Tuesday, January 01, 2008

Discovering a record amount of information theft only solves half the problem

Has anyone besides me noticed that when data breaches are reported, we see an official statement that the information hasn't been used by identity thieves?

After thinking on that one for awhile, it makes sense that criminals would stop using the information from a data breach after it has been reported.

So far as information used before the breach is discovered, it's pretty hard to prove where the information came from in an identity theft case. With so much compromised information out there, it's nearly impossible to figure out where the point-of-compromise is in any individual case.

When a data breach occurs, a lot of accounts are closed down and everyone who has been compromised runs out and checks their credit reports. Most of the time, free identity theft monitoring is made available to those who have been breached, also.

My guess is that once the stolen information is made public, it's probably dangerous to use. At the very least, it probably doesn't hold the same profit value that it had when no one knew it had been stolen.

For the past week, the news has been awash with the year end statistics on data breaches. By all the recent news accounts, 2007 was a record year.

While reporting data breaches is painful and costly, reporting them probably makes the information a lot harder to exploit for criminal purposes.

Although 2007 was a record number for reported data breaches, very few of criminals stealing the information got caught. Organizations losing the information are starting to be held accountable, but it would be nice to see more of criminals stealing the information brought to justice.

Another thing to consider is that data breaches aren't putting organizations out of business. True, they are costly, but in the end the cost is normally passed on to everyone using their services.

In the end, we are all paying for the cost of fixing data breaches.

And while a record number of data breaches were reported, there would have to be some that no one (except the criminals) know about.

My guess is that there is a lot information theft that is never detected. I would also surmise that this is considered the most valuable information being sold and used by criminals.

Compromised information is normally most effective when the person who it belongs to doesn't know it's being used.

Until we impact both sides of the equation -- the people losing information and punishing the people stealing it -- we are probably going to see news reports reflecting record statistics on the amount of data breaches occurring.

To do this, we need to focus more resources on catching the people stealing the information and enact laws that make it hurt when they get caught.

The last statistic I saw was that less than 1 percent of them get caught, and if they do, they normally get a slap on the wrist. A lot of the reasons for this are insufficient resources to investigate fraud and a lot of cases that are never reported by both organizations and individuals.

AP article (courtesy of the Washington Post) on 2007 data breach trends, here.

Update: Dissent from the Chronicles of Dissent and PogoWasRight left a good comment on this post pointing out that a lot of people did get caught this year. He is right and I did posts on a number of them.

The people out there catching the crooks stealing the data would be able to do a lot more if they were given more resources!

The Chronicles of Dissent has an excellent article on this subject that I highly recommend to anyone interested in the phenomenon of data breaches, here.


Dissent said...

By my count, there were 135 people who were arrested, indicted, or convicted during 2007 for 52 incidents that occurred this year or last year. That's based on news stories reported in PogoWasRight.org news, and does not include all the immigration-related cases involving stolen SSN numbers which are not covered on PogoWasRight.org. Nor does this number include many small local arrests that are not reported in PogoWasRight.org news due to lack of sufficient information in the media report or just lack of interest on my part.

I think we need to keep in mind that in many of the big cases, we don't hear anything in the media at all until there is an indictment and press release. When I look at some of the indictments issued, it is clear that it may take well over a year for investigators and law enforcement to build a case.

They got the four involved in the Stop-N-Shop incident. They got the guy in Certegy/Fidelity and are investigating those who bought the stolen data. They indicted the Kenyan ring that stole the identities of over 300 nursing home residents, they've busted up a number of ID theft rings.

So as with the number of incidents, I think there was actually some progress this year in terms of law enforcement catching and prosecuting perpetrators. Yes, they need more resources, but this seemed to be a better year than 2006 in terms of arrests, prosecutions, and convictions.

Ed Dickson said...

I totally agree with the statement that we are improving so far as catching these people.

I'm hoping that this will become a growing trend and that in 2008, we can report a record amount of them getting caught!