Data breaches are bad for business, but the resulting fraud can be devastating to the people who’ve had their personal information compromised.
A new report from Javelin Strategy and Research released on Wednesday concludes that a single massive data breach can result in “billions of dollars” in consumer fraud losses.
“We’re trying to get the message out that this has real consequences for consumers and for other businesses that weren’t breached,” said Al Pascual, a senior analyst for security, risk and fraud at Javelin who co-authored the report.
A record number of breaches –1,611 – took place in 2012, according to the Open Security Foundation, a staggering 48 percent increase from 2011. The Javelin report analyzed the impact of this growing problem to quantify the resulting fraud.
Just look at the numbers. In 2010, if you received a data breach notification, your odds of being a fraud victim were one in nine. Last year, that jumped to one in four.
“What this tells us is criminals are relying more often on data gleaned from these breaches to commit fraud,” Pascual said. “Better than half of all fraud victims are data breach victims. It’s a glaring difference.”
What are the cyber-attackers after?
Some of these crooks want credit or debit card numbers because they can instantly buy things.
Identity thieves want Social Security numbers that can be used to “take over” existing financial accounts or open new ones in the victim’s name. That’s why the losses are higher when there’s an account takeover: $5,100 on average compared to $1,600 for a stolen credit or debit card.
Hackers were after Social Security numbers when they attacked the South Carolina Department of Revenue last year. They got 3.6 million of them. Javelin puts the total loss from this fraud at $5.2 billion dollars, making the breach one of the most costly ever.
The average fraud victim in this case will spend $776 out of pocket and take 20 hours to resolve their problems, the report estimated.
“When a Social Security number is compromised, it can haunt you for years to come,” said Karen Barney with the Identity Theft Resource Center, a non-profit that helps victims of ID theft. “You’re always on alert and you have to be constantly vigilant.”
Barney knows how creepy it can be when someone else is out there pretending to be you. She had her Social Security number stolen before going to work at the center. The ID thieves opened mobile phone accounts and made other transactions in her name for more than a year.
The Javelin report urges financial institutions to stop the use of Social Security numbers to authenticate identities. Javelin estimates most (80 percent) of the top 25 major financial institutions in the U.S allow customers to access their accounts with their Social Security number.
The report suggests other types of authenticators be used because they offer greater fraud protection, especially for breach victims – such as one-time passwords or biometrics.
Why are there so many data break-ins?
It’s impossible to prevent all data breaches, but Javelin concludes that the majority of them are “crimes of opportunity that rely on the failure of aggravatingly simple protections.”
In other words, while some businesses do a great job of protecting the personal information they collect and store, others don’t take the most basic precautions – such as using firewalls or even updating passwords needed to access their computers.
Brian McGinley is CEO of Identity Theft 911, a company that works with businesses who’ve had a data breach to help the victims. He believes many businesses don’t act appropriately because they don’t realize the severity of the threat
“It’s no longer a possibility that you’ll be attacked, it’s become a probability and darn near a certainty,” McGinley said.
What happens after the breach is critical to the victims
A company’s reputation is on the line after it’s been breached. As a result, it may try to minimize the gravity of the situation by downplaying the likelihood that the information will be misused.
That can make the situation worse if victims don’t realize they need to take steps to protect themselves.
A surprising finding: Many people who are offered free identity protection services following a breach don’t sign up for it.
Of the nearly 29 million people who received a notice in 2012 that their information was stolen, only 5.8 million took advantage of a service to reduce the risk of fraud, Javelin estimated. Why?
Brian McGinley who runs such a service at ID Theft 911 thinks “breach fatigue” could be to blame.
“People receive so many of these letters and if nothing’s happened so far, they may assume nothing’s going to happen this time,” he explained.
That’s a big mistake. Someone who’s had their data breached is 14 times more likely to become a fraud victim, McGinley told me.
There is a better way
Any company or institution that collects or stores personally identifiable information is obligated to secure that data and prevent unwanted intrusions.
Javelin recommends a number of “best practice” security procedures to achieve that goal, including universal encryption (that meets industry standards) and regular security audits to ensure that established security procedures are being followed.
Data custodians are also advised to have mechanisms in place to detect a potential security compromise and to respond aggressively when malware is discovered.
Javelin believes it should be standard practice to purge sensitive data when it is no longer needed. This reduces the cost and the potential harm from an intrusion.
Al Pascual wants everyone who stores or transmits sensitive personally identifying information to realize how hard they must work to guard it.
“If you are not protecting it like money, if you’re not putting it in a safe, you’re not being realistic,” he said.