The risk level is growing for anyone whose information is stolen
in a data breach.
In 2010, you had a one in nine chance of becoming a victim of
identity theft after your financial or personal information was
swiped. Today, your odds have increased to one in three, according
to a survey of ID theft victims by the National Consumers League
(NCL) and Javelin Strategy & Research.
In the five years that Javelin has studied the link between data
breaches and identity theft, "the relationship has grown stronger
Thieves steal information to make money, says Al Pascual,
Javelin's senior analyst of fraud and security, and co-author of
the study, "
The Consumer Data Insecurity Report
Along with the risk to consumers, the financial stakes have
soared. Fraud committed with existing credit cards and debit cards
jumped from $8 billion in 2012 to $11 billion in 2013.
The bad guys no longer rely on Dumpster-diving and stealing mail
to get their hands on your personal and financial information.
Instead, they hack into computers and sell the information they
steal on the black market.
"This is a global organized-crime underground," says report
co-author John Breyault, vice president of public policy,
telecommunications and fraud at the National Consumers League
(NCL). "They collect information any way they can and monetize it
as quickly as possible."
The Target data breach that began last year -- and which
impacted up to 110 million consumers -- shone the spotlight on such
breaches, raising awareness of the risks they pose.
"We see this as the real tipping point," Breyault says.
In that incident, between 1 million and 3 million debit cards
and credit cards were sold on the black market and used to commit
fraud, according to the NCL. The cards went for between $18 and
The Target case underscores the challenge facing retailers and
other organizations that collect your personal data.
"How do you keep bad guys from getting in, and keep the good
data from getting out?" asks Bob Olson, vice president of the
global financial services unit at Unisys.
The Target breach garnered the most national attention, but the
company was far from alone. In 2013, the Identity Theft Resource
Center received 614 reports of data breaches that exposed almost 92
million personal records, ranging from credit card and debit card
numbers to Social Security numbers.
Americans are taking notice. In the
2014 Unisys Security Index
, more consumers reported they were afraid of abuse of credit card
data and identity theft than they were of war and terrorism.
The survey of more than 1,000 people found 59 percent were
"extremely" or "very" concerned about the abuse of their credit and
debit card data. That compares to 52 percent of respondents who
reported those levels of concern in the 2013 survey.
In addition, 57 percent in the 2014 survey said they were
"extremely" or "very" concerned about identity theft, up from 54
percent the previous year.
Olson says he's not surprised by the results: "It's based on
what's really on the top of your mind."
What happens to your information?
In many cases, stolen credit card and debit card numbers are used
to make purchases online, Pascual says. But rather than stocking up
on items like flat-screen TVs, crooks are using the cards for small
transactions so they "fly under the radar."
Criminals also are staying local. If card information is swiped
in Texas, it's more likely to be used in Texas than halfway around
the world. That helps crooks avoid suspicion.
Credit cards and debit cards are most valuable on the black
market before a data breach has been discovered and publicly
disclosed, Pascaul says. At that early point, "there are no
controls in place and the chance of committing fraud is
With major data breaches, two sets of bad guys are typically
involved -- the data thieves, and the buyers of stolen data, says
Michael Bachmann, associate professor of criminal justice at Texas
Christian University in Fort Worth, and an expert on
The first group of bad guys includes skilled hackers who have
the expertise to get into sites and steal your information. They do
not want to run the risk of actually using the data, so they sell
it in bulk online. Bitcoin is the currency of choice, Bachmann
The Target data breach was the first time in which more than 1
million card numbers were offered for sale in bulk on the black
market, Bachmann says.
Those buying stolen data look at the number of cards up for sale
and whether or not the credit card information is complete. To make
sure the cards will work in transactions, buyers may test the cards
by making small charges to charitable organizations, Bachmann
For example, they may do "salami slicing" -- making a series of
small transactions for less than $10 that don't come under the same
degree of scrutiny from consumers and credit card companies,
In January 2014, for example, the Better Business Bureau
of fraudulent charges of $9.84 popping up after credit card numbers
had been stolen. "The expectation is that many cardholders won't
notice the relatively small charge, and the credit card companies
won't go after such a minor sum," the BBB said.
Along with stealing credit card and debit card data, crooks also
are on the hunt for personal information. Social Security numbers
are viewed as the "keys to the kingdom," Pascual says. Social
Security numbers are used to open new accounts, and to commit tax
fraud and medical identity fraud.
As the "de facto national identification," it's almost
impossible to get your Social Security number replaced once it has
been stolen, Pascual says. Unlike credit and debit cards -- which
are canceled if fraud is discovered and cannot be resold on the
black market -- Social Security numbers can be sold repeatedly.
"Once a criminal has it, he can continue to use it on a whim,"
Bachmann says the same black market websites that sell credit
and debit card information also sell personal identification, such
as Social Security numbers, in bulk.
Criminals also can purchase passports and birth certificates at
these websites. The prices these documents command varies by the
country of origin. Documents from the United States are high-value
A false sense of security
If the bad guys get their hands on your financial or personal
information, they might not use it for months. So even if you do
not see fraud occurring within a few weeks of a data breach, that
does not mean you are in the clear. "That's sort of a false sense
of security," Olson says.
A surprising one-third of fraud victims did not take steps to
prevent further fraud, the NCL/Javelin study found. For those who
did take action, nearly one-quarter set up email or mobile alerts
on their credit cards or bank accounts. Another one-quarter set up
on their credit reports.
And if the crooks have luck hacking into a site once to get
information, they may come back again to see what else they can
pilfer, he says.
Pascual warns that if criminals get their hands on the password
for one of your accounts, they will try to use it with other
accounts, because people tend to reuse their passwords. "As the
number of accounts increases, fraud increases," Pascual says.
Rather than coming up with complex passwords with a lot of
numbers and alternative characters, he recommends using "the
longest password you can remember. Length is always your
The move is now underway to switch from issuing credit cards
to issuing cards that are chip-enabled. Chip cards store data in
microprocessors and generate unique authorization numbers for each
transaction, making the cards harder to copy or counterfeit.
However, chip-enabled cards are not a panacea. In Great Britain,
the switch to chip-enabled cards meant a decline in fraudulent use
of credit cards in person, but it did nothing to stop online
It's no silver bullet," Breyault says. "It's very difficult to
be a participant in the modern economy and have zero
"The odds are you'll be a data breach victim at some point,"
Data breach protection: 10 tips
What to expect, do after a data breach
Data breaches turn spotlight on EMV cards