GAO: Data Breaches Frequent, Effects Unknown

By Martin H. Bosworth
ConsumerAffairs.com

July 5, 2007

Data Theft

• 68,000 CalOptima Members at Risk in Data Breach
• Express Scripts Extortion Scheme Widens
• Technology Could Be Key To Stopping Unauthorized Charges
• T-Mobile: No Hacking in Data Breach
• T-Mobile Confirms Data Breach
• Consumers Increasingly Concerned About Online Transactions
• Are Identity Theft Services Worth the Cost?
• Online Tools Help Spot Financial Fraud
• Financial Fraud Hits 7.5 Percent Of Americans In 2008
• Feds Charge Mortgage Broker In Potential Data Breach
• Millions of Credit Cards Exposed in Data Breach
• 2008 Data Breach Total Soars
• Bank Data Breach Threatens 248,000 in North Carolina
• GPS Not Foolproof
• Countrywide Warns Millions of Data Breach
• Thieves Steal AT&T Laptop with Employee Data
• Report: Data Breach Disclosure Laws Don't Affect Identity Theft
• Patient Information Exposed in Data Breach at Walter Reed
• Supermarket Chain Reports Data Breach
• Report: Feds Still Not Doing Enough To Secure Data
• Data Thieves Hit Georgetown University Students, Faculty
• 800,000 Job Seekers At Risk In Gap Data Breach
• TJX Data Breach Settlement Has Strings Attached
• More ...

Although breaches of data happen with alarming frequency across government and private institutions, the actual evidence of identity theft resulting from these breaches seems to be limited and hard to measure, according to a new report from the Government Accountability Office (GAO).

"Determining the link between data breaches and identity theft is challenging, primarily because identity theft victims often do not know how their personal information was obtained, and it may be up to a year or more before stolen data are used to commit a crime," the agency wrote.

"Some studies by private researchers have found little linkage between data breaches and identity theft, although our review found these studies had methodological limitations."

The GAO report supports implementing a "risk-based" standard for determining whether or not to notify affected parties in case of a breach, a position supported by the financial industry and the President's Identity Theft Task Force.

Critics have charged that letting businesses and government agencies set their own "floor" for notification would keep the public ignorant of data breaches that might affect them.

Among the GAO's findings:

• Law enforcement agencies found that identity theft that resulted from data breaches largely consisted of fraud on existing accounts rather than using stolen personal information to create new accounts. However, it was difficult to ascertain exact statistics due to the inability to directly track and link the effects of data breaches to cases of identity theft.

• 18 of the 24 largest breaches reported between 2000 and 2005 had no demonstrable incidents of identity theft as a result, but investigators again acknowledged difficulties in establishing a causal link due to lack of a clear trail between the incident and reported cases.

• Data breaches that did result in clear cases of identity theft and fraud included the 2005 sale of ChoicePoint records to Nigerian criminals, the March 2005 breach of security at the DSW shoe store chain, and the breach of millions of credit and debit card records held by payment processor CardSystems in June 2005.

• Much of the information that law enforcement agencies receive on identity theft, such as through the FTC's Identity Theft Clearinghouse and the Internet Crime Complaint Center (ICCC) is limited to self-reported complaints that can't be used to create accurate statistical pictures of the link between data breaches and identity theft.

Typical cases of identity theft, such as using existing credit or debit accounts to run up new charges, can be easily remedied thanks to federal laws that limit liability for credit card purchases, and banks' own "zero liability" policies for debit cards. But sophisticated hackers and cybercriminals have raised the stakes by selling personal data in the underground economy, and combining stolen card numbers with names, addresses, and Social Security numbers to create "synthetic identities."

These identities can be used to open new accounts and commit fraud of all kinds, and their seeming legitimacy means that the records will be attached to people's existing credit files -- and the victims won't know their information is being misused until they start receiving bills for charges they never made.

The difficulty of verifying synthetic identities versus real ones may account for the lack of accurate data linking breaches to fraud.

