SAN DIEGO — Obscured by headlines about millions of possibly breached identities is the simple fact that the actual act of fraud may be relatively rare.
An analysis of more than a dozen data breaches affecting more than 10 million identities by ID Analytics Inc. found that, in fact, the chances can be downright miniscule, and when they do occur, it's often credit cards sent to specific addresses following an internal data theft that's to blame.
San Diego-based ID Analytics provides identity scoring technology to a range of clients, including government agencies, wireless carriers and credit card issuers. The company also operates the ID Network, which it calls the nation's only real-time, cross-industry compilation of identity information used to spot and prevent identity fraud.
Recommended For You
Organizations spanning multiple industries provide the network its 3 billion identity elements–names, addresses, Social Security numbers and phone numbers–that are studied "to gain a quantitative understanding of the nature of identity fraud," according to Thomas Oscherwitz, the company's chief privacy officer and vice president of government affairs and author of a new report on its analysis of the data leaks.
"Concerns about data breaches remain high," Oscherwitz says. "This new research shows the latest trends about the harm resulting from data breaches and how criminals are actually using the data.
"Our intention is to help organizations understand which types of data breaches pose the greatest risk, and how to best respond."
The company found an inverse relationship between the size of the breach and how often a stolen identity was actually used to obtain a credit card or other goods or services.
Only five of the breaches study resulted in fraud, Oscherwitz says, and "smaller breaches had a higher misuse rate than larger breaches. Misuse of personal data ranged from one in 200 identities for breaches of fewer than 5,000 individuals to a misuse rate of less than one in 10,000 identities for breaches of more than 100,000 individuals."
ID Analytics also found no evidence of fraudsters broadly selling data obtained from the breaches or distributing them over the Internet, although the Internet was the preferred channel to use to fraudulently obtain credit cards.
"This finding is significant because one of the greatest potential risks of data breaches is the broad dissemination of personal information to others with criminal intent," Oscherwitz says.
The study also found that the identity thieves worked through the data quickly, using a breached identity for no more than two weeks before moving on to another one, and that the stolen data tended to be used local to the scene of the crime.
"Fraudsters tended to link the breached personal data to a limited set of new phone numbers or addresses, meaning they worked to associate these identities with particular phone numbers for verification purposes and with addresses where they could receive credit cards, wireless phones or other merchandise ordered using the breached identity data," Oscherwitz says.
As for the inside jobs, "it was also notable that the ID Analytics research team uncovered a geographic link between the site of the internal data breaches and the locations where these employees actually used identity information to commit fraud," the ID Analytics executive says.
In those five cases "of organized misuse resulting from data breaches," Oscherwitz says, "it was apparent that fraudsters were targeting repositories of personal data and were deliberate in their usage of this information to commit fraud."
The findings this time around were consistent with a national breach analysis the firm did two years ago. That includes the realization that fraudsters face physical and knowledge constraints on how quickly they can use the data to successfully file false credit applications.
The bottom line?
"Based on these results, ID Analytics asserts that the risks of data breaches should be put into context," Oscherwitz concludes. "A breach of data does not necessarily result in identity fraud."
© Touchpoint Markets, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more inforrmation visit Asset & Logo Licensing.
