Hackers steal more data but get less money

Better bank controls have impeded hackers to some extent

Published: March 03, 2015 08:00 AM
Home Depot was one of many businesses hit by a big data breach in 2014.

Hackers stole more than 85 million records in 783 reported data breaches in 2014, according to a report by the Identity Theft Resource Center. Several of the breaches impacted high-profile businesses, including Home Depot, JPMorgan Chase, Nieman Marcus, and Kmart. But hackers had a tough time turning all the data they stole into cash, according to an annual study of identity fraud released today.

Last year, 12.7 million U.S. consumers were victims of identity fraud, down 3 percent from 13.1 million in 2013, according to Javelin Strategy & Research, a consulting firm that has tracked this crime since 2003. The dollar amount stolen dropped even more—11 percent—to $16 billion last year from $18 billion in 2013. And, thanks to strong consumer protections, 89 percent of victims lost nothing out-of-pocket to existing-account fraud, which makes up the bulk of this crime and involves stolen debit and credit card account numbers.

What explains the decline in pilfered money?

"There was an extraordinary response by banks and businesses to stem the losses," says Al Pascual, director of fraud and security at Javelin. Payment-card transaction limits were lowered and false declines were cranked up on the compromised payment-card accounts; identity-protection services were offered free to most victims; and 95 percent of the cards compromised in the late-2013 breach of Target were replaced. 

Banks also stepped up their analytics when they found fraud on, say 1,000 credit cards, to determine if there was a common retailer where those cards had been used before the spree of unauthorized transactions. That strategy can reveal as-yet-unreported breaches, which, in turn, can prompt banks to put other cards used at that retailer on watch.

Although Javelin's findings provide welcome relief after a year of non-stop breach headlines, Pascual advises consumers not to let their guard down, because of the rise in the number of stolen Social Security numbers, thanks to this year's theft of 80 million Social Security numbers in the breach at Anthem, the nation's second-largest health insurer. "Stolen payment card data has a very limited shelf life, because those accounts get shut down, but SSN breaches leave you with a lifetime of exposure to new-account fraud," Pascual warns.

Last year, new-account fraud hit an historic-low incidence rate of just 0.29 percent of all consumers per year. But as credit card issuers replace today's easily counterfeited debit and credit cards with new EMV encrypted chip cards, identity thieves are expected to commit more new-account fraud, in which they use your SSN to open new credit lines, earn taxable income, and tap insurance and other benefits in your name, but without your knowledge.

Unfortunately, banks also make existing account fraud easy. "Two-thirds of the top 50 financial institutions use SSNs to let customers gain access to their checking accounts. A thief with your SSN can thus drain your account," says Pascual. 

5 ways to protect yourself from account fraud

  1. Place a security freeze on your credit reports at all three credit reporting agencies, Equifax, Experian, and TransUnion. A freeze shuts off access to your credit history by potential lenders you don't already have a relationship with. If a crook applies for a loan in your name, the creditor is less likely to approve it if she can’t see your credit file.
  2. Monitor your credit reports for free. A security freeze should reduce your need to become obsessive about monitoring your credit reports, but you should still keep an eye on them regularly. Get at least 15 free credit reports per year by starting with the three you're entitled to annually from each of the big three credit bureaus via annualcreditreport.com. You also have a right to a free credit report from each bureau each time you file a 90-day fraud alert, which you can and should do every three months if your financial information was stolen in a breach or you have a reasonable suspicion that you’re about to become a victim of identity fraud. These days, that would be about everyone. Opt for 90-day fraud alerts, not the seven-year extended fraud alert.
  3. Check your bank accounts daily for unauthorized activity by signing up for Internet access to your bank and credit-card accounts or by using a mobile-banking app. Because daily monitoring can be tedious, automate some of the chore with free account alerts that send e-mail or a text message when potentially fraudulent activities occur.
  4. Protect your mutual fund and retirement investment accounts. This is a relatively rare crime right now, but as easy credit card fraud gets harder, your investment accounts will become a bigger target. Why wait to take precautions? Get one step ahead of the crooks now.
  5. Consider requesting a replacement Social Security number as soon as you find evidence that a stranger is using your card to open new accounts in your name, access your bank deposit or investment accounts, or file fraudulent tax returns to steal your refunds. Our sources say the Social Security Administration rarely grants such requests, but here's how to get it done.

—Jeff Blyskal (@JeffBlyskal on Twitter)

E-mail Newsletters

FREE e-mail Newsletters! Choose from cars, safety, health, and more!
Already signed-up?
Manage your newsletters here too.

Money News


Cars Build & Buy Car Buying Service
Save thousands off MSRP with upfront dealer pricing information and a transparent car buying experience.

See your savings


Mobile Get Ratings on the go and compare
while you shop

Learn more