ID theft from security breaches
How much identity fraud or theft actually comes from breaches involving the disclosure of personal identity information?
This is an important question because of increased publicity around high-profile breaches. The fiasco in the UK involving 25 million records is an obvious one, but also, according to Privacy Rights Clearinghouse, over the past three years about 217 million known records containing sensitive personal information were involved in security breaches in the US.
A study by ID Analytics looked at over a dozen data breaches involving more than ten million consumer identities. It found five separate cases where breached identity data was misused by fraudsters, with two of those cases resulting from employee theft of data.
Very few identities were misused following a data breach.
Smaller breaches had a higher misuse rate than larger breaches. Misuse of personal data ranged from 1 in 200 identities for breaches of fewer than 5,000 individuals to less than 1 in 10,000 identities for breaches of more than 100,000 individuals. So the data breaches that get major press coverage, which generally fall in the latter category, have a misuse rate of under 0.01%.
Therefore, there is some evidence that the amount of identity fraud or theft that actually results from breaches disclosing personal identity information is quite low. A greater danger comes from internal breaches than from external ones.
Hopefully, this will inform a rational debate on the nature of public disclosure for data breaches.