Prior to 2016, the majority of data breaches in the headlines involved the large-scale theft of credit card numbers from major retailers. As the theft of credit card data reaches an apex, however, data-focused thieves are targeting more than what is in your wallet — they are looking to exploit your identity in much deeper and more sophisticated ways. We witnessed this sea change in 2016, when billions of pieces of personal and private information were stolen from commercial enterprises and governments alike. Some of these data breaches involved the theft of email addresses and associated passwords. Others involved the theft of significant amounts of individual health information. Still others involved the theft of credit reports and other valuable personal financial information. This kind of information enables data thieves to pursue what they believe will deliver more lucrative payoffs, such as tax return refunds, medical insurance reimbursements, and retirement account looting.
When compared with the loss of credit card data, identity-focused data theft can be much more damaging to consumers because it is more difficult to detect. In addition, the theft of such data can have a longer lifecycle that makes it harder to address early on, and remediating its impact can require a substantial time commitment and be more expensive. Similarly, businesses are also finding that the costs of investigating and responding to the loss of such highly personal information, as opposed to credit card data, often can be much higher.
Make no mistake, the theft of personal data is a lucrative criminal enterprise that is not going away. We anticipate that the targeting of individuals, businesses, and governments will become more pronounced in the coming years. This is not necessarily a product of the number of records potentially compromised, but rather that our lives have become so intertwined digitally that our personal and business “attack surfaces” continue to expand. Put simply, our personal data is increasingly scattered in a variety of ways, and this creates opportunities for motivated thieves to steal it.
Supporting this viewpoint are some key cyber security findings from Kroll’s recently released Global Fraud & Risk Report, which was based on a survey of executives and businesses worldwide.
- 85% of executives surveyed reported their company suffered at least one cyber incident over the past 12 months.
- Email-based phishing attacks were reported among the top three types of cyber attacks, along with viruses and data deletion.
- Cyber attacks most often targeted customer records (51%), followed by trade secrets (39%), and employee records (39%).
These developments demonstrate the changing digital environment in which we all live and the growing risks within it. Unfortunately, criminals see the situation clearly and have a bigger target for stealing and exploiting data for financial gain.
The Most Valuable Information for an Identity Thief
In this article, we describe why certain kinds of data — as well as certain targets — are increasingly attractive to identity thieves. We also provide practical steps that individuals and businesses can take to avoid or minimize the danger from these crimes.
EMAIL AND PERSONAL ACCOUNT INFORMATION
The theft of email account login information can occur in a number of ways. One of the most common involves the use of phishing emails. The content and structure of a phishing email are designed to trick or socially engineer the unsuspecting recipient into providing his/her email address and password. In other cases, hackers are able to obtain a list of usernames and passwords by breaching a website.
The potential danger:
Because email has become such an essential and trusted form of communication, when criminals gain access to an email account, there are several different ways that they can exploit the information. The same email addresses are often used across financial and banking accounts. Unfortunately, people often reuse passwords, so once hackers have accessed one email account and its password, they can exploit this generic information to gain access to other individual email or web accounts. From there, crimes can run the gamut from authorizing money transfers, to creating new online banking, brokerage, or retirement accounts, to ordering new credit and debit cards shipped to a new address. Depending on their tenacity and persistence, criminals with access to an email account — particularly one associated with an online financial account, social media account, or online shopping site — can do a significant amount of damage, which can be difficult and time-consuming to overcome.
Exacerbating the problem is the fact that data obtained from breaches of personal information provides an attacker with a much broader view of the targeted victim. With a more complete profile of a victim, attackers can pivot to gain more information and create greater damage. For example, a credit report can contain names, addresses, email accounts, and family member information. Oftentimes, these intimate details actually form the basis for account security questions that are used as part of many account password reset processes: What was your first car? The name of the street you grew up on? Your high school mascot? An attacker with access to an enriched view of personal and credit data can easily answer these questions through a few online searches or educated guesses.
