ID Analytics' First-Ever National Data Breach Analysis Shows the Rate of Misuse of Breached Identities May be Lower than Anticipated
Evidence Suggests that the Smaller the Data Breach, the Higher a Consumer's Risk
SAN DIEGO, CA, December 8, 2005—ID Analytics, Inc., the Identity Risk Management company, today announced findings from its detailed analysis of four data breaches involving approximately half a million consumer identities. As of now, the results reveal that few of the breached identities from the analysis appear to be misused for criminal financial gain.
A significant finding from the research is that different breaches pose different degrees of risk. In the research, ID Analytics distinguishes between “identity-level” breaches, where names and Social Security numbers were stolen and “account-level” breaches, where only account numbers—sometimes associated with names—were stolen. ID Analytics also discovered that the degree of risk varies based on the nature of the data breach, for example, whether the breach was the result of a deliberate hacking into a database or a seemingly unintentional loss of data, such as tapes or disks being lost in transit.
“The risk to consumers and businesses varies considerably based on the type and scope of the data breach, which is why we think assessing the degree of risk for a given breach is critical to determining the best next steps,” said Mike Cook, ID Analytics’ co-founder and vice president of product. “The good news is not only that we have technology that can measure the risk of a breach, but that we can actually distinguish which sets of breached data are actively being used to commit fraud.”
ID Analytics’ research makes it clear that identity-level breaches pose the greatest potential for harm to businesses and consumers due to fraudsters’ sophisticated methods for profiting from identity information, as compared to account-level breaches. Even so, the calculated fraudulent misuse rate for consumer victims of the analyzed breach with the highest rate of misuse was 0.098 percent—less than one in 1,000 identities.
“We feel strongly that this research provides meaningful evidence both for companies working to mitigate the risks that stem from data breaches as well as for elected officials working toward a legislative solution,” said Bruce Hansen, chairman and CEO of ID Analytics. “What’s more, we think this information can help consumers assess their relative risk if they have been a victim of a data breach.”
ID Analytics’ fraud experts believe the reason for the minimal use of stolen identities is based on the amount of time it takes to actually perpetrate identity theft against a consumer. As an example, it takes approximately five minutes to fill out a credit application. At this rate, it would take a fraudster working full-time - averaging 6.5 hours day, five days a week, 50 weeks a year - over 50 years to fully utilize a breached file consisting of one million consumer identities. If the criminal outsourced the work at a rate of $10 an hour in an effort to use a breached file of the same size in one year, it would cost that criminal about $830,000.
Another key finding indicates that in certain targeted data breaches, notices may have a deterrent effect. In one large-scale identity-level breach, thieves slowed their use of the data to commit identity theft after public notification. The research also showed how the criminals who stole the data in the breaches used identity data manipulation, or "tumbling" to avoid detection and to prolong the scam.
“Consumers need to know the level of risk that is posed if they are part of a data breach. While any data breach is cause for concern, consumers that have been impacted need guidance as to the degree of risk involved,” said Linda Foley, executive director of the Identity Theft Resource Center. “It’s not helpful for consumers to receive a generic letter in the mail telling them that they may or may not be at risk. We need to help victims of breaches understand when they need to be more vigilant and prevent them from being unnecessarily alarmed.”
This analysis was based on data breaches at four separate companies, covering approximately half a million identities. ID Analytics conducted the analysis over the past six months by analyzing this data against applications in its ID Network®, which comprises more than 3 billion identity elements contributed by its members. ID Network Members include the largest US industry leaders from across the credit card, wireless telecommunications, and instant lending industries. ID Analytics Graph Theoretic Anomaly Detection (GTAD™) technology was applied throughout this study to detect behavioral fraud patterns. ID Analytics' expert fraud analysts further qualified that selected cases of identity misuse were likely the result of specific fraud activity.
About ID Analytics, Inc.
ID Analytics is the Identity Risk Management company providing advanced analytic solutions that prevent identity fraud and manage identity risk across the customer lifecycle. ID Analytics' intelligent ID Network, the first and only real time national network built exclusively to manage identity risk, makes it possible for organizations to calculate the risk associated with an identity and balance identity risk against profit. The ID Network is in use daily by over half the credit and retail card issuer market in the US, as well as leading wireless and online consumer finance companies. To empower consumers and to help more organizations in more industries to fight identity fraud, ID Analytics has channel partners in the bankcard, credit reporting and retail banking industries.
ID Analytics is a registered trademark of ID Analytics, Inc. All other trademarks and registered trademarks are the property of their respective holders.