Data breaches have become a sad fact of life for financial institutions. But a U.S. Government Accountability Office (GAO) report issued in July indicates that while the amount of information lost or stolen is disturbing, it's difficult to prove that these breaches lead to identity theft.
The GAO examined the 24 largest (in terms of number of records compromised) data breaches reported in the news from January 2000 through June 2005, as well as five breaches that involved federal agencies, but found that the extent to which data breaches resulted in identity theft is not well known. Even if someone is the victim of identity theft, it's difficult to figure out how that individual's personal information fell into the wrong hands.
Of the 24 breaches GAO studied, three included evidence of resulting fraud on existing accounts, while only one included evidence of unauthorized creation of new accounts. The agency could not find clear evidence of any link to identity theft for 18 of the breaches, and information about the remaining two breaches was inconclusive.
This may come as small consolation to the 2.3 million customers of Fidelity National, an arm of Fidelity National Information Services (Jacksonville, Fla.), whose bank account and credit card information may have been stolen. Fidelity announced at the beginning of July that a former senior-level database administrator was fired for taking and selling the information to several direct marketing companies.
The low ratio of identity theft per stolen data is difficult to explain given the lack of information. According to the GAO, identity theft victims often don't know how their personal information was obtained. In addition, law enforcement officials told the agency that in some cases, stolen data may be held for a year or more before being used to commit identity theft. Add to this the fact that issues of privacy and confidentiality make it difficult for organizations to conduct comprehensive studies of data breaches and identity theft.
A Growing Problem
While the correlation between data breaches and identity theft is unclear, there's no mistaking that data breaches are a growing problem. More than 570 data breaches were reported in the news media from January 2005 through December 2006, the GAO found.
And law enforcement is feeling the strain. The FBI's Cyber Division told the GAO that it's currently working on more than 1,300 pending cases of computer or network intrusions in which data breaches resulted from unauthorized electronic access to computer systems, such as hackings. The Secret Service in 2006 alone opened 327 cases involving network intrusions or data breaches, specifically in which financial information was lost or stolen.
Courtesy of InformationWeek, a CMP Technology property