Don’t let your guard down: Identity theft getting worse

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

By Rodi­ka Tollef­son, Third­Cer­tain­ty

One bil­lion data records were com­pro­mised in 2014, a 78 per­cent increase from 2013, accord­ing to a recent­ly released report by SIM card mak­er Gemal­to.

Accord­ing to Gemalto’s Breach Lev­el Index, the num­ber of major data breach­es — involv­ing 100 mil­lion or more records — dou­bled in 2014. The num­ber of total breach­es grew as well, by 49 per­cent from 2013, to a total of more than 1,500.

That trans­lates into an aver­age of 2.8 mil­lion records lost or stolen every day last year.

The data over the past two years clear­ly shows two trends: Data breach­es are grow­ing in terms of their fre­quen­cy and their size,” said Tsion Gonen, vice pres­i­dent of strat­e­gy for iden­ti­ty and data pro­tec­tion at Gemal­to, which makes SIM cards used in mobile phones and cred­it cards.

Info­graph­ic: See which indus­tries lose the most data

The company’s find­ings are based on a glob­al data­base of breach­es as they hap­pen. Among the top breach­es it list­ed were Home Depot (109 mil­lion records stolen), JP Mor­gan Chase (83 mil­lion) and eBay (145 mil­lion).

The report found that 76 per­cent of all inci­dents impact­ed North Amer­i­ca, with the retail sec­tor suf­fer­ing the largest num­ber of breached records, 55 per­cent. Mali­cious out­siders were the source in 55 per­cent of inci­dents, while acci­den­tal data loss con­tributed in 25 per­cent of cas­es, and mali­cious insid­ers in 15 per­cent.

One notable trend found by the Breach Lev­el Index is an increased shift toward iden­ti­ty vs. finan­cial theft. The report said that 54 per­cent of all data breach­es were relat­ed to iden­ti­ty theft.

Iden­ti­ty theft is crime of choice

Gonen said that growth would con­tin­ue because the win­dow of oppor­tu­ni­ty with finan­cial records is small — cred­it card com­pa­nies can move in quick­ly to can­cel accounts, pro­vid­ing lia­bil­i­ty pro­tec­tion, or an insur­ance of sorts.

For stolen iden­ti­ties, there’s no insur­ance. Once the per­son­al infor­ma­tion is stolen, it is very dif­fi­cult for an indi­vid­ual to get their iden­ti­ty back, and cyber­crim­i­nals have more time and oppor­tu­ni­ties to mon­e­tize,” he said.

The thieves also are find­ing new ways of mon­e­tiz­ing, said Johannes B. Ull­rich, founder of DShield.org and dean of research for SANS Tech­nol­o­gy Insti­tute.

Increased sophis­ti­ca­tion in automat­ing and mon­e­tiz­ing is a new trend,” he said. “The speed will con­tin­ue to increase, which makes it more dan­ger­ous because there’s a risk of a cat­a­stroph­ic loss.”

He not­ed that the large major­i­ty of breach­es come down to sim­ple exploits, like some­one installing mal­ware or click­ing on a phish­ing link.

There’s a lot of issues with basic human behav­ior,” he said. “It’ real easy to get inside even a big com­pa­ny.”

Adam Levin, a nation­al­ly rec­og­nized expert on iden­ti­ty theft and cred­it, said a data breach for any com­pa­ny is a mat­ter of when, not if. All a hack­er has to do is find one weak­ness that can be exploit­ed.

Any secu­ri­ty sys­tem is as strong as the weak­est link, and his­tor­i­cal­ly humans are the weak­est link,” said Levin, founder of IDT911, which spon­sors Third Cer­tain­ty.

Con­sumers need new mind-set

What this means for enter­pris­es is a shift in men­tal­i­ty — accept­ing the inevitabil­i­ty of a breach and focus­ing on pro­tect­ing the data itself.

The prob­lem is that the way we pro­tect data and iden­ti­ties has not changed much in the last decade,” Gonen said.

He said data is mov­ing faster than before and is nev­er stored in one place, so secu­ri­ty should be attached to the data itself instead of try­ing to build a wall around it.

That is why more busi­ness­es need to use stronger authen­ti­ca­tion meth­ods such as mul­ti­fac­tor authen­ti­ca­tion,” he said.

Con­sumers should change their think­ing in the same way, Levin said.

You can do every­thing right, but if you’re on the wrong data­base at the wrong moment and the wrong per­son gains access, you’re in trou­ble,” he said.

Con­sumers should accept the new real­i­ty and make sure they’re mon­i­tor­ing their cred­it and trans­ac­tions. Levin also rec­om­mends using a dam­age con­trol ser­vice like iden­ti­ty theft insur­ance, which many peo­ple already have avail­able through their insur­ance com­pa­nies or oth­er avenues.

A recent report by Javelin showed a slight decrease in the num­ber of iden­ti­ty theft vic­tims in 2014 — 12.7 mil­lion com­pared to 13.1 mil­lion the year before.

The report, based on a sam­ple of 5,000 con­sumers, also esti­mat­ed a decrease in the dol­lar dam­age to $16 bil­lion from $18 bil­lion.

Levin is skep­ti­cal of those num­bers but even assum­ing those extrap­o­lat­ed num­bers are cor­rect, he said that “all bets are off” for 2015.

Just based on all the infor­ma­tion that was breached in 2014, more peo­ple are at risk,” he said. “With the Anthem breach, we are for sure at risk, going for­ward.”

More:
Pro­tect­ing your dig­i­tal foot­print in the post pri­va­cy era
Why deb­it cards are riski­er than cred­it cards
Impen­e­tra­ble encryp­tion locks down Inter­net of Things

 Secu­ri­ty & Pri­va­cy News Roundup: Stay informed of key pat­terns and trends

 


Posted in Identity Theft, News & Analysis