So much so, in fact, that ID Analytics co-founder Mike Cook said consumers needn’t always be notified if their personal data is compromised.
The company looked at four recent dangerous security breaches in its study — ones in which thieves uncovered sensitive information like social security numbers and other personal data — that involved roughly a half million consumers.
Although Cook would not reveal the names of the companies studied, he said one of them involved a “top five U.S. bank.”
Despite the frightening number of potential victims, Cook said only about 1 in 1,000 ended up having their identities stolen.
Interestingly, the ID Analytics study also found that the greater the security breach, the less likely stolen data was used to compromise a person’s identity.
“If you're in a breach of 100, 200 or 250 names, there's a pretty high probability that your identity is going to be used,” Cook said, comparing stolen information against fraudulent credit applications. “The reason for that is if you look at how long it takes a fraudster to use an identity, they can roughly use 100 to 250 in a year. But as the size of the breach grows, it drops off pretty drastically.”
Cook said the biggest hindrance to identity theft is the simple fact that most stolen credit card numbers are quickly cancelled, preventing any sustained illegal use. He also said that actually stealing someone’s identity is far more difficult than most people suspect, involving the piecing together of a long chain of disconnected data from multiple sources before identity can be fully compromised.
Because of this, the official stance from ID Analytics is that data breaches should not always be publicized, something consumers may not respond well to despite the reportedly small chance of becoming a victim.
“As far as notifications, we think there are certain instances where businesses might want to notify consumers and certain instances where they might not want to inform them,” Cook said. “For instance, if they lose data, and they don't know where it is, we think too many notices may not be a good thing. They should probably monitor that and spend dollars on consumers who are actually harmed, rather than spending dollars on 10 million [likely unaffected] consumers.”
Cook’s statement flies in the face of recent moves by Sen. Arlen Specter, R-Penn., and Sen. Patrick Leahy, D-Vt., both of whom are pushing Congress to enact tougher data security and consumer notification standards in the U.S.
The study also comes less than a month after a report from Internet security firm iDefense suggested keylogger programs that record user names, passwords, credit card data and other sensitive information without a user’s knowledge are becoming much more prevalent, growing 65 percent in the last year.
But the ID Analytics study countered that many incidents involving perceived identity theft are harmless, often perpetrated by people the victims know, and do not result in financial hardships or other serious implications.