Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Sam Dekay

An Analysis of the Privacy Rights Clearinghouse “Chronology of Data Breaches” and Implications for Information Security Professionals (pt. 1)

Occurrences of Actual Identity Theft or Other Fraudulent Activity
Of the 330 reported incidents occurring in 2007, only 7 (2%) seem to have resulted in actual cases of identity theft or other fraudulent activity. Several hundred individuals were victimized by these incidents, generally due to the theft of credit card numbers and associated card holders’ names. Four of these incidents (57%) were perpetrated by employees or former employees with malicious intent; three incidents were caused by hackers. Ironically, therefore, although “malicious insiders” were the least frequent cause of breach incidents, they were responsible for the majority of breaches that resulted in actual identity theft.

Two of the four incidents involving “malicious insiders” were unrelated to electronic records; rather, these breaches involved theft of papers containing sensitive information. For example, the waitress of a café specializing in hamburgers retained copies of customers’ credit card transactions and then used the account numbers, names, and signature information to perpetrate fraud. Between 6 and 40 persons were victimized, and approximately $16,000 in illegal transactions resulted from her activities.

None of the breaches due to lost or stolen equipment—despite the high number of these incidents—resulted in actual fraud. Nor did any of the incidents caused by exposure of sensitive information on the Internet, by improper disposal of records, or by other accidental disclosures lead to a documented case of identity theft or fraud; all seven such cases trace back to the four malicious insiders and three hackers noted above.

The next part of this article will examine the significance of these findings for risk assessment, security policy, priorities for security controls to reduce the likelihood of breaches, and the role of information security in the breach prevention process.


One Comment

  1. john doe, Jul 9, 2008 at 8:38 pm

    Why use PRC for the data when they get their data from Attrition.org’s DataLoss project?
