So much stolen data, so little time

Data breaches have so far rarely been used for financial fraud, a new study of recent incidents has shown.

ID Analytics announced findings from a survey on four recent data breaches involving a half-million identities and said that "the calculated fraudulent misuse rate for consumer victims of the analyzed breach with the highest rate of misuse was 0.098 percent – less than one in 1,000 identities."


The San Diego-based company said it separates breaches into different categories: identity-level breaches, where names and Social Security numbers have been stolen, and account-level breaches, which involve the theft of account numbers.

ID Analytics said the degree of risk involved depends on whether the data breach was the result of a hacking incident by a malicious user trying to gain access to data or an unintentional loss of data, such as lost tapes.

The company found that it may not be cost-effective for criminals to attempt financial fraud after a breach. Because it takes about five minutes to fill out a credit application, according to the company, it would take a fraudster working full-time over 50 years to fully use a confiscated file containing a million identities.

Mike Cook, company co-founder and vice president of product, said better educated criminals could lead to a higher percentage of misuse in the future.

"As there becomes more awareness, an offshoot is that we are also educating the fraudsters," he said. "If someone were to obtain data and sell it in packages on the internet, there would be a lot more people working on the data."

Bruce Schneier, Counterpane founder and chief technology officer, said on his "Schneier on Security" weblog that the results are "something I've been saying for a while."

Schneier, the author of "Applied Cryptography," said that, although breach notifications can have a "boy who cried wolf" effect on some people, they're valuable because of the financial deterrent they present to companies.

"The main security value of notification requirements is the cost. By increasing the cost to companies of data thefts, the goal is for them to increase their security," he said. "Direct fines would be a better way of dealing with the economic externality, but the notification law is all we've got right now. I don't support eliminating it until there's something else in its place."

www.idanalytics.com www.schneier.com

Copyright © SC Magazine, US edition