Some data breaches can’t be prevented. But too many occur when data-storage companies fail to use “aggravatingly simple protections,” a new Javelin Strategy & Research report says.

Ultimately, such failures can lead to a single massive data breach that can result in billions of dollars in consumer fraud losses, according to Javelin’s 2013 Data Breach Fraud Impact Report.

Besides surveying data breach victims and using Federal Trade Commission methods to categorize fraud, Javelin based its report on analysis of four major data breaches — the South Carolina Department of Revenue, Northwest Florida State College, processor Global Payments and the Utah Department of Health.

Javelin estimates the Global Payments breach that started in 2011 will result in $708 million in losses from 428 fraud cases, averaging $1,654 each. Global Payments had originally stated that data from only 1.5 million cards was exposed, but MasterCard and Visa put the number closer to 10 million payment cards, the report states. Global Payments has explained the difference by saying it reported more card accounts to the card brands than were actually exposed, in order to “cast a wide net” for fraud prevention.

In 2012, up to 134 data breaches occurred in an average month, or 1,611 for the year, the report says.

In stressing the danger of having personal or payment data compromised, the Javelin report indicates that more than half of consumers who became identity fraud victims also were victims of a data breach.

“In doing this research, you understand that criminals start with the low-hanging fruit,” says report author Al Pascual, a senior fraud analyst for Javelin.

“They pay attention to the folks with the weakest controls, and they can end up walking away with millions of credentials,” Pascual says.

In most cases, the fraudster’s initial intrusion can be rated as “low difficulty,” the report states.

If a company uses strong passwords for system access and conducts regular checks of administrative settings, it “would shut the door” on many crimes of opportunity, Pascual says.

A significant problem unfolds when companies leave sensitive data unencrypted, he continues.

“The only way fraud is going to occur is for the criminal to use the full [payment] card number from unencrypted data,” Pascual says. “Encrypting data is relatively simple, and data-storage companies should be doing this anyway.”

Intrusions in all of the cases studied went undiscovered until the data had already been stolen, signifying that proper detection mechanisms were not in place, the report says.

Companies also should be forthcoming with information after a breach. Businesses and institutions that refuse to release details “are doing a general disservice” to consumers, government and other businesses by failing to provide them a chance to put their own fraud-prevention tools into action, the report says.

Layered security is a time-tested strategy that has proven to work best, Pascual says. But each layer has to be proven strong, he notes.

“Good defenses can be in place, but maybe not followed by company employees,” Pascual says. “Human error and human complacency come into play.”

Javelin recommends that companies conduct regular security audits. Those audits should include confirming that access rights are appropriate and paying special attention to the accounts of recently dismissed employees.

Companies should purge sensitive data that’s not necessary for compliance or business, while making sure to encrypt sensitive data with advanced encryption standards.

Improving authentication and avoiding simple passwords provide extra security, the report states. In addition, companies should react quickly when they discover malware.

“Simple mistakes [seem] to be the consistent element in this research,” Pascual says.
