The breaches that came to light during summer of 2018 have come in all shapes and sizes. A recent breach at reservation software platform FastBooking, for instance, affected at least 400 hotels in Japan, while one at Ticketmaster UK affected 40,000 people in the U.K. Both exposed their customers’ names and contact and financial information. But a breach at Florida-based marketing and data aggregation firm Exactis exposed much, much more.
According to Wired magazine, up to 2 terabytes of data was stolen from Exactis. While the data did not include financial information or Social Security numbers, it did include contact information and marketing data on people’s personal characteristics, interests and habits.
To be sure, these breaches pose a risk of fraud for all those affected. But whether such fraud rises to the level of identity theft — the most menacing type — is another matter. Such a risk is not determined by a breach’s size and scope, but the type of data and the victims it compromises, and even the length of time since it happened.
Here’s a look at three factors that can increase the chances of identity theft risk post-breach:
1. The golden ticket: Social Security numbers
Eduard Goodman, global privacy officer at identity and data protection company CyberScout, said that Social Security numbers “really are the golden ticket” for allowing cybercriminals to open up a line of credit in someone else’s name and get access to their vital financial accounts. And while the breaches of financial information such as credit card information and of personal information like that held by Exactis can lead to financial fraud and other scams, the identity fraud risk they pose is limited.
But breaches that don’t include Social Security data can still land a company in a world of legal trouble. Exactis, for instance, is facing a class action lawsuit in Florida, which alleges theft of personal information, improper disclosure of personal information, untimely and inadequate notification of the data breach, and unauthorized charges on debit and credit card accounts.
In 2016, the U.S. Supreme Court ruled in Spokeo v. Robins that those seeking damages against breached companies must allege injury that is “particularized” and “concrete.” While it is easier to allege such injury when identity fraud comes into play, it is also possible when considering lesser types of fraud as well.
2. The identity theft time bomb?
The September 2017 breach at Equifax, which compromised the personal information of over 145 million U.S. consumers and included Social Security numbers, was one of the biggest cyber incidents in the history of the U.S.
Still, there has yet to be a tsunami of identity theft cases against Equifax. And while, according to The 2018 Identity Fraud Study released by Javelin Strategy & Research, the number of identity fraud cases in 2017 did increase to 16.7 million from 15.4 million in 2017, the 6.6% increase does not seem as high, given the sheer number of Social Security numbers compromised.
So what gives? For Goodman, the lack of a surge in identity theft is far from surprising. After all, “In all the grand scheme of things, in the criminal world, identity thieves are one of many subsets of crimes,” and are likely taking time to shift through the compromised data they have.
“What people have to remember is that there are long-term consequences,” added Justin Daniels, a shareholder at Baker, Donelson, Bearman, Caldwell & Berkowitz. “What people don’t always appreciate is that when your information gets hacked, it doesn’t mean they are going to use it right away.”
Cybercriminals may also be motivated to play the long game, given that many will be closely monitoring their credit directly following a breach, but may be less vigilant as time passes, meaning identity fraud can potentially go undetected years later.
3. Young and old, educated and rich
With a wealth of stolen personal data at their finger trips, identity thieves have the luxury of picking their targets. And usually, they go after a few key demographics who may be ill-prepared to recognize or respond to identity theft.
Carl Wright, chief revenue officer for security testing company AttackIQ, noted identity thieves will usually focus on age certain groups, such as children, seniors over the age of 50, and young adults, more than others.
Related: 5 tips to prevent and mitigate the effects of identity theft
The reasons for targeting each group varies. Children do not actively manage their personal data, but they can get access to credit cards on their parent’s accounts, meaning identity fraud can go unnoticed for a long time.
Meanwhile, young adults aged 18 to 27 “don’t have a lot of credit built up, so there is not a lot of data on these folks” to help discern fraudulent credit activity from normal activity, Wright said.
On the other hand, seniors are ripe targets because of the retirement accounts or investments they may hold. Wright noted that “the more you have going on, the easier it is for someone to do something small and go unnoticed.”
Besides targeting certain age groups, cybercriminals are also likely to steal the identities of those over a certain income level. The risk of identity theft “exponentially increase if the household makes more than $50,000 and up,” Wright said, adding that identity theft happens more in states with wealthier populations, such as New York, California, Texas, and Florida.
Related: How to protect your child from identity theft
Rhys Dipshan ([email protected]) is a New York-based legal tech reporter covering everything from in-house technology disruption to privacy trends, blockchain, AI, cybersecurity, and ghosts-in-the-machine.