Analysis of data breaches at four separate companies, covering
approximately half a million identities, revealed that few of the
breached identities were misused for criminal financial gain.
The study distinguishes between “identity-level” breaches, where
names and Social Security numbers are stolen and “account-level”
breaches, where only account numbers – sometimes associated with
names – are stolen.
According to ID Analytics, identity-level breaches pose the
greatest potential for harm to businesses and consumers, because of
the sophisticated methods used by fraudsters in carrying out the
attacks. Even so, the research found that less than one in 1,000
identities was likely to be an ID theft victim as a result of this
sort of data breach.
The reason for the minimal use of stolen identities is based on
the amount of time it takes to actually perpetrate identity theft
against a consumer, says ID Analytics, pointing out that it takes
approximately five minutes to fill out a credit application.
At this rate, it would take a fraudster working full-time –
averaging 6.5 hours day, five days a week, 50 weeks a year – over
50 years to fully utilise a breached file consisting of one million
consumer identities. If the criminal outsourced the work at a rate
of $10 an hour in an effort to use a breached file of the same size
in one year, it would cost that criminal about $830,000, explains
the firm.
Another factor useful in assessing the degree of risk, is the
nature of the data breach suffered – whether, for example, it is
the result of a deliberate hacking into a database or a seemingly
unintentional loss of data, such as tapes or disks being lost in
transit.
The firm also indicates that in certain targeted data breaches,
notices may have a deterrent effect.
In one large-scale identity-level breach, thieves slowed their
use of the data to commit identity theft after public notification.
The research also shows how the criminals who stole the data used
identity data manipulation, or "tumbling," to avoid detection and
to prolong the scam.
“Consumers need to know the level of risk that is posed if they
are part of a data breach. While any data breach is cause for
concern, consumers that have been impacted need guidance as to the
degree of risk involved,” said Linda Foley, executive director of
the Identity Theft Resource Center. “It’s not helpful for consumers
to receive a generic letter in the mail telling them that they may
or may not be at risk. We need to help victims of breaches
understand when they need to be more vigilant and prevent them from
being unnecessarily alarmed.”
