Reflections on a new internal data theft study

Who steals data, and what do they do with it? Cooper Bachman of ID Analytics scrutinizes research from a dozen data thefts resulting in 1,300 attempted instances of data misuse.

The second variable to consider when evaluating the risk posed by an internal data breach is the number of compromised identities. Using similar examples, if an individual's information is one of five million identities contained on a lost laptop, she is far less likely to be a victim of identity fraud than one of the 100 individuals whose information had been printed out by the disgruntled employee. Even in the unlikely event the lost laptop was acquired by an identity thief, it would take a single fraudster approximately 250 years to abuse a group of five million identities. However, a motivated fraudster with a list of 100 identities can cycle through the list rather quickly. Due to the resource limitations of fraudsters, individuals have a higher relative risk in small breaches than in large ones.

In the eight incidents of internal data theft where harm was found, the rate of misuse was between 3 per cent and 36 per cent of the breached population. The internal breach with the highest rate of misuse (36 per cent) was a targeted effort by an employee to steal data from their organization. The data contained the name and SSN for each employee and was used to fraudulently apply for wireless phones and bank cards. For the incident resulting in only 3 per cent of the breached population being harmed, an employee improperly handled data in a way that exposed only a small portion of the population to identity fraud.

For several of the incidents of internal data theft, the ultimate size of the breached file was unknown. For example, if an employee with access to identity data siphoned out information and the company was unable to track data access, the 'breached population' is unknown. For these cases the entire population in the relevant database was analyzed for misuse. Even so, identities exposed to one of these internal breaches were up to twenty-four times more likely to have their identity abused than the average consumer.

3. Wireless Phones are Becoming More Popular Targets

In previous research, fraudsters have demonstrated a preference for bank cards over retail cards or wireless phones when fraudulently applying for goods and services after a data breach. While activity related to bank cards did not completely dissipate, this study revealed a new trend of fraudsters using internal data to apply for wireless phones. After analyzing over 1,300 cases of data misuse stemming from the eight instances of harm, 69 per cent of the total applications targeted the wireless industry. In two of the incidents, the research found over 95 per cent of the fraudulent applications were for mobile phones.

In another study released by Javelin Strategy and Research in early 2008, researchers further highlighted the shift towards mobile technology and reported fraudulent wireless account openings have increased from 19 per cent to 32 per cent of new account fraud since last year. A possible explanation for this is a combination of the growing popularity of higher tech handsets and the competitive nature of the wireless industry.

As demand for smart phones and mobile Internet access increases, wireless providers are offering discounts on hardware to attract customers into new annual contracts. Individuals who have acquired personal data from an organization are able to exploit mark-downs by applying for new accounts, receiving a free or discounted smart phone, and then reselling the hardware for a profit of several hundred dollars per handset. The disgruntled employee has no intention of ever paying the recurring monthly bill and the account eventually charges off.

Evidence suggests this trend may continue.
