COMMENTARY | CYBEREYE
Identity crisis: The threat of bulk thefts
Small thefts are reported most often, but identities online are still at risk
- By William Jackson
- Nov 19, 2009
According to a recent report on identity theft from the Travelers Companies, identity theft was up 22 percent last year and expected to jump again this year. This comes as no surprise to anyone who has been listening to the steady drumbeat of reports on data breaches in the news. But the Travelers report also notes that “despite recent headlines and growing fears about online security and data breaches, old-fashioned theft is the most popular way thieves steal identities.”
Based on 2008 claims data, 78 percent of reported cases resulted from the thefts of wallets, purses, personal documents or computers. Only 14 percent were the result of online data breaches.
However, those figures represent only cases reported by the victim and in which fraud occurred. In terms of the sheer bulk of data available online to be exploited, corporate and government servers and computers remain the most attractive targets for identity thieves.
According to the Identity Theft Resource Center, as of Nov. 10, there were 426 data breaches reported this year, exposing a staggering 220,427,887 personal records.
Of course, those exposures do not each represent a case of identity theft or fraud. But the potential for exploiting such bulk theft is huge.
The breaches run the gamut from lost laptop PCs and hard drives to systematic intrusions for the purpose of stealing data. Many breaches exposed only a handful of records, but some exposed hundreds of thousands, and a few whoppers involved tens of millions or hundreds of millions.
The second-largest incident of the year occurred when the National Archives and Records Administration returned a defective hard drive to the vendor, part of a database array containing records on 76 million veterans, without first scrubbing the drive to destroy the data. Assuming that the vendor receiving the drive handled it in a responsible and professional manner, it is possible that no one exploited those records. But who can say for sure?
But the year’s largest breach, involving the Heartland Payment Systems, is frightening for two reasons. The first is the sheer number of records involved, perhaps as many as 130 million. The second is that they were intentionally stolen over a four-month period by someone who had compromised the card processor’s system. This incident was clearly the work of bad guys, stealing data so they could use it. There is no way to say with any certainty how many accounts have been or could be exploited by this breach, and some victims might never know for sure if they have been ripped off. But the potential is staggering.
It is no joke to lose your wallet or purse and have someone empty an account or start charging purchases on your card. But an entire underground economy had sprouted around harvesting of personal data, either in bulk or one record at a time through networks of compromised computers. The data is bought, sold and traded in wholesale and retail lots, and theft and fraud resulting from this might not become evident for years.
By all means, keep your hand on your wallet or purse, but don’t forget that adequate cybersecurity is essential to stem the leakage of personal data from our information technology systems.
William Jackson is freelance writer and the author of the CyberEye blog.