How data breaches lead to fraud risk
By understanding the type and severity of data breaches, agencies can see where they should focus their efforts to curb identity fraud and prevent further victimization.
Medical identity theft tops a list of five fraud trends that state, local and federal agencies must prioritize protecting against.
Overall, the personally identifiable information (PII) of more than 22 million Americans was exposed in data breaches during the last quarter of 2022, according to “Public Sector Breach Intelligence Dashboard,” a report by TransUnion, a national consumer reporting company, and Sontiq, which TransUnion acquired in 2021. To produce the report, researchers analyzed data since 2020 from Sontiq’s BreachIQ solution, an artificial intelligence algorithm that looks at more than 1,300 data points based on information from publicly reported data breaches, fraud risk patterns and feeds from the Dark Web and online criminal forums.
“It was surprising to me to see that number so high,” said Jeff Huth, senior vice president of TransUnion’s public-sector business. “The other [surprising] thing for me was just the sheer volume and increasing volume of the number of breaches, including the high-risk data breaches,” he said. “High-risk data breaches are the ones that have multiple kinds of personally identifiable information that is exposed, that can indicate where some of the biggest harms come from.”
More than 14 million people were affected by 144 data exposures where PII may be used in medical identity theft, according to the study, released March 2. It recommends that state health officials increase their vigilance because “without the proper safeguards in place to verify identities and authenticate users in every service channel, exposed identities can facilitate access to prescription drugs or fraudulent claims submissions to health insurers.”
The second biggest area of concern is law evasion, according to the report. Almost 6 million consumers’ identities are at increased risk of being used to avoid arrest or incarceration, an increase from 5.2 million in the third quarter of 2022. Alabama, Colorado, Ohio and Oklahoma had the most incidents, the study adds.
Tax fraud came in a close third (4.9 million people affected), followed by fraud related to phone and utilities (3.1 million) and government documents (1.4 million).
“The other one that stood out to me, even though for this quarter, it wasn’t the highest one reported, was document fraud,” Huth said. “We’re not as high as we were back in 2021, [but] they’re still increasing significantly since 2020, and that’s one where people can use identities and they can gain access to government services.”
For each of the five trends, the report explains the potential impact on government agencies, but all of them call for increased protections. A good approach, Huth said, is zero trust. “It’s really [about] strengthening their identity verification, looking at multichannel ways of where the attacks can come from and looking at not just can this individual accurately report the kind of information that they have, but also, where’s the attack coming from, what’s a digital footprint that it’s coming from,” he said.
He also said that the pandemic anti-fraud proposal that the Biden administration issued last week will help public-sector organizations. The plan calls for $1.6 million in funding to achieve three goals: supporting law enforcement agencies in pursuing fraudsters, investing in fraud and identity theft protection, and helping victims.
“Pandemic fraud … highlighted for us the need for these kinds of things going forward,” Huth said. The Labor Department’s Office of Inspector General estimates that $163 billion in unemployment benefits alone could be improper.
Agencies need to know “what are the types of information that get exposed that could then be weaponized against public-sector agencies,” he said.
They also need to act to combat the risks as soon as possible, he added. “The trends are not declining across any category,” Huth said. That “represents not only a persistent threat, but a growing threat.”
That urgency applies to all levels of government; none is at less risk than another. He pointed to the 2015 cyber hack of the IRS, which exposed PII from more than 700,000 taxpayer accounts. IRS increased its cybersecurity, so fraudsters shifted their focus to the states. Overall, the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center, which works with IRS, states and industry on fraud reports, saw an increase from 2 million reports in 2021 to more than 8 million in 2022.
Huth said that this was the first time TransUnion tackled a report like this, but the company plans to publish them more regularly, with the goal of helping public-sector organizations understand the risks that breaches pose.
“If we don’t really know where we might be exposed or where the risk might be coming from, we don’t really know how to prepare for it,” Huth said. “This [report] is helping those agencies get a sense of the type and severity of data breaches, so they know where they should focus their efforts to curb fraud and prevent further victimization.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.