By Bruce V. Bigelow
UNION-TRIBUNE STAFF WRITER
December 8, 2005
A computerized analysis of four data breaches that compromised
personal information on some 500,000 people suggests the alarm that
often accompanies electronic break-ins may be largely unwarranted.
On the other hand, the study also suggests that publicity can help
deter fraudsters from using the stolen data.
The analysis, conducted over the past six months by San Diego's ID
Analytics, is believed to be the first to calculate just how much
fraud occurred after each security breach.
Such incidents frequently generate worries about identity theft, a
crime in which fraudsters use stolen personal data to get credit cards
and loans to make purchases under someone else's name.
Previous studies have suggested that up to one in 70 Americans has
fallen victim to identity theft, said Fred H. Cate, director of
Indiana University's Center for Applied Cybersecurity Research.
In the analysis done by ID Analytics, however, the highest rate of
misuse of the four data breaches was calculated at 0.098 percent - or
less than one in 1,000 identities. The company provided no specifics
on the security breaches it studied.
The low rate was surprising even at ID Analytics, which uses
sophisticated computer technology to analyze consumer payments and
applications for credit cards, loans and cellular telephone accounts
for telltale signs of fraud.
A survey in January by a market research firm, Javelin Strategy and
Research, found the total cost of identity theft and credit card fraud
to be $52.6 billion a year. Javelin also counted 9.3 million new
victims of identity theft. With the U.S. population at 281.4 million,
that works out to about 3.3 percent - or more than 30 times the rate
calculated by ID Analytics.
One reason ID Analytics' findings may be at odds with other studies on
identity theft is that it focused narrowly on breaches that involved
four electronic databases, said James Van Dyke, Javelin's founder and
"No one should project the results of their good work on the overall
problem," Van Dyke said. "Most of the new account identity theft fraud
is not due to data breaches."
Van Dyke explained: "You are more likely to become a victim of
identity fraud from somebody who knows you personally. The list could
include estranged relatives, neighbors, friends or somebody hired to
work around the house."
As part of its business, ID Analytics uses its network to analyze some
40 million consumer applications a month, scoring the risk of fraud as
part of a service provided to its customers, which include major
financial institutions and wireless service providers.
"No breach is good," said Mike Cook, a co-founder and vice president
of product at ID Analytics. "But there are different risks associated
with different types of breaches."
The company, which plans to release its findings today, conducted its
analysis over the past six months - comparing the compromised data
from each breach with its proprietary neural network technology. Such
technology searches for patterns that could include customer accounts
with multiple names and different addresses and telephone numbers.
Cook reviewed the results of ID Analytics' analysis just days after
the University of San Diego notified almost 7,800 individuals that
hackers gained access to computers containing their personal
income-tax data. In the past year or so, similar breaches have hit
more than a dozen organizations, including ChoicePoint, LexisNexis,
GMAC Financial Services, Science Applications International Corp. and
the University of California Berkeley.
"Breaches are everybody's problem," Cook said. "But the incidence of
occurrence is much higher with educational institutions and government
Among other things, the company found that:
* Deliberate data breaches that target detailed customer information,
including names, Social Security numbers, addresses and birth dates,
pose the highest potential for fraud.
* A big data breach poses a lower risk that any single person will be
defrauded. If it takes five minutes to fill out an illicit credit
application, it could take even a diligent fraudster more than 50
years to make use of a database holding 1 million consumer
* By the same token, the smaller the data breach, the higher the
chances of fraud for each consumer whose personal data were compromised.
* Notifying consumers about a data breach may provide a deterrent
effect on fraudsters. But such notifications can be costly, and they
often needlessly alarm consumers when the risk of fraud is low.
Avivah Litan, a Gartner research director for payments and fraud, said
ID Analytics' findings were important for three reasons.
"What it told me, number one, was that disclosure is a good thing.
Publicity stopped the thieves immediately. Number two, it showed that
the theft of a credit card is not necessarily going to lead to
identity theft. And number three, that you can't really conclude that
anything will happen from the theft of a laptop computer."
Cate, of Indiana University, said ID Analytics' study suggests that
laws requiring institutions to notify consumers of data breaches may
be unnecessary - at least in cases where the costs of notification are
high and the risks of fraud are low.
"It turns out that almost all the data are telling us that these
breaches aren't that big of a deal," Cate said. "Statistically, you
are no more likely to be a victim of identity theft the day after a
breach than you were the day before."