CONSUMER NEWS RECALLS COMPLAINT FORM SCAM ALERTS

Small Claims Guide \| Class Actions \| Lemon Law \| FAQ \| Resources \| Newsletters \| Spanish
Automotive Education Electronics Family Finance Health Homeowners Shopping Travel

GAO: Data Breaches Frequent, Effects Unknown

By Martin H. Bosworth
ConsumerAffairs.com

July 5, 2007

Data Theft
• Supermarket Chain Reports Data Breach
• Report: Feds Still Not Doing Enough To Secure Data
• Data Thieves Hit Georgetown University Students, Faculty
• 800,000 Job Seekers At Risk In Gap Data Breach
• TJX Data Breach Settlement Has Strings Attached
• More ...

Although breaches of data happen with alarming frequency across government and private institutions, the actual evidence of identity theft resulting from these breaches seems to be limited and hard to measure, according to a new report from the Government Accountability Office (GAO).

"Determining the link between data breaches and identity theft is challenging, primarily because identity theft victims often do not know how their personal information was obtained, and it may be up to a year or more before stolen data are used to commit a crime," the agency wrote.

"Some studies by private researchers have found little linkage between data breaches and identity theft, although our review found these studies had methodological limitations."

The GAO report supports implementing a "risk-based" standard for determining whether or not to notify affected parties in case of a breach, a position supported by the financial industry and the President's Identity Theft Task Force.

Critics have charged that letting businesses and government agencies set their own "floor" for notification would keep the public ignorant of data breaches that might affect them.

Among the GAO's findings:

• Law enforcement agencies found that identity theft that resulted from data breaches largely consisted of fraud on existing accounts rather than using stolen personal information to create new accounts. However, it was difficult to ascertain exact statistics due to the inability to directly track and link the effects of data breaches to cases of identity theft.

• 18 of the 24 largest breaches reported between 2000 and 2005 had no demonstrable incidents of identity theft as a result, but investigators again acknowledged difficulties in establishing a causal link due to lack of a clear trail between the incident and reported cases.

• Data breaches that did result in clear cases of identity theft and fraud included the 2005 sale of ChoicePoint records to Nigerian criminals, the March 2005 breach of security at the DSW shoe store chain, and the breach of millions of credit and debit card records held by payment processor CardSystems in June 2005.

• Much of the information that law enforcement agencies receive on identity theft, such as through the FTC's Identity Theft Clearinghouse and the Internet Crime Complaint Center (ICCC) is limited to self-reported complaints that can't be used to create accurate statistical pictures of the link between data breaches and identity theft.

Typical cases of identity theft, such as using existing credit or debit accounts to run up new charges, can be easily remedied thanks to federal laws that limit liability for credit card purchases, and banks' own "zero liability" policies for debit cards. But sophisticated hackers and cybercriminals have raised the stakes by selling personal data in the underground economy, and combining stolen card numbers with names, addresses, and Social Security numbers to create "synthetic identities."

These identities can be used to open new accounts and commit fraud of all kinds, and their seeming legitimacy means that the records will be attached to people's existing credit files -- and the victims won't know their information is being misused until they start receiving bills for charges they never made.

The difficulty of verifying synthetic identities versus real ones may account for the lack of accurate data linking breaches to fraud.

Criminals will also take card numbers and encode them on blank cards, such as stolen hotel key cards, and use them for multiple small purchases that do not trigger fraud detection at banks and retailers.

The massive breach of data at the TJX retail store chain was connected to cases of fraud at Wal-Mart stores in Florida.

The criminals used the stolen TJX data to create "clone" credit and debit cards, which they in turn used to purchase gift cards from Wal-Mart, which were then used to purchase high-end consumer electronics and other goods.

The inability to easily track clone cards, combined with the massive amounts of data available for sale on the black market, makes it difficult to establish any perfect trail leading from a data breach to a case of identity theft.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

May 17 2008

READER SERVICES

Print, Email & More

Free consumer newsletters
Sign up now!

Back to the top |

Terms of Use Your use of this site constitutes acceptance of the Terms of Use

Advertisements on this site are placed and controlled by outside advertising networks. ConsumerAffairs.com does not evaluate or endorse the products and services advertised. See the FAQ for more information.

Company Response Welcome If complaints about your company appear on our site, we welcome your response. Please see the Response Form for more information.

For more information, see the FAQ and privacy policy. The information on this Web site is general in nature and is not intended as a substitute for competent legal advice. ConsumerAffairs.com Inc. makes no representation as to the accuracy of the information herein provided and assumes no liability for any damages or loss arising from the use thereof.