Identity Fraud Rises; 61 Percent of Breaches Caused by Stolen Credentials

Last year, 13.1 million consumers suffered from identity fraud, the second-highest number on record, according to Javelin Strategy & Research’s 2014 Identity Fraud Report: Card Data Breaches and Inadequate Consumer Password Habits Fuel Disturbing Fraud Trends.

One of the trends is an increase in existing card account fraud and losses. "Existing card accounts" refers to the account numbers and/or the actual cards for existing credit and card-linked debit accounts. Losses due to existing account fraud grew 45% to $16 billion, accounting for 88% of all U.S. fraud losses.

Online Consumer Data At Risk

According to the report, increasing online availability of consumer account information has made existing account fraud more attractive to criminals due to quicker and cheaper prospecting.

And how do criminals access consumers’ online accounts? By leveraging poor password security. One of the major factors in identity theft is the ability to use a single stolen password to access multiple accounts that store or transmit them, according to the report.

KrebsOnSecurity.com reports on a healthcare vendor exploit that included the breach of a third-party payroll and HR management provider, Ultimate Software (UltiPro Services). Criminals used stolen credentials to collect patient data from health systems and other healthcare organizations in order to submit fraudulent tax refund requests. They were able to do so by stealing employee W-2s from the HR and payroll departments that used the software. Find out more about the exploit in Lax Healthcare Vendor Security Leads to Data Breaches & Tax Fraud.

And according to a different report by Javelin Strategy & Research, The Consumer Data Insecurity Report (PDF), defrauded data breach victims overwhelmingly (61%) attribute their fraud to the breach of their credentials. These findings strengthen the need for greater security around endpoint access with stronger authentication.

The National Criminal Justice Reference Service reported that government documents/benefits fraud was the most common form of reported identity theft (34%), followed by credit card fraud (17%) and phone/utilities fraud (14%).

According to the NCJRS, the majority of identity theft incidents (85%) involved the fraudulent use of existing account information, such as credit card or bank account information.

The Consumer Effect

An interesting personal account of identity theft, contributed to Forbes.com Personal Finance, has the author detailing her discovery of ongoing theft and the aftermath. While retail organizations, hospitals, and banks suffer, so do consumers – and they’re less likely to be loyal to companies that leak their information.

Javelin Strategy & Research reports that breaches affect consumer confidence in a big way – six in 10 victims whose information was compromised in a retailer breach said their level of trust in the retailer declined significantly. Another one in five victims avoid doing business with organizations after their information is breached.

And retail organizations are the source of most breached data (50%), as can be seen below, followed by credit card issuers (22%), primary financial institutions (16%) and healthcare providers (14%).

Retail Breach Graph

Additionally, 64 percent of identity fraud victims think that they should be able to take legal action against the organization that leaked their personal information, which often happens in civil and class-action lawsuits. Nearly 60 lawsuits were filed by affected customers after the Target breach, while dozens of lawsuits brought by banks and credit unions were also filed, asking Target to pay for fraud and card replacement fees.

Another surprising fact is that nearly half of victims (49 percent) don’t even know where their information was compromised. While there should be data breach regulations for every type of industry and in every state, the requirements vary greatly, and a few states don’t even require organizations to report breaches. As I wrote about in California Breaches Increase 30 Percent in 2014; 84 Percent Retail, 47 states have breach notification laws requiring both private companies and states to notify consumers if they’ve been breached, while three have no security breach laws – including Alabama, New Mexico and South Dakota.

With identity theft on the rise and password theft the main cause, consumers and businesses alike should focus on strengthening their authentication security to avoid becoming a statistic. Find out more about securing against modern risks in the retail industry in our new eBook, A Modern Guide to Retail Data Risks: Avoiding Catastrophic Data Breaches in the Retail Industry.

@Thu_Duo
Thu Pham
Information Security Journalist

Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo, Thu covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.