One quarter of data breach victims suffer identity theft

Of the 16 million people affected by data breaches in 2012, more than a quarter of those went on to suffer from identity theft, according to new research by security firm Javelin.

Those who lost payment card and Social Security number data were the worst-hit, and suffered the highest rates of fraud in the retail, financial and healthcare sectors.

In America, 4.4 million people were notified that their payment card information had been compromised in a data breach, and subsequently suffered fraud on their existing credit or debit cards. In addition, 1.26 million Americans were notified that their Social Security numbers (SSN) were compromised in a data breach and became victims of identity fraud.

Recent massive data breaches like the one at Adobe, in which as many as 3 million encrypted credit card details maybe have been compromised, have highlighted just how much data can be stolen in one go.

As many as 270,000 Americans who were notified that their online banking credentials had been compromised in a data breach last year also went on to suffer fraud on their financial accounts.

A further 324,000 subsequently became victims of fraud against their checking, savings or current accounts.

"By breaching the data stores of businesses in the financial, healthcare and retail industries, criminals can obtain the fuel they need to execute various fraud schemes, and these crimes have crippling consequences," said Al Pascual, senior analyst of security, risk and fraud at Javelin Strategy and Research.

Indeed, increasing moves towards digitisation of patient records in healthcare, and the rise of online banking, has led to a greater number of opportunities for identity thieves than ever before.

"Identifying and protecting the sensitive information typically stored by these industries is essential for mitigating the risk of a data breach and, therefore, the risk of financial loss to data custodians, consumers and third-party businesses," Pascual said.

Javelin recommended the following steps to ameliorate the troubling level of identity theft arising from data breaches:

  • Locate and identify sensitive data. This includes consumer bank account information, payment card data, SSNs and other types of personally identifiable information, as well as trade secrets.
  • Classify sensitive data accordingly. Categorise the information using a naming convention appropriate to the organization. This step can ease efforts to control the access, routing and storage of different types of data.
  • Secure data based on risk profile. Deploy security measures appropriate to the risks associated with the loss of these types of data.
  • Develop policies to mitigate future data management issues. Implement and enforce policies designed to prevent unprotected data from being stored outside of approved locations.

For now, the plague of identity theft continues, and as long as organisations make themselves such easy and lucrative targets, we can assume the amount of data breaches is only going to rise.

Image: Flickr (Paddy Buisson)