year more than 50 years to fully utilize a file consisting of 1 million consumer identities.
While it is reassuring to know that the risk of identity theft from an account-data breach appears to be low, any financial institution affected by such a breach is advised to take every possible step to protect its customers, and its brand, from misuse resulting from the breach. In every case, the breach data should be analyzed and monitored for potential misuse over time.
Mike Cook is vice president of product and co-founder of ID Analytics Inc., a San Diego-based identity risk-management company. With 20 years of experience working in risk and fraud prevention, Cook has conducted extensive research on the methods and schemes of fraudsters on behalf of ID Analytics and its clients. He can be reached at mcook
(c) 2006 Cards&Payments and SourceMedia, Inc. All Rights Reserved.