November 07, 2007
Data most at risk via smaller breaches
TJX Companies customers, sit tight!
Well, maybe not that tight, especially since there have already been several concrete instances where data stolen from the retailer has been misused by fraudsters (and arguably that's how the company originally discovered the breach anyway).
However, according to a new study published by software vendor ID Analytics, people whose information is stolen in smaller batches are far more likely to be victimized by criminals than those whose data is leaked among larger groups of records.
Perhaps that deduction seems obvious -- as people whose information is mixed in among only a few hundred names would also appear to be victims of the numbers game when it comes time for ID thieves to carry out their scams -- but the conclusion does make the notion of rating breaches on their sheer size, as we in the media have been wont to do, seem fairly pointless.
In that sense, we might want to cover smaller, targeted breaches more closely than larger incidents going forward -- at least in terms of the potential impact for the involved victims. If you buy into the theory, the theft of 100 accounts from a financial services company should be considered much worse for those involved than TJX-like breaches of millions of IDs.
According to the study -- which is based on the company's analysis of more than 10 million records that have already been involved in breach incidents -- ID Analytics researchers found that the rate of misuse of stolen personal data ranged from one in 200 identities for breaches of fewer than 5,000 records, to a misuse rate of less than one in 10,000 identities for breaches of more than 100,000 records.
Overall, the company said that it only discovered five incidents where the breached identities it was tracking were victimized by criminals among all of the records it studied.
Two of those cases involved incidents in which company employees were found to be guilty of carrying out the data theft. In both cases, the resulting misuse was linked to identities geographically close to the site of the employee theft, ID Analytics reported.
So, when it comes to ID theft it would seem that there's safety in numbers, especially if the breach was carried out by third-party attackers.
Among the other findings of the report is the conclusion that fraudsters who are participating in "organized misuse of breached identity data" tend to churn through personal records very quickly.
ID Analytics said that criminals typically exploit a stolen identity for no more than two weeks before moving on.
So, there's a good chance that by the time you are informed that your data has been stolen by someone, it may have already been exploited, or it may never be, as companies typically tend to wait at least a few weeks before informing their customers of any incident where their ID information is put at risk.
Further -- in a conclusion that stands at odds with much that has been written and said about the underground economy that has sprung up around the trade of stolen personal records -- the vendor submits that there is no evidence that fraudsters misusing breach data have been selling the information broadly, or distributing it over the Internet.
"This finding is significant because one of the greatest potential risks of data breaches is the broad dissemination of personal information to others with criminal intent," the report said.
I'm not sure what to make of that conclusion. Almost every data security expert you talk to will tell you that these underground ID data marketplaces exist, but, clearly in the case of the 10 million records that ID Analytics researched, there wasn't much evidence of this trend.
Finally, and to no one's surprise, the ID Analytics report found that criminals tend to link breached personal data to a limited set of phone numbers or addresses to carry out fraud.
The firm concludes that this means that criminals work to associate identities with a small group of phone numbers and addresses for verification purposes to carry out their misdeeds and receive the ill-gotten goods they ordered in somebody else's name.
So, the idea there is that researchers and law enforcement officials should conceivably be able to track down more identity thieves if they can uncover some of this relatively small pool of numbers and locations to which a lot of the observed fraudulent activity can be linked.
The company said this conclusion also ties into the trend toward misuse of information stolen by employees in their local environments.
"These findings show new insights into the workings of internal data theft, particularly how fraudsters may favor those identities that represent easier access to physical addresses where the perpetrator could receive or intercept credit cards, stolen goods and bank statements," the report contends.
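The linkage described above, many identities tied to a small pool of phone numbers and addresses, can be checked for on the defender's side with a simple link analysis. The following is an added example, not code from the ID Analytics report or from this post; the record layout, the normalization rules and the three-identity threshold are assumptions, and the sample applications are constructed.

```python
import re
from collections import defaultdict

# Constructed sample applications (not data from the ID Analytics study).
# Layout (assumed): (application id, identity id, contact phone, mailing address)
APPLICATIONS = [
    ("a1", "id-001", "(555) 010-2000", "12 Elm St. Apt 4"),
    ("a2", "id-002", "555-010-2000", "98 Oak Ave"),
    ("a3", "id-003", "555.010.2111", "12 elm st apt 4"),
    ("a4", "id-004", "5550102111", "77 Pine Rd"),
    ("a5", "id-005", "555-010-3000", "5 Lake Dr"),
    ("a6", "id-005", "555-010-3000", "5 Lake Dr"),  # same person applying twice
    ("a7", "id-006", "555-010-4000", "41 Hill Ct"),
]

def norm_phone(phone):
    # Keep digits only so formatting differences do not hide a shared number.
    return "tel:" + re.sub(r"\D", "", phone)[-10:]

def norm_addr(addr):
    # Lower-case and collapse punctuation/whitespace (assumed, simplistic rule).
    return "addr:" + re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()

def find(parent, node):
    # Union-find lookup with path halving.
    while parent[node] != node:
        parent[node] = parent[parent[node]]
        node = parent[node]
    return node

def linked_clusters(apps, min_identities=3):
    """Cluster applications sharing a phone or address, directly or
    transitively; return clusters touching >= min_identities identities."""
    parent = {}
    for app_id, _, phone, addr in apps:
        keys = (norm_phone(phone), norm_addr(addr))
        for node in (app_id, *keys):
            parent.setdefault(node, node)
        for key in keys:
            parent[find(parent, key)] = find(parent, app_id)  # merge the sets
    clusters = defaultdict(lambda: {"identities": set(), "contacts": set()})
    for app_id, identity, phone, addr in apps:
        cluster = clusters[find(parent, app_id)]
        cluster["identities"].add(identity)
        cluster["contacts"].update((norm_phone(phone), norm_addr(addr)))
    return [c for c in clusters.values() if len(c["identities"]) >= min_identities]

if __name__ == "__main__":
    for c in linked_clusters(APPLICATIONS):
        print(len(c["identities"]), "identities share", sorted(c["contacts"]))
```

The transitive merge matters here: a1 and a4 share neither a phone nor an address, yet land in the same cluster through a2 and a3, while one person applying twice from the same contact details (a5, a6) is not flagged.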
See you at TJ Maxx!
Posted by Matt Hines on November 7, 2007 02:53 PM