Not all Data Breaches are Created Equal
If you have not yet tripped across the phrase “data breach,” then you must have been holed up on some island or hibernating in a cave for the past few years. Data breaches have become everyday news and many times the news is sensational. According to the Identity Theft Resource Center, there have been more than 4,200 data breaches reported since 2005, resulting in nearly 600 million consumer records being exposed. Since December 6, 2013 there have already been more than 50 data breaches reported in the United States, amounting to approximately 1.5 data breaches per day. Of course, there are even more than that, as many are not reported.
The most recent breaches at the nation’s largest retailers certainly are vivid in everyone’s mind with hundreds of millions of cards potentially affected. Surprisingly, there have been even larger breaches, such as at Heartland Payment Systems where 130 million cardholders were potentially compromised or at Adobe in October of 2013 when 130 million usernames and passwords were compromised.
The truth is that data breaches are happening every day and, unfortunately, they are inevitable. Sometimes data is inadvertently disclosed and, more often, it is due to a malicious or criminal attack. According to Ponemon’s 2013 Cost of Data Breach Study, 37 percent of incidents involved a malicious or criminal attack, 35 percent involved human error and 29 percent involved a system glitch. When we look at the criminal side, it is clear that we are and will continue to be under attack, whether it is the Syrian Electronic Army (who recently reported that they hacked Skype) or the four Russians and one Ukrainian who were charged with stealing 160 million credit and debit cards (reported in July 2013).
These incidents should not come as a big surprise. There is more data out there than ever before and there are sophisticated, intelligent criminals that spend their days and nights finding ways to compromise systems, identities, cards and other information that can be converted to cash. When data breaches do occur, I often receive calls from friends and colleagues asking what they should do. Should they get a credit monitoring service? Should they call their credit card companies? Should they close their accounts? My typical answer is – “it depends.”
When a data breach occurs, there is no “silver bullet” remedy. However, you would not know it from reading news stories. The typical response to a data breach is the same – to offer consumers a free credit monitoring service such as LifeLock, Equifax, Experian, TransUnion or one from your bank. While these services can help you monitor your credit report, they are not an end-all-be-all and most times do nothing to offset the breach of your information. The key question that needs to be asked is “what personal information was stolen?” While it seems obvious that different information can yield different consequences, the press is only interested in the news – the more sensational, the better.
The impact of a data breach on consumers is dependent on what data was stolen. The requirement to notify is at the state level, with all states and the District of Columbia having data breach notification requirements. While all states have different language, when it comes to the definition of what constitutes personal information, the language is similar: an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
- A social security number; or
- A state issued driver’s license or identification card.
Account or Card Numbers
Many of the largest breaches that have occurred over the past few years have been credit or debit card information, including the name, account number, expiration date and security code. Typically, this information is then used to create counterfeit cards or make “card-not-present” purchases. When this happens, the consumer contacts their credit card company to report the fraudulent activity. In the most recent Global Fraud Report from ACI Worldwide and Aite, 25 percent of consumers indicated that they had been victimized by credit, debit or pre-paid card fraud in the past five years. When this happens, the card is typically cancelled and the card is re-issued. The brunt of the damage is on the issuer, who eats the cost of the fraudulent transaction(s) and has to pay for the cost of re-issuing the card.
For the consumer, this is definitely an inconvenience, but usually the inconvenience ends once the card is cancelled. Because the criminal only has the card information, they are not able to continue to victimize the identity. However, if account passwords are compromised, this can be much more damaging, especially when it is a checking or savings account. In these cases, if the criminal gains access to the victim’s account, they have the ability to drain the account quickly. Unlike credit-based accounts, with bank accounts the victim’s money is gone. Although it will be returned once the transactions are determined to be fraudulent, the consumer will not have access to their funds in the meantime.
While this is more impactful, by itself it will not lead to further victimization of the identity. As such, credit-monitoring services are of limited value. Obviously, if the company that has the breach is going to offer you free credit monitoring, then why not take the free insurance?
Social Security Numbers
Stolen SSNs can lead to much more than just inconvenience. With a name, social security number and date of birth, a criminal can wreak havoc on the victim for years. With this information in hand, a criminal can open multiple new accounts in the victim’s name without the victim even knowing it. When the accounts go unpaid and they start being reported to the credit bureaus, the victim is then put into the position of having to try to salvage their good name and credit rating.
Even if a consumer is successfully able to have fraudulent accounts removed from their credit file, these accounts many times make their way back to the report months and years later, due to how the reporting institution reports to the bureaus. These are the worst of the worst and can take weeks, months and years to correct.
According to Risk Based Security, Inc., only 14 percent of reported data breaches involved a social security number. Because of the nature of identity theft, if a consumer believes their information has been compromised, it is highly recommended that consumers contact the three major credit bureaus to get a free credit report and investigate whether putting a “freeze” on credit bureau reports might make sense to stymie further attempts by criminals to open new accounts.
Of course, a great deal of responsibility falls upon the card-issuing entities, including banks, retailers and credit card companies, to ensure data security. Nevertheless, consumers must also be diligent in staying one step ahead of fraudsters who are well versed in the “tricks of the trade.”