Connecting the Dollars: Data Breaches and Identity Fraud

Posted by Pete Jun.19, 2014 in Passwords & Security

fb-post29We get all sorts of questions from people asking about passwords and online security. Not surprisingly, after a data breach occurs we get a lot of email about what to do next. Some of the more cynical folks want proof that fraud is related to data breaches.

To us, it seems intuitive: when hackers go to a lot of effort to steal the personal data (addresses, passwords, credit card details – you name it) of thousands, and even millions of people, they are doing it for a reason. There’s a “what’s in it for me?” factor that can’t be ignored.

Usually, that factor is money.

The recent example of hackers stealing the customer data of over 600,000 Domino’s Pizza customers in Belgium and France is out of the ordinary for allowing us to see the money connection in such a straightforward way. The hackers demanded a ransom of €30,000 (approximately $41,000) for the data. That works out to less than 5¢ per customer account, but it’s still a lot of nickels! (While Domino’s France acknowledged that a break-in had occurred the previous week, a spokesman indicated that financial information hadn’t been stolen and that they would not pay the ransom.)

Most often, quantifying the connection between a data breach and the resulting fraud is much harder. The financial component of how much the bad guys actually made because of the hack (through use of stolen credit cards, use of new cards created with stolen identities, and even the selling of stolen data to other bad guys) doesn’t link directly to how much the individuals whose data was stolen actually lost plus how much they had to pay out to recover from the hack (e.g. bank fees or penalties). You can see how complicated it gets.

Study shows that breaches do lead to increased identity fraud.

Even though it’s very difficult to make the direct connection between what the bad guys managed to steal and the financial damage to the injured parties, we can look at some interesting numbers that shed light on the impact of data breaches on the people whose data has been stolen.

That’s where a report by Javelin Research & Strategy comes in. They have released their 2014 Data Breach Fraud Impact Report: Consumers Shoot the Messenger and Financial Institutions Take the Bullet.

As reported by Eva Velasquez of the Identity Theft Resource Center, the report shows that:

  • “data breach victims are almost 8 times more likely to suffer from existing card fraud than those consumers who have not been a victim of a data breach.”
  • “over 9% of consumers who have had their US Social Security Number (SSN) compromised in a data breach suffered a new account being opened using their personal info as compared to 0.5% of those who had not had their SSN stolen.”

These numbers clearly show that hackers do indeed act with malice upon the data they steal.

What can you do to mitigate the risks?

It’s important to pay attention to news of new breaches. In order to be able to do anything to protect yourself, you need to be aware of what’s happening out there.

If you hear of a breach at a store or restaurant (like the recent breach at P.F. Chang’s) or eshop that you frequent, make sure you understand what type of data you have with that vendor. Then take quick action. Where applicable, change passwords and let your bank know that your cards are at risk. With SSN and other national ID numbers, it’s harder to change anything, so at the very least make sure you protect your IDs and don’t give them out unless absolutely necessary.

A big thanks to the Identity Theft Resource Center for bringing the report to our attention.