The Price of Fraud
By Chris Metinko
NEW YORK (MainStreet)--A singular data security breach could result in more than 120,000 cases of fraud -- with each incident costing more than $3,000, according to new analysis by Javelin Strategy and Research.
In the spring of 2012, Utah's Department of Health had its test server with government health care participants' data breached by Eastern European hackers. The attack led 280,000 Social Security numbers to be compromised and 500,000 other participants to have slightly less sensitive personal information stolen.
The analysis said this one breach will lead to an estimated 122,000 fraud cases, with each incident resulting in $3,327.87 of loss. It also is estimated to cost each Utahan whose information is illegally used $770.49 and 20 hours to resolve their case.
"Data breaches are becoming more of a contributor of fraud ever year," said Al Pascual, a security, risk and fraud analyst at Javelin. "In 2010, there was a one in nine chance that if a consumer received a data breach notification that they would also be a victim of fraud -- that correlation jumped to one in four as of 2012."
Pascual said theft of personal data is now a digital endeavor -- with hackers now being better at identifying targets and mining data.
"Criminals no longer root through the trash or steal mail to collect personally identifiable information," Pascual said. "Fraudsters know where to go to get it."
The Utah case, however, also provides important data storage lessons, according to Javelin. First, all data must be managed "from cradle to grave," meaning that from the time a server is brought online to when it is decommissioned, all steps must be followed in securing the server and its data. Lastly, all data should be encrypted. While this costs money, the research points out Utah officials will spend between $2 million to $10 million to clean up the 2012 breach.
Pascual offers this advice to people concerned with fraud or those who think their personal information may have been compromised:
- For less sensitive information such as login credentials, including passwords, consumers should take an inventory of where they may have used the same credentials elsewhere. Consumers should immediately change their login credentials for any sites where the same or similar information has been used, especially sites where financial data is stored. "Hackers have programs that can bounce variations of those credentials off of hundreds of financial institutions' sites at a time," Pascual said.
- In the case of financial account information, consumers should be taking advantage of account alerts that can be delivered to their e-mail or mobile device. At the very least, a fraud alert should be placed on credit reports to decrease the chance a new credit product can be obtained with the stolen information.
- When the most sensitive of information such as a Social Security number is lost, consumers need to do everything possible -- and quickly. If any identity protection is offered to them as a result of the breach, consumers should certainly take advantage. Pascual compares Social Security numbers to Twinkies, in the sense they have an indefinite shelf life and are nearly impossible to replace.
- Finally, consumers should contact their financial institution, as nearly half of account takeover victims had their Social Security number compromised, and many institutions still allow consumers to be authenticated with Social Security numbers.
"Account takeovers are the most expensive type of identity fraud," Pascual said. "It is important to know if their financial institution allows the use of the Social Security number to access their account, and if their financial institution can offer an alternative means of authentication to protect their account."