Reflections on a new internal data theft study

Analytics' analysis of internal data theft covers methods of misuse, case studies, and preparing for the challenges of data breaches

Identity fraud is different than account fraud. Identity fraud deals with stolen or fabricated identity elements (for example, Social Security number, name, and address). One way to detect identity fraud is to examine new account initiations across companies and industries. In cases of fraud, many new accounts of multiple types are opened across different institutions. Account fraud is the misuse of an existing account that is discovered examining transactions. Account fraud only affects a single institution and a single account. The harm is financial loss, and it is easily reconciled by closing the account and issuing new cards.

It is important to note that this analysis is focused on the use of stolen identities being utilized to open new credit, retail, and wireless accounts. This study did not include takeover of existing accounts such as direct deposit account (DDA) or new openings of collateralized loans (mortgages and automotive finance).

Specifically, the study analyzed the change in identity relationships within each internally breached population looking for anomalous linkages. For example, if a group of consumers had no prior relationships with one another, and then suddenly began applying for credit cards and wireless phones at a single address, this would be viewed as a suspicious or anomalous relationship change. Then, each suspicious case was analyzed in depth and reviewed for possible misuse of identity data. The time periods analyzed ranged from 10 months to more than 30 months after the date of the internal data theft.

Methods of misuse

The study performed temporal and relational analysis on over 1,300 cases of misuse. From these, four common patterns were highlighted.

1. Misuse of data occurred within 20 miles of the internal data source

The data analysis found a geographic relationship between where the data was stolen and where it was used. In some cases, the misuse was occurring as little as two to five miles from the place where the data was removed. It is important to note that the research did not include local lenders such as credit unions or community banks. The misuse identified was based on information from national credit card issuers, retail lenders, and wireless organizations.

If the data has in fact been purchased by a national identity fraud ring, it is expected to see pockets of misuse in geographic areas much farther from the data source. However, all misuse occurred locally relative to where the data was removed and indicates the individuals who obtained the data were either abusing it themselves or providing it to other perpetrators in their local area.

Although there was no evidence of distributed data, it is known that a marketplace exists for identity information. In the Data Breach Harm Analysis published in 2007, a similar study analyzed stolen identities that were readily available on the Internet. As part of this research, scientists found that exposed identities on the Internet typically had a higher rate of misuse than the average consumer. As long as the value and accessibility of personal data remains high, the threat of breached data reaching the Internet and being digitally disseminated remains.