Has anyone besides me noticed that when data breaches are reported, we see an official statement that the information hasn’t been used by identity thieves?
After thinking on that one for awhile, it makes sense that criminals would stop using the information from a data breach after it has been reported.
So far as information used before the breach is discovered, it’s pretty hard to prove where the information came from in an identity theft case. With so much compromised information out there, it’s nearly impossible to figure out where the point-of-compromise is in any individual case.
When a data breach occurs, a lot of accounts are closed down and everyone who has been compromised runs out and checks their credit reports. Most of the time, free identity theft monitoring is made available to those who have been breached, also.
My guess is that once the stolen information is made public, it’s probably dangerous to use. At the very least, it probably doesn’t hold the same profit value that it had when no one knew it had been stolen.
For the past week, the news has been awash with the year end statistics on data breaches. By all the recent news accounts, 2007 was a record year.
While reporting data breaches is painful and costly, reporting them probably makes the information a lot harder to exploit for criminal purposes.
Although 2007 was a record number for reported data breaches, very few of criminals stealing the information got caught. Organizations losing the information are starting to be held accountable, but it would be nice to see more of criminals stealing the information brought to justice.
Another thing to consider is that data breaches aren’t putting organizations out of business. True, they are costly, but in the end the cost is normally passed on to everyone using their services.
In the end, we are all paying for the cost of fixing data breaches.
And while a record number of data breaches were reported, there would have to be some that no one (except the criminals) know about.
My guess is that there is a lot information theft that is never detected. I would also surmise that this is considered the most valuable information being sold and used by criminals.
Compromised information is normally most effective when the person who it belongs to doesn’t know it’s being used.
Until we impact both sides of the equation — the people losing information and punishing the people stealing it — we are probably going to see news reports reflecting record statistics on the amount of data breaches occurring.
To do this, we need to focus more resources on catching the people stealing the information and enact laws that make it hurt when they get caught.
The last statistic I saw was that less than 1 percent of them get caught, and if they do, they normally get a slap on the wrist. A lot of the reasons for this are insufficient resources to investigate fraud and a lot of cases that are never reported by both organizations and individuals.
AP article (courtesy of the Washington Post) on 2007 data breach trends, here.
Update: Dissent from the Chronicles of Dissent and PogoWasRight left a good comment on this post pointing out that a lot of people did get caught this year. He is right and I did posts on a number of them.
The people out there catching the crooks stealing the data would be able to do a lot more if they were given more resources!
The Chronicles of Dissent has an excellent article on this subject that I highly recommend to anyone interested in the phenomenon of data breaches, here.