Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:30 PM
Connect Directly

Small Data Breaches Pose Big Identity Theft Risks

That's because of the limited number of identities a criminal can actually put to use in a set amount of time, a new study says.

Consumers whose financial and personal information is stolen are more likely to be victimized if the data breach is small, a study of four data disclosures reported Thursday.

ID Analytics, a San Diego-based identity risk management company, analyzed four data breaches that revealed approximately half a million identities, comparing the IDs against credit card, wireless service, and instant loan applications.

The smaller the size of the breach, the higher a consumer's risk of identity theft, ID Analytics concluded. That's because of the limited number of identities a criminal can actually put to use in a set amount of time.

It takes approximately five minutes to fill out a credit application, noted the study, meaning that a fraudster working full-time--6.5 hours a day, five days a week--could exploit fewer than 400 identities in a week. To fully utilize a breach of a million identities, the fraudster would have to work for more than 50 years.

Although criminals sometimes parcel out smaller blocks of identities from a large breach -- selling or "outsourcing" the actual identity theft work to others--that practice would probably be prohibitively expensive, added ID Analytics. To outsource 100,000 identities at a work rate of $10 an hour would run a criminal about $83,000 in labor costs, and require 64 "employees" to process that many names in one month.

In fact, said the company's analysis, the risk is quite low overall. Even the most dangerous kind of data breach--one that reveals names and Social Security numbers as well as account information--poses a risk to fewer than one in every 1,000 identities.

"This information can help consumers assess their relative risk if they have been a victim of a data breach,” said Bruce Hansen, ID Analytics' chief executive, in a statement.

The study also found that evidence notices sent by the breached data company to consumers may deter criminals. In one large-scale breach ID Analytics analyzed, thieves slowed their use of the data after potential victims were notified.

Some 20 states, including California, have notification laws on their books, but several federal bills once thought sure to pass are now stalled in Congress, and unlikely to get approval until 2006.

Register for Bank Systems & Technology Newsletters
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.