Industry View
Monitoring the Enemy Within: Reflections on a New Internal Data Theft Study
Who steals data, and what do they do with it? Cooper Bachman of ID Analytics scrutinizes research from a dozen data thefts resulting in 1,300 attempted instances of data misuse.
By Cooper Bachman, ID Analytics
Although there was no evidence of distributed data, it is known that a marketplace exists for identity information. In the Data Breach Harm Analysis published in 2007, a similar study analyzed stolen identities that were readily available on the Internet. As part of this research, scientists found that exposed identities on the Internet typically had a higher rate of misuse than those of the average consumer. As long as the value and accessibility of personal data remain high, the threat of breached data reaching the Internet and being digitally disseminated remains.
2. Misuse Rates are Higher Among Identities Involved in an Internal Data Breach
The risk associated with targeted internal data theft is greater than that of accidental breaches because of the intent underlying the breach. If a laptop is stolen from an unlocked car or a tape containing sensitive information is missing, the intent to use the data for the purpose of identity fraud is low. An employee may have simply left his car unattended while a thief saw an opportunity to obtain and sell valuable hardware. On the other hand, if a disgruntled employee prints out identity information on 100 consumers, the breach now represents a heightened level of risk. The employee's motive to unlawfully obtain and abuse sensitive personal data creates a riskier scenario than a lost laptop. Individuals who are part of a targeted internal data breach are far more likely to have their identities abused due to the intent of the perpetrator.
The second variable to consider when evaluating the risk exposed by an internal data breach is the number of compromised identities. Using similar examples, if an individual's information is one of five million identities contained on a lost laptop, she is far less likely to be a victim of identity fraud in comparison to one of the 100 individuals whose information had been printed out by the disgruntled employee. Even in the unlikely event the lost laptop was acquired by an identity thief, it would take a single fraudster approximately 250 years to abuse a group of five million identities. However, a motivated fraudster with a list of 100 identities can cycle through the list rather quickly. Due to the resource limitations of fraudsters, individuals have a higher relative risk in small breaches than in large ones.
In relation to the eight incidents of internal data theft where harm was found, the rate of misuse was between 3 percent and 36 percent of the breached population. The internal breach with the highest rate of misuse (36 percent) was a targeted effort by an employee to steal data from their organization. The data contained the name and SSN for each employee and was used to fraudulently apply for wireless phones and bank cards. For the incident resulting in only 3 percent of the breached population being harmed, an employee improperly handled data in a way that exposed only a small portion of the population to identity fraud.



