Yesterday, Bruce Schneier's blog entry Most Stolen Identities Never Used pointed to a much needed reality check about data breaches involving "personal" data. The entry pointed to the reported findings of ID Analytics, Inc.'s analysis of four data breaches involving approximately half a million consumer identities. They found that relatively few of the breached identities were exploited for criminal financial gain. [PDF of the full report] I'll get back to the ID Analytics report shortly, but first some roundabout comments.
In recent months, hardly a week goes by without reports of businesses' databases being breached and their customers' personal data being exposed to fraud. Taking the Privacy Rights Clearinghouse's chronology of US data breaches since the 15 Feb 2005 ChoicePoint incident, it would appear that over 51.5 million Americans have had their personal information compromised. That's almost one in six Americans! The 51.5 million is the total number of individuals whose records were reportedly breached. It is not clear how much overlap there may be (i.e., how many people's data was exposed in more than one breach). The number of individuals affected in a given breach ranges from a little over a hundred to 40 million. One incident, an intrusion into CardSystems' data, represents almost four-fifths of the 51.5 million total.
But the snarfing of one's data in these breaches doesn't automatically mean that the culprits are exploiting everyone's data. It's nothing new. Years ago, there was much media to-do over Kevin Mitnick having nicked 20,000 credit card numbers from Netcom. But not so often mentioned was that there was no indication he exploited any of the numbers for financial gain. It appears that the 20K credit card numbers were treated as a hacking trophy in their own right rather than as raw material for financial exploitation. I am not saying that a data breach is not a problem, but let's not confuse possession of the data with actual exploitation of the data. Possession, yes, provides the potential for fraud, but possession itself is not the fraudulent exploitation.
Going back to the ID Analytics findings, I see they support that difference between breached data possessed and the ultimate financial exploitation of the data. The ID Analytics press release notes:
ID Analytics' fraud experts believe the reason for the minimal use of stolen identities is based on the amount of time it takes to actually perpetrate identity theft against a consumer. As an example, it takes approximately five minutes to fill out a credit application. At this rate, it would take a fraudster working full-time – averaging 6.5 hours a day, five days a week, 50 weeks a year – over 50 years to fully utilize a breached file consisting of one million consumer identities. If the criminal outsourced the work at a rate of $10 an hour in an effort to use a breached file of the same size in one year, it would cost that criminal about $830,000.
ID Analytics also noted that an individual's risk of fraud appears to be higher if one's data was in a small breach rather than a massive one. Another significant factor may be the degree of clear indication that the data itself was targeted. For example, a systems crack to get account data points to the data itself being the target. But the loss of backup tapes or a stolen computer might be an accident, or a theft of the computer as a resaleable device.
ID Analytics' findings also remind us that there is a difference between identity fraud and account fraud. The former is the criminal use of one's identity information to create new accounts or to illicitly obtain benefits due to oneself. Account fraud, a more common crime, is the fraudulent use of existing accounts via stolen data. This is why I prefer the term "identity-linked fraud" over "identity theft" as a catch-all term. Real identity theft is relatively uncommon and more devastating to the victims than account fraud.
Yet to fully exploit my own identity,
J.D. Abolins