Although 2014 was the year of the data breach, losses weren't as bad as consumers might expect. But that's not a good thing.
The number of data breaches hit a record high last year with 783 recorded, according to a January report from the Identity Theft Resource Center. Just a few of the big-name victims: JPMorgan Chase, Home Depot, eBay, the U.S. Postal Service. Last week, the Federal Trade Commission announced that identity theft was its most-complained-about category in 2014, accounting for 13 percent of complaints.
Despite that high total, both the number of victims and fraud losses declined from 2013, according to Javelin Strategy & Research's 2015 Identity Fraud Study, released Tuesday. Thieves stole $16 billion from 12.7 million U.S. consumers last year, they said, down 11 percent from the previous year's $18 billion. The number of victims fell 3 percent, from last year's 13.1 million.
"It's actually not an encouraging story whatsoever," said Al Pascual, director of fraud and security for Javlin. Last year saw an "extraordinary response" from regulators, businesses, financial institutions and consumers to quickly stem breach losses, he said—including swiftly replacing impacted cards, installing monitoring systems to catch fraud quickly and adding account alerts to notify consumers of suspicious activity.
Looked at that way, those coordinated efforts should have produced a bigger drop. "It's about a victim every two seconds in the United States, so it's still a very large rate," said Stephen Coggeshall, chief scientist of monitoring service LifeLock, which sponsored the Javelin study.
Overall, 5.2 percent of Americans were victims of credit card fraud, identity theft or similar issues last year, according to the study. The bulk of those cases involved credit card fraud, with victims of data breaches three times as likely as the general population to be a fraud victim. In cases where a breach exposed Social Security numbers, those victims were twice as likely to be a victim of identity theft or fraud.
Instances of new-account fraud—where a criminal uses your personal information to obtain new loans, credit cards and other accounts—fell from $3 billion to $2 billion this year, affecting 0.29 percent of consumers. "It's the lowest it's been in the report's history," said Pascual.
But it's more likely to go unnoticed: 13 percent of victims of this kind of fraud don't notice the misuse for more than a year.
That kind of identity theft is likely to be even more prevalent as banks roll out more-secure EMV credit cards this year. The embedded computer chips generate a unique transaction code with each use helping prevent fraud. "The criminals will have to find something else to focus on," said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse. Without the low-hanging fruit of card fraud, he said, breaches targeting more sensitive information like Social Security numbers may be the next avenue.
Case in point: Tax-refund fraud is expected to hit $21 billion by 2016, up from just $6.5 billion two years ago, according to the IRS. "We're probably just seeing the tip of the iceberg right now," said Stephens.