Don’t let your guard down: Identity theft getting worse
By Rodika Tollefson, ThirdCertainty
One billion data records were compromised in 2014, a 78 percent increase from 2013, according to a recently released report by SIM card maker Gemalto.
According to Gemalto’s Breach Level Index, the number of major data breaches — involving 100 million or more records — doubled in 2014. The number of total breaches grew as well, by 49 percent from 2013, to a total of more than 1,500.
That translates into an average of 2.8 million records lost or stolen every day last year.
“The data over the past two years clearly shows two trends: Data breaches are growing in terms of their frequency and their size,” said Tsion Gonen, vice president of strategy for identity and data protection at Gemalto, which makes SIM cards used in mobile phones and credit cards.
Infographic: See which industries lose the most data
The company’s findings are based on a global database of breaches as they happen. Among the top breaches it listed were Home Depot (109 million records stolen), JP Morgan Chase (83 million) and eBay (145 million).
The report found that 76 percent of all incidents impacted North America, with the retail sector suffering the largest number of breached records, 55 percent. Malicious outsiders were the source in 55 percent of incidents, while accidental data loss contributed in 25 percent of cases, and malicious insiders in 15 percent.
One notable trend found by the Breach Level Index is an increased shift toward identity vs. financial theft. The report said that 54 percent of all data breaches were related to identity theft.
Identity theft is crime of choice
Gonen said that growth would continue because the window of opportunity with financial records is small — credit card companies can move in quickly to cancel accounts, providing liability protection, or an insurance of sorts.
“For stolen identities, there’s no insurance. Once the personal information is stolen, it is very difficult for an individual to get their identity back, and cybercriminals have more time and opportunities to monetize,” he said.
The thieves also are finding new ways of monetizing, said Johannes B. Ullrich, founder of DShield.org and dean of research for SANS Technology Institute.
“Increased sophistication in automating and monetizing is a new trend,” he said. “The speed will continue to increase, which makes it more dangerous because there’s a risk of a catastrophic loss.”
He noted that the large majority of breaches come down to simple exploits, like someone installing malware or clicking on a phishing link.
“There’s a lot of issues with basic human behavior,” he said. “It’ real easy to get inside even a big company.”
Adam Levin, a nationally recognized expert on identity theft and credit, said a data breach for any company is a matter of when, not if. All a hacker has to do is find one weakness that can be exploited.
“Any security system is as strong as the weakest link, and historically humans are the weakest link,” said Levin, founder of IDT911, which sponsors Third Certainty.
Consumers need new mind-set
What this means for enterprises is a shift in mentality — accepting the inevitability of a breach and focusing on protecting the data itself.
“The problem is that the way we protect data and identities has not changed much in the last decade,” Gonen said.
He said data is moving faster than before and is never stored in one place, so security should be attached to the data itself instead of trying to build a wall around it.
“That is why more businesses need to use stronger authentication methods such as multifactor authentication,” he said.
Consumers should change their thinking in the same way, Levin said.
“You can do everything right, but if you’re on the wrong database at the wrong moment and the wrong person gains access, you’re in trouble,” he said.
Consumers should accept the new reality and make sure they’re monitoring their credit and transactions. Levin also recommends using a damage control service like identity theft insurance, which many people already have available through their insurance companies or other avenues.
A recent report by Javelin showed a slight decrease in the number of identity theft victims in 2014 — 12.7 million compared to 13.1 million the year before.
The report, based on a sample of 5,000 consumers, also estimated a decrease in the dollar damage to $16 billion from $18 billion.
Levin is skeptical of those numbers but even assuming those extrapolated numbers are correct, he said that “all bets are off” for 2015.
“Just based on all the information that was breached in 2014, more people are at risk,” he said. “With the Anthem breach, we are for sure at risk, going forward.”
Security & Privacy News Roundup: Stay informed of key patterns and trends