
Consumer Affairs

GAO: Data Breaches Frequent, Effects Unknown


By Martin H. Bosworth
ConsumerAffairs.com

July 5, 2007

Although breaches of data happen with alarming frequency across government and private institutions, the actual evidence of identity theft resulting from these breaches seems to be limited and hard to measure, according to a new report from the Government Accountability Office (GAO).

"Determining the link between data breaches and identity theft is challenging, primarily because identity theft victims often do not know how their personal information was obtained, and it may be up to a year or more before stolen data are used to commit a crime," the agency wrote.

"Some studies by private researchers have found little linkage between data breaches and identity theft, although our review found these studies had methodological limitations."

The GAO report supports implementing a "risk-based" standard for determining whether or not to notify affected parties in case of a breach, a position supported by the financial industry and the President's Identity Theft Task Force.

Critics have charged that letting businesses and government agencies set their own "floor" for notification would keep the public ignorant of data breaches that might affect them.

Among the GAO's findings:

• Law enforcement agencies found that identity theft that resulted from data breaches largely consisted of fraud on existing accounts rather than using stolen personal information to create new accounts. However, it was difficult to ascertain exact statistics due to the inability to directly track and link the effects of data breaches to cases of identity theft.

• 18 of the 24 largest breaches reported between 2000 and 2005 had no demonstrable incidents of identity theft as a result, but investigators again acknowledged difficulties in establishing a causal link due to lack of a clear trail between the incident and reported cases.

• Data breaches that did result in clear cases of identity theft and fraud included the 2005 sale of ChoicePoint records to Nigerian criminals, the March 2005 breach of security at the DSW shoe store chain, and the breach of millions of credit and debit card records held by payment processor CardSystems in June 2005.

• Much of the information that law enforcement agencies receive on identity theft, such as through the FTC's Identity Theft Clearinghouse and the Internet Crime Complaint Center (ICCC), is limited to self-reported complaints that can't be used to create accurate statistical pictures of the link between data breaches and identity theft.

Typical cases of identity theft, such as using existing credit or debit accounts to run up new charges, can be easily remedied thanks to federal laws that limit liability for credit card purchases, and banks' own "zero liability" policies for debit cards. But sophisticated hackers and cybercriminals have raised the stakes by selling personal data in the underground economy, and combining stolen card numbers with names, addresses, and Social Security numbers to create "synthetic identities."

These identities can be used to open new accounts and commit fraud of all kinds, and their seeming legitimacy means that the records will be attached to people's existing credit files -- and the victims won't know their information is being misused until they start receiving bills for charges they never made.

The difficulty of verifying synthetic identities versus real ones may account for the lack of accurate data linking breaches to fraud.

Criminals will also take card numbers and encode them on blank cards, such as stolen hotel key cards, and use them for multiple small purchases that do not trigger fraud detection at banks and retailers.

The massive breach of data at the TJX retail store chain was connected to cases of fraud at Wal-Mart stores in Florida.

The criminals used the stolen TJX data to create "clone" credit and debit cards, which they in turn used to purchase gift cards from Wal-Mart, which were then used to purchase high-end consumer electronics and other goods.

The inability to easily track clone cards, combined with the massive amounts of data available for sale on the black market, makes it difficult to establish any perfect trail leading from a data breach to a case of identity theft.
