ID theft from security breaches

December 10, 2007 at 9:52 pm 2 comments

How much identity fraud or theft actually comes from breaches involving the disclosure of personal identity information?

This is an important question because of increased publicity around high-profile breaches. The fiasco in the UK involving 25 million records is an obvious one, but according to Privacy Rights Clearinghouse, there were also about 217 million known records containing sensitive personal information involved in security breaches in the US over the past three years.

The question is also important given the moves to introduce guidelines or laws for data breach notifications, in both New Zealand and Australia.

There isn’t a lot of hard data to go by. That makes the recent study by US firm ID Analytics interesting.

The study looked at over a dozen data breaches involving more than ten million consumer identities. ID Analytics found five separate cases where breached identity data was misused by fraudsters, with two of those cases resulting from employee theft of data.

Very few identities were misused following a data breach.

Smaller breaches had a higher misuse rate than larger breaches. Misuse of personal data ranged from 1 in 200 identities for breaches of fewer than 5,000 individuals to a misuse rate of less than 1 in 10,000 identities for breaches of more than 100,000 individuals. So, data breaches that get major press coverage, generally falling in the latter category, have a misuse rate of under 0.01%.

Therefore, there is some evidence that the amount of identity fraud or theft that actually comes from breaches involving the disclosure of personal identity information is quite low. A greater danger comes from internal breaches than external ones.

Hopefully, this will inform a rational debate on the nature of public disclosure for data breaches.

Entry filed under: Aus, data_breach, fraud, identity, NZ, personal_info, security, UK, USA.

2 Comments

  • 1. Eric Norman  |  December 11, 2007 at 5:16 pm

    So, might it be possible that the high-profile press coverage of major breaches actually inhibits misuse?

  • 2. Vikram  |  December 11, 2007 at 7:23 pm

    Hi Eric,
    The fact that major/big data breaches tend to get press coverage while having a lower misuse rate does not necessarily imply a causal relationship between the two. The study itself doesn’t really lay out reasons.
    It may be possible that press coverage inhibits misuse but I’m not convinced that is the case.
    My guess is that the nature of small and large breaches differs and that leads to the difference in misuse rates. Looking at the breaches reported by Privacy Rights Clearinghouse, at the risk of over-simplification, it seems that smaller breaches are more targeted while larger ones are more accidental, e.g. loss of a laptop or backup tapes.



This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.