CREDIT REPORT INFORMATION
Credit reports are an incredibly rich source of information. While most people are familiar with their “FICO” or credit score, a full credit report can include a tremendous amount of personal data about an individual consumer. Depending on the provider and the type of report, the report will contain varying types and degrees of information. These reports may include current as well as past addresses; bank accounts, including bank name and account balances; and information on outstanding loans and corresponding balances. Some providers also enrich these reports with data about relatives, email addresses, and even vehicles owned.
The potential danger:
The first move a criminal is likely to take with this information is to perpetrate “new account” fraud, i.e., taking the information to create new credit accounts. Very often, these are small online accounts that the attacker will use to purchase goods and services and never pay the bill. This can affect the consumer months or years down the road when they have negative credit marks or even collection requests for accounts they never even established.
One of the trends that we have seen lately is the establishment of new credit accounts with individual retailers. Many retail outlets offer a credit account that can only be used to purchase merchandise from that particular store. These accounts are typically easier to open than a major credit card, so it is not uncommon to see a single stolen identity used to open over a dozen such accounts.
PERSONAL HEALTH INFORMATION
Health care providers and insurance companies compile personal health information records that are rich in credit-related data as well as confidential or sensitive health-related data on patients and insureds. Because many families are insured under one family member’s health care plan, stolen personal health information may include Social Security numbers, names, birth dates, addresses, and other data of all family members, including children. Data related to flexible spending or health savings accounts (FSAs or HSAs) may also be linked to this information.
The potential danger:
Armed with this information, a criminal can try to exploit accounts that have already been created, such as an FSA or HSA, or the information could be used to create new accounts in the victim’s name. Children can be particularly impacted, because they typically do not have a credit file that is being monitored and one established using a child’s information can go undetected.
Personal health information may also include confidential data on illnesses, diseases, mental health, and various treatments. This information is very private and sensitive and is protected by law to prevent discrimination. As we have seen in cases involving several prominent celebrities, perpetrators can try to use the information for extortion or to embarrass the victim.
Businesses, particularly small and medium-sized (SME) ones, are ripe for targeting by sophisticated identity thieves. By taking over email accounts of executives or finance team members, or by creating fake email accounts intended to impersonate these people, criminals can socially engineer either the financial team or the company’s bank into sending out a bank transfer. Established businesses often have a routine for initiating these types of bank transfers, and those can be very basic. For example, a single person may be authorized to initiate transfers from an online account or via an email or phone call to the bank. While banks should verify the transfer, sometimes they do not in an effort to provide more personal customer service and to foster a relationship of trust. New businesses, on the other hand, especially those that are growing quickly, can run into trouble when their sales outpace the back-end support. Defense regimes such as information security measures and financial controls are often not fully funded or fully developed to prevent fraud.
The potential danger:
These attacks have been successful with both well-established businesses and new, fast-growing enterprises. The financial loss is immediate, often reaching into the millions of dollars, and such funds can be impossible to recover.
Tip: Did you know that LegalShield offers the most comprehensive identity theft protection for individuals and families? If you need support, please reach out! WIBN Community Members save!
Willi Shillinglaw, an Independent Associate of LegalShield, is a passionate advocate for access to affordable legal advice and identity theft protection. Willi was a founding member bringing the much-needed service to the Ontario market in 1999.
Willi has worked her way to the Director level as an Independent Associate of LegalShield, where she promotes awareness and educates individuals and business owners on how they can take action to protect themselves against the risk of identity theft and obtain timely legal services.
Willi has been a small business owner and entrepreneur for over 25 years. Willi also served as one of the founding board members and director of Emily’s House – the first children’s hospice in Toronto. Her experience includes establishing a successful franchise operation in the Personal Image Consulting industry, and growing the enterprise from a small home-based business to an exciting enterprise with 8 franchisees in the GTA. When Willi is not working, you will find her volunteering at various churches and charities and spending every second she can with her grandchildren and family. Connect with Willi on Twitter and LinkedIn and at her website http://wshillinglaw.com