Study: Data Breaches Pose a Greater Risk

The risk level is growing for anyone whose information is stolen in a data breach.

In 2010, you had a one in nine chance of becoming a victim of identity theft after your financial or personal information was swiped. Today, your odds have increased to one in three, according to a survey of ID theft victims by the National Consumers League (NCL) and Javelin Strategy & Research.

In the five years that Javelin has studied the link between data breaches and identity theft, "the relationship has grown stronger every year."

Thieves steal information to make money, says Al Pascual, Javelin's senior analyst of fraud and security, and co-author of the study, "The Consumer Data Insecurity Report."

Along with the risk to consumers, the financial stakes have soared. Fraud committed with existing credit cards and debit cards jumped from $8 billion in 2012 to $11 billion in 2013.

The bad guys no longer rely on Dumpster-diving and stealing mail to get their hands on your personal and financial information. Instead, they hack into computers and sell the information they steal on the black market.

"This is a global organized-crime underground," says report co-author John Breyault, vice president of public policy, telecommunications and fraud at the National Consumers League (NCL). "They collect information any way they can and monetize it as quickly as possible."

The Target data breach that began last year -- and which impacted up to 110 million consumers -- shone the spotlight on such breaches, raising awareness of the risks they pose.

"We see this as the real tipping point," Breyault says.

In that incident, between 1 million and 3 million debit cards and credit cards were sold on the black market and used to commit fraud, according to the NCL. The cards went for between $18 and $37.50 each.

The Target case underscores the challenge facing retailers and other organizations that collect your personal data.

"How do you keep bad guys from getting in, and keep the good data from getting out?" asks Bob Olson, vice president of the global financial services unit at Unisys.

The Target breach garnered the most national attention, but the company was far from alone. In 2013, the Identity Theft Resource Center received 614 reports of data breaches that exposed almost 92 million personal records, ranging from credit card and debit card numbers to Social Security numbers.

Americans are taking notice. In the 2014 Unisys Security Index, more consumers reported they were afraid of abuse of credit card data and identity theft than they were of war and terrorism.

The survey of more than 1,000 people found 59% were "extremely" or "very" concerned about the abuse of their credit and debit card data. That compares to 52% of respondents who reported those levels of concern in the 2013 survey.

In addition, 57% in the 2014 survey said they were "extremely" or "very" concerned about identity theft, up from 54% the previous year.

Olson says he's not surprised by the results: "It's based on what's really on the top of your mind."

What Happens to Your Information?

In many cases, stolen credit card and debit card numbers are used to make purchases online, Pascual says. But rather than stocking up on items like flat-screen TVs, crooks are using the cards for small transactions so they "fly under the radar."

Criminals also are staying local. If card information is swiped in Texas, it's more likely to be used in Texas than halfway around the world. That helps crooks avoid suspicion.

Credit cards and debit cards are most valuable on the black market before a data breach has been discovered and publicly disclosed, Pascaul says. At that early point, "there are no controls in place and the chance of committing fraud is higher."

With major data breaches, two sets of bad guys are typically involved -- the data thieves, and the buyers of stolen data, says Michael Bachmann, associate professor of criminal justice at Texas Christian University in Fort Worth, and an expert on cybercrime.

The first group of bad guys includes skilled hackers who have the expertise to get into sites and steal your information. They do not want to run the risk of actually using the data, so they sell it in bulk online. Bitcoin is the currency of choice, Bachmann says.

The Target data breach was the first time in which more than 1 million card numbers were offered for sale in bulk on the black market, Bachmann says.

Those buying stolen data look at the number of cards up for sale and whether or not the credit card information is complete. To make sure the cards will work in transactions, buyers may test the cards by making small charges to charitable organizations, Bachmann says.

For example, they may do "salami slicing" -- making a series of small transactions for less than $10 that don't come under the same degree of scrutiny from consumers and credit card companies, Bachmann says.

In January 2014, for example, the Better Business Bureau warned of fraudulent charges of $9.84 popping up after credit card numbers had been stolen. "The expectation is that many cardholders won't notice the relatively small charge, and the credit card companies won't go after such a minor sum," the BBB said. Along with stealing credit card and debit card data, crooks also are on the hunt for personal information. Social Security numbers are viewed as the "keys to the kingdom," Pascual says. Social Security numbers are used to open new accounts, and to commit tax fraud and medical identity fraud.

As the "de facto national identification," it's almost impossible to get your Social Security number replaced once it has been stolen, Pascual says. Unlike credit and debit cards -- which are canceled if fraud is discovered and cannot be resold on the black market -- Social Security numbers can be sold repeatedly. "Once a criminal has it, he can continue to use it on a whim," Pascaul says.

Bachmann says the same black market websites that sell credit and debit card information also sell personal identification, such as Social Security numbers, in bulk.

Criminals also can purchase passports and birth certificates at these websites. The prices these documents command varies by the country of origin. Documents from the United States are high-value targets.

A false sense of security If the bad guys get their hands on your financial or personal information, they might not use it for months. So even if you do not see fraud occurring within a few weeks of a data breach, that does not mean you are in the clear. "That's sort of a false sense of security," Olson says.

A surprising one-third of fraud victims did not take steps to prevent further fraud, the NCL/Javelin study found. For those who did take action, nearly one-quarter set up email or mobile alerts on their credit cards or bank accounts. Another one-quarter set up fraud alerts on their credit reports.

And if the crooks have luck hacking into a site once to get information, they may come back again to see what else they can pilfer, he says.

Pascual warns that if criminals get their hands on the password for one of your accounts, they will try to use it with other accounts, because people tend to reuse their passwords. "As the number of accounts increases, fraud increases," Pascual says.

Rather than coming up with complex passwords with a lot of numbers and alternative characters, he recommends using "the longest password you can remember. Length is always your friend."

The move is now underway to switch from issuing credit cards with magnetic stripes to issuing cards that are chip-enabled. Chip cards store data in microprocessors and generate unique authorization numbers for each transaction, making the cards harder to copy or counterfeit.

However, chip-enabled cards are not a panacea. In Great Britain, the switch to chip-enabled cards meant a decline in fraudulent use of credit cards in person, but it did nothing to stop online fraud.

It's no silver bullet," Breyault says. "It's very difficult to be a participant in the modern economy and have zero vulnerability."

"The odds are you'll be a data breach victim at some point," says Pasqual.

See related: Data breach protection: 10 tips, What to expect, do after a data breach, Data breaches turn spotlight on EMV cards