Criminals will also take card numbers and encode them on blank cards, such as stolen hotel key cards, and use them for multiple small purchases that do not trigger fraud detection at banks and retailers.

The massive breach of data at the TJX retail store chain was connected to cases of fraud at Wal-Mart stores in Florida.

The criminals used the stolen TJX data to create "clone" credit and debit cards, which they in turn used to purchase gift cards from Wal-Mart, which were then used to purchase high-end consumer electronics and other goods.

The inability to easily track clone cards, combined with the massive amounts of data available for sale on the black market, makes it difficult to establish any perfect trail leading from a data breach to a case of identity theft.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

FREE CONSUMER NEWSLETTERS
The Daily Consumer Afternoons M-F Sign up now!	Consumer News & Alerts Every Sunday Sign up now!

CONSUMER NEWS

SAFETY RECALLS

MOST-VIEWED PAGES

NEW COMPLAINTS

Garden Ridge
Green Home Energy Solutions, Allentown, PA
Ray of Hope Counseling
Sensa Weight Loss
Pure Fitness, Phoenix
Wizz Air
Spark Energy Gas and Electricity
Alibris Books
Aquatraders.com
911TacticalDirect.com
New Comfort Auto Sales, ;Dade City, FL
Route 60 Hyundai, Vero Beach, FL
Arizona Fleet Service Phoenix, AZ
Quick Response Towing, Baltimore
Coral Springs Nissan, Coral Springs, FL

Back to the top |

Custom Search

AUTOMOTIVE
• Dealers
• Manufacturers
• Service
• Extended Warranties
• Lemon Laws
• Recalls
• Tires
• Transporters

FAMILY
• Aging
• Children, Parenting
• Recalls
• Dating
• Education
• Entertainment
• Pets
• Weddings

FINANCE
• Annuities
• Banks
• Credit Cards
• Debt Collection
• Debt Counseling
• Insurance
• Investing
• Loans
• Mortgages
• Payday Loans
• Student Loans
• Tax Prep

HEALTH
• Doctors
• Drugs, Pharmacies
• Health Clubs
• Hearing Care
• Hospitals
• Nursing Homes
• Nutrition, Diets
• Vision Care
• Weight Loss

HOUSE & HOME
• Appliances
• Cookware
• Furniture
• Home Improvements
• Lawn & Garden
• Movers
• Pools & Spas
• Realtors, Rental Agents
• Recalls
• Utilities

ELECTRONICS
• Cable TV/DBS
• Cameras
• Cell Phones
• Computers
• Home Electronics
• Internet Access
• Local Phone Service
• Long Distance
• VoIP

SHOPPING
• In-Home
• Online
• Retail Stores
• Sporting Goods
• Supermarkets
• Telemarketers

TRAVEL
• Airlines
• Bus Lines
• Car Rental
• Cruises
• Hotels
• Travel Agents
• Trains

RESOURCES
• Class Actions
• Complaint Form
• Small Claims Guide
• Lemon Laws

CONSUMER NEWS
• Latest News
• Automotive
• Telecom
• Financial
• Health
• Homeowners
• Scams
• Seniors
• Travel
• More ...

RECALLS
• Automotive
• Children's Products
• Drugs
• Food
• Household Products
• Sporting Goods

ABOUT US
• FAQ
• Privacy Policy
• Advertise With Us
• Newsroom
• Syndication
• Terms of Use

Terms of Use Your use of this site constitutes acceptance of the Terms of Use

Advertisements on this site are placed and controlled by outside advertising networks. ConsumerAffairs.com does not evaluate or endorse the products and services advertised. See the FAQ for more information.

Company Response Welcome If complaints about your company appear on our site, we welcome your response. Please see the Response Form for more information.

For more information, see the FAQ and privacy policy. The information on this Web site is general in nature and is not intended as a substitute for competent legal advice. ConsumerAffairs.com Inc. makes no representation as to the accuracy of the information herein provided and assumes no liability for any damages or loss arising from the use thereof.