Analysis of data breaches at four separate companies, covering approximately half a million identities, revealed that few of the breached identities were misused for criminal financial gain.
The study distinguishes between “identity-level” breaches, where names and Social Security numbers are stolen and “account-level” breaches, where only account numbers – sometimes associated with names – are stolen.
According to ID Analytics, identity-level breaches pose the greatest potential for harm to businesses and consumers, because of the sophisticated methods used by fraudsters in carrying out the attacks. Even so, the research found that less than one in 1,000 identities was likely to be an ID theft victim as a result of this sort of data breach.
The reason for the minimal use of stolen identities is based on the amount of time it takes to actually perpetrate identity theft against a consumer, says ID Analytics, pointing out that it takes approximately five minutes to fill out a credit application.
At this rate, it would take a fraudster working full-time – averaging 6.5 hours day, five days a week, 50 weeks a year – over 50 years to fully utilise a breached file consisting of one million consumer identities. If the criminal outsourced the work at a rate of $10 an hour in an effort to use a breached file of the same size in one year, it would cost that criminal about $830,000, explains the firm.
Another factor useful in assessing the degree of risk, is the nature of the data breach suffered – whether, for example, it is the result of a deliberate hacking into a database or a seemingly unintentional loss of data, such as tapes or disks being lost in transit.
The firm also indicates that in certain targeted data breaches, notices may have a deterrent effect.
In one large-scale identity-level breach, thieves slowed their use of the data to commit identity theft after public notification. The research also shows how the criminals who stole the data used identity data manipulation, or "tumbling," to avoid detection and to prolong the scam.
“Consumers need to know the level of risk that is posed if they are part of a data breach. While any data breach is cause for concern, consumers that have been impacted need guidance as to the degree of risk involved,” said Linda Foley, executive director of the Identity Theft Resource Center. “It’s not helpful for consumers to receive a generic letter in the mail telling them that they may or may not be at risk. We need to help victims of breaches understand when they need to be more vigilant and prevent them from being unnecessarily alarmed.”
