Link Between Data Breaches And ID Theft Unclear, GAO Reports - InformationWeek

Even if someone is the victim of identity theft, it's difficult to figure out how that person's sensitive personal information fell into the wrong hands, the agency said.

Data breaches have become a sad fact of life for any organization that uses, stores, or trades in digital information. But a Government Accountability Office report issued Thursday indicates that, while the amount of information lost or stolen is disturbing, it's very difficult to prove that these breaches often lead to identity theft.

In fact, the GAO examined the 24 largest -- in terms of number of records compromised -- data breaches reported in the news from January 2000 through June 2005, as well as five breaches that involved federal agencies, but found that the extent to which data breaches resulted in identity theft is not well known. Even if someone is the victim of identity theft, it's difficult to figure out how that person's sensitive personal information fell into the wrong hands.

Of the 24 breaches GAO studied, three included evidence of resulting fraud on existing accounts, while only one included evidence of unauthorized creation of new accounts. The agency could not find clear evidence of any link to identity theft for 18 of the breaches, and information about the remaining two breaches was inconclusive.

This may come as small consolation to the 2.3 million customers of Fidelity National, an arm of Fidelity National Information Services, whose bank account and credit card information may have been stolen. A former senior-level database administrator was fired for taking and selling the information to several direct marketing companies. Fidelity made this announcement earlier in the week, just before the July 4 holiday.

This low rate of identity theft relative to the amount of personal data stolen could be explained in any number of ways, according to the GAO. Identity theft victims often don't know how their personal information was obtained. In addition, law enforcement officials told the agency that in some cases, stolen data may be held for a year or more before being used to commit identity theft. Add to this the fact that issues of privacy and confidentiality make it difficult for organizations to conduct comprehensive studies of data breaches and identity theft.

While the correlation between data breaches and identity theft is unclear, there's no mistaking that data breaches are a growing problem. More than 570 data breaches were reported in the news media from January 2005 through December 2006, and often the incidents varied significantly in size and occurred across a wide range of entities, including federal, state, and local government agencies; retailers; financial institutions; colleges and universities; and medical facilities, the GAO found.

Law enforcement is feeling the strain. The FBI's Cyber Division told the GAO that it's currently working on more than 1,300 pending cases of computer or network intrusions where data breaches resulted from unauthorized electronic access to computer systems, such as hackings, at public and private organizations. The Secret Service in 2006 alone opened 327 cases involving network intrusions or data breaches, specifically where financial information was lost or stolen.

Legislators have been working at the state level to protect citizens from identity theft resulting from a data breach. As of April, at least 36 states had enacted some form of law requiring that affected individuals be notified in the event of a data breach; California's law, enacted in 2002, was the first such state requirement. There is no federal law that specifically addresses breach notification.
