Finally, a report that looks much more accurate with regard to how much identity theft costs the VICTIMS of a privacy breach. Most reported victim costs that I have seen in the past seemed much too low considering all the time that victims talked about trying to repair and recover from identity theft, and how many resources it took, the many years it often takes, and so on.
An InformationWeek article, “Identity Theft: Costs More, Tech Less” reports, “the median actual dollar loss for identity theft victims was $31,356.”
That is much higher than the $740 – $5,720 ranges per victim that other researchers have typically cited.
This is based upon research of 470 U.S. Secret Service cases, so the data is not as subjective as most such reports, which often rely upon best guesses and estimates, often from the company that caused the breach and not from the victims themselves or from any other consumer-focused resources.
Here’s a very interesting and revealing passage from the report:
“"Analysis of the methods employed by the offenders showed that Internet and/or other technological devices were used in approximately half of the cases," the report says. “In some cases, the offenders began with a non-technological act, such as mail theft, to obtain the personal identifying information, but then used devices such as digital cameras, computers, scanners, laminators, and cell phones to produce and distribute fraudulent documents. While the use of the Internet as a criminal tool had a presence, it did not appear to be a necessity for most offenders to reach their goals.”
Among the 517 cases analyzed, 102 included the use of the Internet. Nontechnological means of identity theft — mail theft, mail rerouting, and Dumpster diving — occurred in 106 cases.
Another unexpected finding is that in half of the identity theft cases analyzed, the crime began in a business. In 274 cases where a point of compromise could be identified, businesses accounted for 50% (137) of the breaches.
“There are a lot of cases where businesses provide the points of compromise,” said Gordon.
While about two-thirds of the cases did not involve insiders, one third did. “A third of the cases involved identity theft through employment,” said Gordon.
“Those numbers we think are significant.”
Of the 176 cases where the point of vulnerability was the offender’s place of employment, 77 involved the retail industry, more than twice as many as occurred in private companies, banks, or government agencies.”
Something that I, along with many other privacy proponents, have often pointed out about privacy breaches is that:
* Many identity theft cases are not performed via technology. I’ve blogged about this many times, such as here and here.
* Poor controls at the workplace allow malicious employees to take advantage of their coworkers and customers and commit crime and fraud with their PII. I’ve also blogged about this, such as here and here.