Case Study #2
An entirely different direction was taken by the individuals perpetrating identity fraud in this next case. An employee gained access to a number of identities through improper data management within the organization. Several of the office locations had issued thumbdrives to subordinates and transferred sensitive employee and associate information between offices. Moreover, a large portion of the organization had access to sensitive identity information on a daily basis, with limited to no access controls established. Data contained on the thumbdrives were not encrypted. The perpetrators involved in this activity sent out 44 applications to one address using 31 identities over a one year span. In one case, the address used was linked to a single family home only 4.7 miles from the data source.
As opposed to applying for bank cards, the identity thieves focused primarily on targeting the wireless industry. Ninety-six per cent of the applications were for wireless handsets, 68 per cent of which targeted one specific carrier. This behavior suggests identity thieves may be beginning to target the wireless industry in greater volumes. Combined with the growing popularity of the handset and the ease of obtaining a phone (through contract renewals, in-store promotions, online discounts, etc), industry experts suggest this trend may continue.
Learning, Preparation & Taking Action
After assessing identity data provided by breached organizations spanning industries and sectors, this internal data theft study succeeded in providing a better understanding of the behavior associated with stolen identities and the level of risk associated with internal data theft.
Together, these findings illustrate the unique challenges faced by companies operating in a data-rich environment. Business leaders desire an unparalleled customer experience while trying to maintain the appropriate balance between data access and personal privacy. Compounded with the need to protect sensitive personal data and the rising probability of an internal data leak, reactive approaches to a breach event are becoming less feasible.
Organizations should implement internal and external mechanisms to proactively address data security needs, including ongoing monitoring that detects early evidence of misuse within customer and employee data, without interfering with daily business processes. In addition, if organizations suspect that they may already be a victim of a data breach, they must take immediate action to gauge the magnitude of the breach event.
Cooper Bachman is a product analyst at ID Analytics, a provider of on-demand identity intelligence solutions based in the US.