
An article relating to this blog post on Finextra:

Bank of New York Mellon breach gets bigger

Over 12 million customers - three times the number originally reported - have been hit by the security breach at Bank of New York Mellon earlier this year, when a box containing unencrypted customer d...



let's calm down

For months I have posted a question on my blog: Has there ever been a documented example of identity theft committed as the result of lost backup tapes? So far, no one has shown me an example. As we saw with TJX and Best Western, it is easy to blow apparent data breaches out of proportion. --Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html


Comments: (1)

A Finextra member 31 August, 2008, 02:58

I have used the term 'cavalier attitude' before, so I won't now. However there are millions of victims of identity theft in the US, UK, Canada, Australia etc, who might feel that it was an appropriate description.

I suppose you could search for occasions where lost or stolen data was used for identity theft if you really wanted to know.

Of course these Russians (ex bankers) probably dived through millions of bins and dumpster trucks to steal the identity details of the millions of people that they were found in possession of when arrested.

Russian ex-banker heads identity theft ring.

The authorities were unable to recover all the data in the fraudsters' possession because they used sophisticated encryption beyond the ability of the authorities to break. Of course unencrypted tapes would make it easy, but even encrypted tapes don't present much of a challenge.

One might consider that it might occur to even the less capable ID thieves that stealing the encryption password first would make the whole job a breeze. Not something that is difficult, and has really been child's play for the past decade, and probably will be for the next.

Less than .001% of identity thieves are caught and convicted and very few of those volunteer their methods to authorities, as they can often get right back to business as soon as they get out of prison. If they actually go to prison, because there is only a 50% chance of a convicted identity thief spending time in prison.

This equates to .0005% of ID thieves going to jail. I don't think that's a sufficient sample to be drawing any conclusions as to how the majority of ID theft is committed.

One could draw inferences by looking at the massive increase in ID theft and the loss of data, but most corporations didn't have a clue that their data is being/had been stolen, and only recently did they even report it if they did know, and it can take years for the outcome to be felt by the victim, and in fact many go to their grave never knowing they were a victim.

Your post has striking similarity with the defense that a lawyer would use defending a corporation in a data theft or loss damages case.

Perhaps you might use this paper to press the idea that 70% of ID theft isn't caused by corporate data breaches, but it's a very long bow, and bear in mind the small sample rate and unknown quantity of yet to occur, or yet to be uncovered, 'long tail' events.

In conclusion, unless criminals start telling us exactly how they committed their crimes, we're in the dark. Nevertheless, it might easily be deduced that if corporate data breaches are responsible for even 30% of ID theft, and that the event is beyond the control of the consumer and in fact the responsibility of the corporation, then if we change the corporations' behaviour we can reduce identity theft by 30%. That seems to be a good place to start.