Identity theft may be far more costly to victims than previously believed.
A study released Monday by Utica College's Center for Identify Management and Information Protection (CIMIP) found that the median actual dollar loss for identity theft victims was $31,356.
This figure is based on 470 cases out of 517 where loss data was available to Utica College researchers.
The CIMIP study is significant because it's the first time the U.S. Secret Service has allowed researchers to review its closed case files on identity theft and fraud. It is intended to provide empirical evidence that law enforcement agencies can use to combat identity theft.
A 2007 study by the Javelin Strategy and Research cited an average (not median) fraud amount of $5,720 per victim that year. A 2003 Privacy & American Business survey put the average cost per victim at $740.
One reason for the cost discrepancy between the CIMIP study and past ones may be that the previous cost figures focused on consumer losses.
But the CIMIP study shows that identity theft affects companies as well as individuals: "The findings show that the financial services industry was just as likely to be victimized as an individual," the report states.
"Most studies have focused on the individual victim," explained Gary R. Gordon, executive director of CIMIP and professor of economic crime at Utica College, in a phone interview. "In this case, we're seeing a wider range of victimization.
Because the cases examined by CIMIP were investigated by the Secret Service, the loss amounts involved are likely to be large; the Secret Service simply doesn't get involved in minor scams.
"What we're trying to do here is challenge some of the convention wisdom and provide empirical evidence rather than anecdotal evidence in looking at identity theft crimes," said Gordon.
CIMIP works with corporate, government, and academic institutions to research identity management, information sharing, and data protection. Its corporate partners include IBM, LexisNexis, TransUnion; its federal partners include U.S. Secret Service, Federal Bureau of Investigation, and the U.S. Marshals Service; and its academic partners include Carnegie Mellon University Software Engineering Institute, Indiana University's Center for Applied Cybersecurity Research, and Syracuse University's CASE Center.
One of the study's most surprising findings is that while the Internet may be helpful for identity thieves, it's not necessary.
"Analysis of the methods employed by the offenders showed that Internet and/or other technological devices were used in approximately half of the cases," the report says. "In some cases, the offenders began with a non-technological act, such as mail theft, to obtain the personal identifying information, but then used devices such as digital cameras, computers, scanners, laminators, and cell phones to produce and distribute fraudulent documents. While the use of the Internet as a criminal tool had a presence, it did not appear to be a necessity for most offenders to reach their goals."
Among the 517 cases analyzed, 102 included the use of the Internet. Nontechnological means of identity theft -- mail theft, mail rerouting, and Dumpster diving -- occurred in 106 cases.
Another unexpected finding is that in half of the identity theft cases analyzed, the crime began in a business. In 274 cases where a point of compromise could be identified, businesses accounted for 50% (137) of the breaches.
"There are a lot of cases where businesses provide the points of compromise," said Gordon.
While about two-thirds of the cases did not involve insiders, one third did. "A third of the cases involved identity theft through employment," said Gordon. "Those numbers we think are significant."
Of the 176 cases where the point of vulnerability was the offender's place of employment, 77 involved the retail industry, more than twice as many as occurred private companies, banks, or government agencies.
The report also suggests that the demographics of identity theft offenders don't conform to the conventional wisdom. "While some of the findings about the offenders may not be surprising, others seem to contradict the image that, in some ways, has been formed by default: that identity thieves are usually white males," the report says. "The results show that identity theft is a crime that minorities are just as apt to commit as whites."
According to the report, "The majority of the offenders were black: 53.8% (467). White offenders accounted for 38.3% (332); 4.8% (42) of the offenders were Hispanic and 3.1% (27) were Asian. The race for 65 of the offenders was not made available."
"We don't have an explanation; we're just reporting on the data set," said Gordon.