First comes the notification that your personal data have been compromised in a data breach. And as sunset follows sunrise, increasingly that notification is followed by actual dollar losses in fraud on personal accounts, said Javelin Strategy and Research in its recently released 2013 DATA BREACH FRAUD IMPACT REPORT: Mitigating a Rapidly Emerging Driver of Fraud.
Wrote Javelin: “A single massive data breach can result in billions of dollars in consumer fraud losses. Data breach victimization has been increasingly correlated with fraud incidence over the past three years, with a walloping 23% of data breach victims in 2012 becoming fraud victims.”
Worse news: data breaches are multiplying as cyber crooks recognize that credit and debit card numbers are as good as cash and, increasingly, they are easily stolen from poorly protected data caches.
In an interview, Javelin risk expert Al Pascual said that, generally, financial institutions are doing a good job protecting account numbers and the rest of the information coveted by cyber crooks.
But other kinds of businesses – from online merchants to bricks and mortar retailers, hotels and restaurants – are not necessarily as thorough in safeguarding their account data and they are under attack by skilled hackers.
Usually, said Pascual, the company whose data cache is hacked may suffer reputational losses but the hard dollar losses are suffered by individual consumers and also by financial institutions that, in many cases, absorb their customers’ losses.
Advised Pascual: “You have to make it more difficult for the fraudster. We are not saying you can stop every breach. But big breaches often are the result of simple mistakes.”
Mistakes – careless handling of data – are commonplace, observed Pascual. He noted that 80% of the 25 largest banks “still allow use of Social Security numbers for authentication,” a practice he advised be discontinued.
“The Social Security number is the key to the kingdom for criminals. It can lead to account takeover and identity theft,” Pascual said.
Javelin recommended that enterprises take simple steps to better protect account data. Included in the recommendations are: Conduct regular security audits; don’t store data unnecessarily: encrypt data; and assess risk annually.
“The fixes for the data breach problem are fairly obvious,” Pascual said.