A significant finding from the research is that different breaches pose different degrees of risk. In the research, ID Analytics distinguishes between "identity-level" breaches, where names and Social Security numbers were stolen and "account-level" breaches, where only account numbers-- sometimes associated with names -- were stolen. ID Analytics also discovered that the degree of risk varies based on the nature of the data breach, for example, whether the breach was the result of a deliberate hacking into a database or a seemingly unintentional loss of data, such as tapes or disks being lost in transit.
The research makes it clear that identity-level breaches pose the greatest potential for harm to businesses and consumers due to fraudsters' sophisticated methods for profiting from identity information, as compared to account-level breaches. Even so, the calculated fraudulent misuse rate for consumer victims of the analyzed breach with the highest rate of misuse was 0.098 percent -- less than one in 1,000 identities.
ID Analytics' fraud experts believe the reason for the minimal use of stolen identities is based on the amount of time it takes to actually perpetrate identity theft against a consumer. As an example, it takes approximately five minutes to fill out a credit application. At this rate, it would take a fraudster working full-time -- averaging 6.5 hours day, five days a week, 50 weeks a year -- over 50 years to fully utilize a breached file consisting of one million consumer identities. If the criminal outsourced the work at a rate of $10 an hour in an effort to use a breached file of the same size in one year, it would cost that criminal about $830,000.
Another key finding indicates that in certain targeted data breaches, notices may have a deterrent effect. In one large-scale identity-level breach, thieves slowed their use of the data to commit identity theft after public notification. The research also showed how the criminals who stole the data in the breaches used identity data manipulation, or "tumbling" to avoid detection and to prolong the scam.
"Consumers need to know the level of risk that is posed if they are part of a data breach. While any data breach is cause for concern, consumers that have been impacted need guidance as to the degree of risk involved," said Linda Foley, executive director of the Identity Theft Resource Center. "It's not helpful for consumers to receive a generic letter in the mail telling them that they may or may not be at risk. We need to help victims of breaches understand when they need to be more vigilant and prevent them from being unnecessarily alarmed."
Research Methodology
This analysis was based on data breaches at four separate companies, covering approximately half a million identities. ID Analytics conducted the analysis over the past six months by analyzing this data against applications in its ID Network, which comprises more than 3 billion identity elements contributed by its members. ID Network Members include the largest US industry leaders from across the credit card, wireless telecommunications, and instant lending industries. ID Analytics Graph Theoretic Anomaly Detection (GTAD) technology was applied throughout this study to detect behavioral fraud patterns. ID Analytics' expert fraud analysts further qualified that selected cases of identity misuse were likely the result of specific fraud activity.
