Utah Breach: The Potential Costs
Hacking Incident Might Lead to Massive Fraud, Researcher Says
In the March 2012 incident, hackers from Eastern Europe broke into a Utah state server containing data for the Department of Health. The compromised data on 780,000 individuals included 280,000 Social Security numbers (see: Post-Breach: Utah Boosts Info Security).
"We haven't learned very much from law enforcement about [fraud] activities connected to this breach," Pascual acknowledges in an interview with Information Security Media Group. But financial fraud resulting from a breach can take a long while to play out as criminals use Social Security numbers to open new lines of credit or commit other forms of fraud, such as account takeover, the researcher says.
Pascual projects that, based on Javelin's research on the impact of other major breaches involving Social Security numbers, the Utah incident could eventually result in 122,000 cases of fraud. And that fraud could have a total financial impact of as much as $406 million, much of that hitting retailers and the financial industry, he contends. That's based on Javelin's estimate of an average financial impact of $3,327 for each fraud victim after a breach of this nature.
"Consumers will be on the hook for about $94 million," he predicts. In addition to certain direct costs of fraud, those costs to consumers include victims taking time off from work to address the fraud, including filing police reports, securing a lawyer and child care services, he says.
Series of Reports
The Utah breach is the first of four major incidents that Javelin is analyzing for potential fraud costs in a series of reports.
The fraud cost projections for the Utah breach are based on the research methodology and correlations used by Javelin in its recent study, 2013 Identity Fraud Report: Data Breaches Becoming A Treasure Trove for Fraudsters. That annual study has surveyed 48,200 respondents over the last 10 years, according to Javelin (see Report: 28% of Breaches Lead to Fraud).
The fraud estimates are so high for the Utah breach because of the large number of Social Security numbers that were stolen, he says. "When Social Security numbers are used for fraud, it's for the worst types of fraud, the most expensive types, like account takeover or new account fraud."
In the interview, Pascual also discusses:
- The estimated costs of between $2 million and $10 million for the state of Utah to respond to the breach;
- The "stark contrast in the level of transparency" he sees between how breach response is handled by government agencies versus private enterprises;
- The correlation between breaches and fraud.
"Year over year ... the correlation between data breaches and fraud is increasing," Pascual says. "In 2010 if you were a victim of a data breach, there was a one-in-ten chance you would be a victim of fraud. ... But in 2012 [those chances have climbed to] one-in-four," he says.
Pascual leads Javelin's security, risk and fraud practice. Javelin is the research division of Greenwich Associates, a consulting firm. Pascual began his career with the banking institution HSBC. While working in HSBC's borrower verification department, Pascual performed enhanced due diligence investigations of high-risk loans. He later joined Goldman Sachs' fixed income, currency and commodities division, serving on its mortgage fraud investigations team. Later he joined Fidelity National Information Services, now FIS Global, to oversee data-driven investigations of organized payment fraud groups in the U.S. Pascual is a member of the Association of Certified Fraud Examiners and the International Association of Financial Crimes Investigators.