Not All Data Breaches the Same, Study Finds

SAN DIEGO – A study of major data breaches suggests that financial institutions not view all such breaches as being of the same security risk and that the risk from some of the breaches may be quite small. The study was conducted by ID Analytics, a leading risk management company working against card and identity fraud. After its survey of four major card breaches, which the firm has not yet identified, ID Analytics broke data breaches into “identity level” breaches in which consumer names and social security numbers were stolen and “account level” breaches in which only account numbers were stolen. The firm also discovered that the degree of risk varies based on the nature of the data breach, for example, whether the breach was the result of a deliberate hacking into a database or a seemingly unintentional loss of data, such as tapes or disks being lost in transit. “The risk to consumers and businesses varies considerably based on the type and scope of the data breach, which is why we think assessing the degree of risk for a given breach is critical to determining the best next steps,” said Mike Cook, ID Analytics’ co-founder and vice president. “The good news is not only that we have technology that can measure the risk of a breach, but that we can actually distinguish which sets of breached data are actively being used to commit fraud.” In other good news, the firm’s study also revealed that the breaches they studied which had been “identity breaches” had resulted in fraud only at the rate of one instance per 1000 identities stolen or compromised. “We feel strongly that this research provides meaningful evidence both for companies working to mitigate the risks that stem from data breaches as well as for elected officials working toward a legislative solution,” said Bruce Hansen, CEO of ID Analytics. “What’s more, we think this information can help consumers assess their relative risk if they have been a victim of a data breach.” ID Analytics estimated the reason for the minimal use of stolen identities is based on the amount of time it takes to actually perpetrate identity theft against a consumer. As an example, the firm pointed out that it takes approximately five minutes to fill out a credit application. At that rate, ID Analytics argued, it would take a fraudster working full-time – averaging 6.5 hours day, five days a week, 50 weeks a year – over 50 years to fully utilize a breached file consisting of one million consumer identities. If the criminal outsourced the work at a rate of $10 an hour in an effort to use a breached file of the same size in one year, it would cost that criminal about $830,000, the firm said. This varying of impact from data breaches would help consumers, a noted consumer advocate has noted. “Consumers need to know the level of risk that is posed if they are part of a data breach. While any data breach is cause for concern, consumers that have been impacted need guidance as to the degree of risk involved,” said Linda Foley, executive director of the Identity Theft Resource Center. “It’s not helpful for consumers to receive a generic letter in the mail telling them that they may or may not be at risk. We need to help victims of breaches understand when they need to be more vigilant and prevent them from being unnecessarily alarmed.”