Consumers whose financial and personal information is stolen are more likely to be victimized if the data breach is small, a study of four data disclosures reported Thursday.
ID Analytics, a San Diego-based identity risk management company, analyzed four data breaches that revealed approximately half a million identities, comparing the IDs against credit card, wireless service, and instant loan applications.
The smaller the size of the breach, the higher a consumer's risk of identity theft, ID Analytics concluded. That's because of the limited number of identities a criminal can actually put to use in a set amount of time.
It takes approximately five minutes to fill out a credit application, noted the study, meaning that a fraudster working full-time--6.5 hours a day, five days a week--could exploit fewer than 400 identities in a week. To fully utilize a breach of a million identities, the fraudster would have to work for more than 50 years.
Although criminals sometimes parcel out smaller blocks of identities from a large breach--selling or "outsourcing" the actual identity theft work to others--that practice would probably be prohibitively expensive, added ID Analytics. To outsource 100,000 identities at a work rate of $10 an hour would run a criminal about $83,000 in labor costs, and require 64 "employees" to process that many names in one month.
In fact, said the company's analysis, the risk is quite low overall. Even the most dangerous kind of data breach--one that reveals names and Social Security numbers as well as account information--poses a risk to fewer than one in every 1,000 identities.
"This information can help consumers assess their relative risk if they have been a victim of a data breach," said Bruce Hansen, ID Analytics' chief executive, in a statement.
The study also found evidence that notices sent by the breached data company to consumers may deter criminals. In one large-scale breach ID Analytics analyzed, thieves slowed their use of the data after potential victims were notified.
Some 20 states, including California, have notification laws on their books, but several federal bills once thought sure to pass are now stalled in Congress, and unlikely to get approval until 2006.