Compared to how they felt a year ago, 57% of American adults are more concerned that their personal information will be compromised in a data breach—and with good reason! The Privacy Rights Clearinghouse reports there have been 8,068 data breaches since 2005, involving close to 11 billion records. In 2017 alone, we saw several high-profile breaches that exposed names and social security numbers for millions of Americans. Widespread data breaches will unfortunately continue to happen, so it is important for consumers and businesses alike to understand what happens to personal information once it gets breached. In this blog post, we’ll walk through one potential route—from data breach to fraudulent use.
Stage 1: Breach
A data breach occurs when a criminal successfully extracts sensitive information from a business. They may research the company’s systems, looking for a weakness, or attack with a spear phishing campaign to steal login credentials.
Stage 2: Sale on the Dark Web
Once the data is breached, criminals sell the stolen personally identifiable information (PII) in bulk on the Dark Web, a collection of websites that grant users anonymity. The more “complete” the identity information is, the more valuable that data is to fraudsters. In-depth, complete identity data (called “FULLZ” on the Dark Web) can include a disturbing amount of PII – including name, SSN, address, credit card numbers, bank account numbers, car make and model, email address, and passwords.
Stage 3: Fraud
With purchased PII in hand, fraudsters set to work. Research by the FTC shows that criminals attempted to use stolen PII within 9 minutes of it being posted online. They can extract value from all types of data: credit card numbers are used for quick purchases before they are deactivated; PII is used to open accounts and apply for loans; log-in credentials are used to drain accounts.
Once a data breach is recognized by a company, the value of the compromised identities falls quickly. It’s a race against the clock to use the data before consumers and businesses deactivate breached accounts, cancel cards, and change passwords. Some fraudsters, however, may opt for a long con. A growing form of fraud called synthetic identity fraud involves a mixture of real and fake data to create a brand-new identity that belongs to no one. Fraudsters may take months or even years building up a credit profile for a synthetic identity before “busting out” by maxing out credit lines and disappearing.
Businesses can add safeguards to their systems, such as robust identity verification and fraud prevention methods, to help protect consumers’ identities. Providing employees with the means to securely verify the identity of a caller or customer also helps ensure that legitimate customers can access accounts while fraudsters are turned away. Finally, putting a response plan into place will allow a business to minimize damage and restore security in the event of a breach.