November 20, 2008

More than one in 10 consumers have had sensitive personal data, such as bank or credit card account details, exposed, according to Javelin Strategy & Research. And while banks typically are not the source of the breach, the onerous task of informing consumers of a breach likely falls to their banks. How the institutions do that, stresses Javelin analyst Rachael Kim, is key to how they will be perceived by their customers.

Kim, who authored an October report on best practices for responding to a data breach, tells BS&T that an online survey of 441 victims of financial data breaches conducted by Javelin revealed that 40 percent "lose confidence" in their financial providers. "One of five fraud victims will switch financial institutions," she adds. Pointing to Javelin's November 2007 annual fraud survey, on which she overlaid her recent report, Kim notes that of the 11 percent of the U.S. population that suffered breaches, just 0.6 percent had money stolen.

According to Kim, merchants are the most likely source of a data breach, responsible for 37 percent of incidents; financial institutions are responsible for just 12 percent of all breaches -- although that's a jump from 7 percent in 2007.

Similar ideas emerged in a Nov. 5 BS&T webcast on how banks can improve their online security (available online at banktech.com/cybersecurity). According to John Summers, leader of dynamic site solutions for Akamai Technologies, which sponsored the webcast, banks rank fourth on the list of where most breaches occur but second (after the government) among those hit by identity theft of customers. "There's a real path to profit [in] stealing credentials," Summers said. "The No. 1 item for sale on hacker forums today is bank accounts."

Through its 35,000 Web servers, Akamai delivers about 20 percent of all Internet traffic. Summers reported during the webcast that the Cambridge, Mass.-based firm has seen a big increase in attempted hacks this year.

Indeed, the Identity Theft Resource Center, a national nonprofit organization based in San Diego, says data breaches in the first nine months of this year already exceeded those for all of 2007. And as of Nov. 4, 2008, the organization tells BS&T, roughly 30 million consumers had had sensitive personal data stolen in some 550 reported data breaches.

Javelin's Kim notes that while most states now require that consumers be told when their data has been breached, consumers typically are told that a breach occurred, but not where it originated; and many breaches may never be reported. Further, other states merely report total incidents of breaches so that the affected individuals might never know they were reflected in the statistics, she adds.

Javelin Strategy & Research report offers banks best practices.
