Identity thieves were busy during 2014, but a new study estimates that U.S. consumers actually suffered fewer losses than in the past.

According to the 2015 Identity Fraud Study from Javelin Strategy & Research, the number of identity fraud victims decreased slightly last year, dropping by three percent from 2013. All totaled, Javelin estimates 12.7 million U.S. consumers were victimized in identity theft in 2014, compared to 13.1 million the previous year. Total fraud losses fell as well, dropping from $ 18 billion in 2013 to $ 16 billion in 2014.

In another bright spot in the report, new account fraud – where a scammer opens a new account in the name of the victim – appears to have hit a record low in 2014. The good news does not go much further than that however. The report also found that victims of new account fraud are three times more likely to take a year or more to discover that their identities were misused than victims of other types of fraud.

Additionally, while incidents of identity fraud may have declined, they had a lasting impact on the spending habits of some of the victims. According to the survey, 28 percent of the 5,000 people surveyed said they avoided merchants after being victims of fraud. In addition, individuals whose credit or debit cards were breached in the past year were nearly three times more likely to be an identity fraud victim.

While students were the least concerned about fraud, Javelin found students were actually the most impacted. Though 64 percent said they were unconcerned with fraud, the group reported feeling more impact when fraud occurred, with 15 percent classifying it as moderate or severe. Students are also the least likely to detect identity fraud themselves. Some 22 percent said they were notified of the situation by a debt collector or when they were denied credit, three times higher than the average fraud victim.

“Despite the headlines, the occurrence of identity fraud hasn’t changed much over the past year, and it is still a significant problem,” said Al Pascual, director of fraud & security, Javelin Strategy & Research, in a statement. “Consumers, financial institutions and retailers are all taking aggressive steps, yet we must remain vigilant. The criminals will continue to find new ways to commit fraud, so taking advantage of available technology and services to protect against, detect and resolve identity fraud is a must for all individuals and corporations.”

Tags:

• NEWS & INDUSTRY
• Cybercrime

Security firm Gemalto released a report on 2014 data breaches recently and the news was not good.

In its latest Breach Level Index report, the company revealed that one billion records were compromised last year in more than 1,500 data breaches worldwide. Compared to 2013, those numbers are an increase of nearly 80 percent in terms of data records and more than 40 percent in terms of breaches overall.

Gemalto’s Breach Level Index calculates the severity of data breaches across multiple dimensions based on breach disclosure information. Among the notable attacks included in the report are the Home Depot breach, the attack on JP Morgan Chase and the attack on eBay. 

“Easily at the top of the list in terms of the number of breaches was North America with 1,164 breaches, accounting for about three quarters of all breaches (76%),” according to the report. “Those attacks involved more than 390 million records, or 38% of the total.”

According to the data in the BLI, the main motive for cyber-criminals in 2014 was identity theft. Fifty-four percent of all data breaches were identity-theft related – more than any other category, including access to financial data. In addition, identity theft breaches accounted for one-third of the most serious incidents. Incidents where the compromised data was encrypted in part or in full increased from one percent to four percent.

“We’re clearly seeing a shift in the tactics of cybercriminals, with long-term identity theft becoming more of a goal than the immediacy of stealing a credit card number,” said Tsion Gonen, vice president of strategy for identity and data protection at Gemalto, in a statement. “Identity theft could lead to the opening of new fraudulent credit accounts, creating false identities for criminal enterprises, or a host of other serious crimes. As data breaches become more personal, we’re starting to see that the universe of risk exposure for the average person is expanding.” 

Broken down by industry, retail and financial services experienced the most activity compared to other sectors. Retail companies saw an increase in data breaches compared to 2013, and accounted for 11 percent of all breaches in 2014, according to the report. However, in terms of data records compromised, the percentage of retail records jumped drastically, from 29 percent to 55 percent. This was due in large part to attacks on point-of-sale systems, according to the report. 

In the case of the financial sector, the number of breaches remained relatively unchanged, though the average number of records lost per breach increased ten-fold. Overall, the number of data breaches involving more than 100 million compromised data records doubled compared to 2013. Most of the time, the malicious activity was traced to an outsider (55 percent), though 25 percent of incidents were tied to accidental loss. Fifteen percent were linked to a malicious insider. 

“Not only are data breach numbers rising, but the breaches are becoming more severe,” said Gonen. “Being breached is not a question of ‘if’ but ‘when.’  Breach prevention and threat monitoring can only go so far and do not always keep the cyber criminals out. Companies need to adopt a data-centric view of digital threats starting with better identity and access control techniques such as multi-factor authentication and the use of encryption and key management to secure sensitive data. That way, if the data is stolen it is useless to the thieves.” 

The full report can be read here.

Tags:

• NEWS & INDUSTRY
• Cybercrime

Dropbox released another transparency report on Thursday and announced that moving forward, it will do so every six months in an effort to keep the public informed of its interactions with authorities.

Bart Volkmer, a lawyer with the company, revealed in a blog post that Dropbox had received 268 request for user information from law enforcement agencies between January and June of this year. In addition, while he hasn’t specified an exact number due to restrictions, the Dropbox representative said there had been 0-249 national security requests.

The company received a total of 120 search warrants and provided content (files stored in users’ accounts) and non-content (subscriber information) in 103 cases. In response to 109 subpoenas, the company hasn’t provided law enforcement with any content, but it has produced subscriber details in 89 cases. While many of the requests came from the United States, the report shows that there have been a total of 37 requests from agencies in other countries.

Volkmer has pointed out that while these numbers are small considering that the company has 300 million customers, Dropbox only complies with such requests if all legal requirements are satisfied. He claims cases in which agencies request too much information or haven’t followed proper procedures are “pushed back.”

The report also shows that the rate of data requests from governments remains steady. An interesting aspect is that agencies keep asking Dropbox not to notify targeted users. However, customers are notified as per the company’s policies, except for cases where there’s a valid court order. A total of 42 users were notified when the file sharing service was presented with search warrants, and 47 individuals were informed in the case of subpoenas.

There haven’t been any requests from governments targeting Dropbox for Business accounts, the company said.

“We’ll push for greater openness, better laws, and more protections for your information. A bill currently in Congress would do just that by reining in bulk data collection by the US government and allowing online services to be more transparent about the government data requests they receive,” Volkmer said. “Another would make it clear that government agencies must get a warrant supported by probable cause before they may demand the contents of user communications. We’ll continue to lend our support for these bills and for real surveillance reform around the world.”

While many companies publish transparency reports to keep the public informed of requests from governments, interesting details can also emerge from court documents. A perfect example are a series of recently unsealed documents showing that US authorities threatened to fine Yahoo $ 250,000 a day if it failed to comply with PRISM, the notorious surveillance program whose existence was brought to light last year by former NSA contractor Edward Snowden.

Tags:

• NEWS & INDUSTRY
• Tracking & Law Enforcement