In association with heise online

12 July 2007, 13:24

Major data breaches don't always lead to fraud


Despite recording a high incidence of major leaks of personal data by corporations over the last few years, the US Government Accountability Office (GAO) has established only a limited correlation between such leaks and subsequent identity-related fraud. In an exhaustive but extremely cautiously worded and expressly non-advisory report (PDF) entitled "Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited", the GAO has summarised large-scale breaches of personal data from the year 2000 onwards and compared these with evidence of associated identity fraud. The findings are something of a surprise, and typically hedged: "consequences of data breaches are not fully known, but clear evidence of identity theft has been found in relatively few breaches".

The report comments on requirements for notification of those whose information has been leaked: "Requiring affected consumers to be notified of a data breach may encourage better security practices and help mitigate potential harm, but it also presents certain costs and challenges." This relatively neutral position recapitulates the GAO's stance in several previous documents, notably PRIVACY - Lessons Learned about Data Breach Notification (April 2007) (PDF), despite some high-profile information leaks caused, for example, by laptops stolen from the Department of Veterans Affairs.

There is currently no US Federal law mandating disclosure to affected individuals, although the E-Government Act does require agencies to make privacy impact assessments publicly available "if practicable", and some individual Federal departments, notably the Department of Defense, have implemented their own mandatory policies. Some states, for example California, also have their own statutes requiring disclosure. However, the national consensus currently seems to be that disclosure should be subject to risk assessment in individual cases. Nevertheless, there are growing calls for Federally driven mandatory disclosure, despite suggestions that there might be adverse side effects such as public panic or habituation due to the sheer number of leaks occurring.

The report highlights the notional costs to business of cleaning up after such breaches, a major component of which is informing customers whose credentials have been leaked. These costs can apparently exceed US$50 per customer, a factor that must loom large in risk assessments.
