Monday, November 12, 2007


The latest report to be published on whether identity theft is a “real” threat to consumers says that the victims of the smaller data breaches are more likely to suffer harm than the victims of the larger ones. Wal-Mart and the banks that issued the credit cards exposed in the biggest breach ever, TJX (TJ Maxx, Marshalls), which resulted in 94 million lost credit card numbers, may not agree. They were out over $8 million in a Florida crime spree, according to InfoWorld. Businesses are victims, but unlike the consumer, they have the ability to pass these losses on to their customers. So it’s the little guy who eventually pays the bill, and the one who ends up saying, “where the hell do these people get their conclusions?”

ID Analytics, a company in San Diego that analyzes identity risk through identity scoring for the financial community, retail trade, telecommunications, e-commerce, insurance and government, and has a program to alert consumers of their potential for ID theft, just released a new study on the issue. (See article) All of this obviously requires a huge database—yes, another one—of public and private information, which includes three billion identity elements, allowing them to evaluate more than 700 million events for identity risk. Eight million new data elements are added daily, continually updating their analyses.

I don’t know over what period of time their scrutiny has taken place, but their report states that the crooks move through stolen data quickly, moving on to the next breach within two weeks. From what I know, and there is agreement here from several other privacy advocates, the bad guys have become so sophisticated that they are now building databases of the spoils of their theft of personal data so that they can use it at the opportune time, like one year later, once credit monitoring is over.

Matt Hines, in the InfoWorld article, comments on another of ID Analytics’ conclusions, that “there is no evidence that fraudsters misusing breach data have been selling the information broadly, or distributing it over the Internet.” Hines takes issue with this conclusion and asserts: “Almost every data security expert you talk to will tell you that these underground ID data marketplaces exist, but, clearly in the case of the 10 million records that ID Analytics researched, there wasn't much evidence of this trend.” Apparently no one at ID Analytics looked at Chris Hansen’s two-part NBC “Dateline” show (Episode 1, Episode 2) back in July, where they intentionally exposed personal data, including a Social Security number, which ended up for sale on the underground Internet in less than an hour. Perhaps ID Analytics would like to reply to these allegations, since there seems to be such wide disagreement with their results.

My concern is that we are hearing too many reports of this nature, when even the majority of business and government are admitting that we have an identity crisis, and that there is as yet no clear solution. But there really is: Give consumers control over their names and personal data.