This will not come as a big shock: an estimated 16.7 million Americans were victims of identity theft last year, according to a survey published by the research and advisory firm Javelin Strategy & Research. And the company says this tops the previous record of 15.4 million compromised identities which occurred, not surprisingly, in 2016.
Javelin notes in its report that cyber thieves have changed tactics over the past year, which has made them more efficient and effective. They are now focusing on targeting cellphones and email accounts to obtain a person’s complete details, such as their name, address, and social security number, instead of trying to access individual pieces of personal information in order to piece together a profile.
This strategy is making it easier for cyber criminals to open fraudulent accounts and to exploit them for a longer period of time before they are discovered. The company estimates that fraud losses last year amounted to some US $16.8 billion.
In addition, nearly 1 in 3 Americans were notified of a data breach in 2017, a significant jump from 1 in 8 in 2016, Javelin reports. A major reason was the consumer credit bureau Equifax breach that was discovered on 29 July 2017, in which the personal information of 145.5 million people (130 million Americans, 15.2 million British citizens, and 8,000 Canadians) was compromised. It's unclear how many of those affected also became victims of identity theft as a result.
As if the loss of names, addresses, social security numbers, and/or birthdates wasn’t enough, Equifax quietly informed the Senate Banking Committee earlier this month that even more information had been accessed in its data breach than it first reported.
Equifax told the committee that for an unknown number of persons, email addresses, driver license numbers (including issue date and state), as well as expiration dates for credit cards, were also stolen. Furthermore, an unknown number of tax ID numbers, which are used by individuals who file taxes in the United States but who do not pay into social security, were accessed as well.
Equifax downplayed its sluggish disclosure, saying that its tardy revelation wasn’t an attempt to mislead those affected—or government investigators—about the breach. An Equifax spokesperson explained, without any hint of embarrassment, that the company never intended for anyone to think that its previous announcements were complete and comprehensive. Equifax says the information it has provided to date is “not exhaustive,” meaning more disclosures of exactly what information was stolen from Equifax could happen in the future.
One might get an inkling of what that information might be by examining another major security lapse at the end of last year involving the marketing analytics firm Alteryx, which has an appropriately ironic slogan of “Experience More Data-Ha Moments with Alteryx.”
Apparently, a configuration error left an unsecured 36 GB database online that contained personal and financial information of more than 123 million U.S. households. The database, which included data sets belonging to the credit bureau Experian (an Equifax competitor) and the U.S. Census Bureau, was discovered by the UpGuard Cyber Risk Team in October.
UpGuard posted a list of the 248 information categories it found on the unsecured database. The UpGuard blog post is worth a read if you want to know what personal information companies and credit bureaus are capturing, mining, and selling. And to make you feel even better, no one knows for sure whether someone accessed the misconfigured Alteryx database before UpGuard found it.
I don’t have data to confirm this theory, but I wouldn’t be surprised if 2017 was also a record year in class action lawsuits pursued because of data breaches. In the wake of Equifax’s breach alone, more than 240 class action lawsuits have been filed against the company, with one involving all 50 states. Other suits have been filed against insurance company Aetna, restaurant chain Chipotle, and ride-sharing company Uber, among many others, because of their respective data breaches. It is hard to tell how many of these class action lawsuits will be successful, although some lawyers (naturally) are optimistic in regard to the Equifax breach.
However, data breach lawsuits, especially those brought by individuals, are typically unsuccessful for two reasons. The first is that one has to prove that the information used to steal an identity actually came from some specific breach. With so many data breaches occurring, it’s likely that any one person’s data has been compromised multiple times, and trying to prove that Equifax (or anyone else) was the actual source is extremely difficult.
In fact, when the Equifax breach occurred, the head of the Internal Revenue Service, John Koskinen, said he doubted it would make any difference in tax-related ID scams because so much of the same information had already been stolen.
The second reason for not having much hope that a lawsuit, at least in the United States, will be successful is that the Supreme Court requires a person to show they suffered direct financial harm from the breach. In September, for example, a judge threw out the data breach lawsuits filed against the U.S. Office of Personnel Management in the wake of its colossal 2015 breach partly on these grounds.
Making the situation even more difficult is that many breaches are reported late or don’t reveal the entirety of the information stolen, like in Equifax’s case. The same is true for Yahoo, which announced last September that 3 billion user accounts were compromised by its 2013 cyber intrusion, not the 1 billion it originally stated in 2016. Yahoo was also late in revealing the extent of a 2014 cyber intrusion that compromised 500 million accounts. In many cases, a person may find out that they were a victim of ID theft before the breach responsible is even discovered or announced.
If it all seems like a Catch-22 situation, that’s because it is.
Finally, Equifax announced early last week that it has hired an experienced chief information security officer who helped Home Depot improve its IT security after that company’s 2014 breach of 56 million payment cards. Better late, one supposes, than never.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.