http://www.signonsandiego.com/news/business/20051208-9999-1b8identity.html

By Bruce V. Bigelow
UNION-TRIBUNE STAFF WRITER
December 8, 2005

A computerized analysis of four data breaches that compromised personal information on some 500,000 people suggests the alarm that often accompanies electronic break-ins may be largely unwarranted.

On the other hand, the study also suggests that publicity can help deter fraudsters from using the stolen data.

The analysis, conducted over the past six months by San Diego's ID Analytics, is believed to be the first to calculate just how much fraud occurred after each security breach.

Such incidents frequently generate worries about identity theft, a crime in which fraudsters use stolen personal data to get credit cards and loans to make purchases under someone else's name.

Previous studies have suggested that up to one in 70 Americans has fallen victim to identity theft, said Fred H. Cate, director of Indiana University's Center for Applied Cybersecurity Research.

In the analysis done by ID Analytics, however, the highest rate of misuse of the four data breaches was calculated at 0.098 percent - or less than one in 1,000 identities. The company provided no specifics on the security breaches it studied.

The low rate was surprising even at ID Analytics, which uses sophisticated computer technology to analyze consumer payments and applications for credit cards, loans and cellular telephone accounts for telltale signs of fraud.

A survey in January by a market research firm, Javelin Strategy and Research, found the total cost of identity theft and credit card fraud to be $52.6 billion a year. Javelin also counted 9.3 million new victims of identity theft. With the U.S. population at 281.4 million, that works out to about 3.3 percent - or more than 30 times the rate calculated by ID Analytics.

One reason ID Analytics' findings may be at odds with other studies on identity theft is that it focused narrowly on breaches that involved four electronic databases, said James Van Dyke, Javelin's founder and president.

"No one should project the results of their good work on the overall problem," Van Dyke said. "Most of the new account identity theft fraud is not due to data breaches."

Van Dyke explained: "You are more likely to become a victim of identity fraud from somebody who knows you personally. The list could include estranged relatives, neighbors, friends or somebody hired to work around the house."

As part of its business, ID Analytics uses its network to analyze some 40 million consumer applications a month, scoring the risk of fraud as part of a service provided to its customers, which include major financial institutions and wireless service providers.

"No breach is good," said Mike Cook, a co-founder and vice president of product at ID Analytics. "But there are different risks associated with different types of breaches."

The company, which plans to release its findings today, conducted its analysis over the past six months - comparing the compromised data from each breach with its proprietary neural network technology. Such technology searches for patterns that could include customer accounts with multiple names and different addresses and telephone numbers.

Cook reviewed the results of ID Analytics' analysis just days after the University of San Diego notified almost 7,800 individuals that hackers gained access to computers containing their personal income-tax data.

In the past year or so, similar breaches have hit more than a dozen organizations, including ChoicePoint, LexisNexis, GMAC Financial Services, Science Applications International Corp. and the University of California Berkeley.

"Breaches are everybody's problem," Cook said. "But the incidence of occurrence is much higher with educational institutions and government agencies."

Among other things, the company found that:

* Deliberate data breaches that target detailed customer information, including names, Social Security numbers, addresses and birth dates pose the highest potential for fraud.

* A big data breach poses a lower risk that any single person will be defrauded. If it takes five minutes to fill out an illicit credit application, it could take even a diligent fraudster more than 50 years to make use of a database holding 1 million consumer identities.

* By the same token, the smaller the data breach, the chances of fraud are higher for each consumer whose personal data were compromised.

* Notifying consumers about a data breach may provide a deterrent effect on fraudsters. But such notifications can be costly, and they often needlessly alarm consumers when the risk of fraud is low.

Avivah Litan, a Gartner research director for payments and fraud, said ID Analytics' findings were important for three reasons.

"What it told me, number one, was that disclosure is a good thing. Publicity stopped the thieves immediately. Number two, it showed that the theft of a credit card is not necessarily going to lead to identity theft. And number three, that you can't really conclude that anything will happen from the theft of a laptop computer."

Cate, of Indiana University, said ID Analytics' study suggests that laws requiring institutions to notify consumers of data breaches may be unnecessary - at least in cases where the costs of notification are high and the risks of fraud are low.

"It turns out that almost all the data are telling us that these breaches aren't that big of a deal," Cate said. "Statistically, you are no more likely to be a victim of identity theft the day after a breach than you were the day before."