A new analysis of a huge data breach last year in Utah estimates that more than 120,000 cases of fraud will occur as a result of information stolen.
Javelin Strategy & Research's analysis also estimates that each incident will result in more than $3,300 in losses, on average, and each consumer who is ultimately victimized as a result of the breach will spend about 20 hours and $770 on lawyers and time lost from work to resolve the case.
Ripple effects from the incident in the spring of 2012 will also prove costly to banks and businesses that may suffer fraud as a result of the stolen information, said Al Pascual, a security, risk and fraud analyst at Javelin.
"We all need to be aware that breaches are occurring," he said. "Breaches lead to fraud, and fraud affects all of us."
Using the specifics of the Utah breach, Javelin applied what it has learned from its prior research about the impact of such breaches — namely, that having your personal information compromised makes you more likely to become a victim of fraud. Javelin estimates that roughly one in four recipients of a data-breach letter ultimately become fraud victims. (The estimate is based on information provided by consumers themselves, rather than law enforcement.)
"These breaches are driving fraud," Mr. Pascual said. Criminals, he said, are generally not digging through trash or stealing mail to obtain personal data. "They're stealing it digitally," he said.
In the Utah case, about 280,000 Social Security numbers belonging to participants in the state Medicaid and Child Health Insurance Program were stolen from a database maintained by the Utah Department of Health. In addition, less sensitive pieces of information on another 500,000 participants were stolen.
Social Security numbers are particularly dangerous in the hands of criminals, because they can be used in combination with other information about you to create or access bank accounts and obtain credit.
The Social Security numbers were used by the department to verify eligibility for the insurance programs. But a contractor did not safeguard the server where the data was stored. The information was not encrypted and was protected only by a weak password that was easily hacked, the Javelin report said.
There may be little that individual consumers can do to prevent such a breach. But there are steps they can, and should, take to protect themselves if they are notified that their Social Security number has been compromised in a data breach, Mr. Pascual said.
First, you should contact your bank and explain what has happened because many banks still use Social Security numbers to verify customer identity. You can ask for an alternative means of verification, like a specially assigned PIN, or a series of questions known as "dynamic" authentication. For instance, the bank may ask you about the size of recent transactions, or other details that only you would be likely to know, before allowing access to your account online or over the phone.
If the bank isn't willing or able to provide an alternate method of verification, "It may be worth looking at institutions that offer better protection," Mr. Pascual said.
Even if you haven't had your information compromised, you should make use of your bank's automatic account alerts. Such systems send you an e-mail or text message if unauthorized changes are made to your account, like the addition of a new authorized user or a new bill payment account, or a change of address. They can also notify you of significant transactions, like large withdrawals or transfers. "The consumer is going to know first whether a transaction is valid or not," he said.
If you're the victim of a breach and are offered free credit monitoring, you should take advantage of the service, he said. In the Utah case, victims were offered two years of credit monitoring and identity theft insurance.
Ultimately, banks should stop using Social Security numbers as identifiers, he said.
Have you had your personal information stolen? Did fraud occur as a result?