A data breach is a security breach that results in the unauthorized publication of data as well as its wrongful modification, damage, and failure. It is a security incident in which sensitive information is deliberately or inadvertently leaked to an untrustworthy setting. This data may be copied, viewed, distributed, hacked, or used by an unauthorized person. Unique Identifiable Information, personal health and academic information, financial information, user accounts, intellectual property secrets, and corporate trade secrets are all examples of data breaches (Finklea, 2010). Personal identifiable information: This is the data that can be used to identify an individual, locate them and also contact them. Examples of this information include name, birth certificate details, residential address, social security number, and phone number. This data distinguishes one individual from another. There are different ways that attackers can use this information.
Financial information: This refers to the data that a person uses to carry out money-related activities. Examples of such include banking account numbers, secret codes, and insurance information. Criminals with access to this type of information can significantly damage the financial standing of a victim (WilliamRoberd & L.Schreft, 2009).
Healthcare and education information: An individual uses health-related data for medical purposes. Examples include hospital records, prescriptions for specific conditions or allergic reactions, and medical insurance. This data can be used to buy prescription medicine and can lead to potential drug abuse. Educational information refers to transcripts, school records, and certificates (Finklea, 2010).
Payment card information: This is the data contained in a person’s payment cards such as credit and debit cards. This information can be used to carry out immediate transactions online.
User credentials: This refers to the information that is used to verify the identity of an individual online such as usernames and passwords. They control online activity such as online banking, emails, online shopping sites, social networking accounts, and even device accessibility. Once a criminal gets access to emails, they can use it to change the login details for other sites and consequently pull off espionage attacks. For example, if a data breach occurs and a cybercriminal manages to log in to a victim’s email account, they get access to billing details for credit cards, bank account information, health care access codes, and links to social media sites and secondary email addresses (Logweller, 2009).
Many data breaches encompass overexposed and unstructured data such as documents, sensitive information, and files. The release of information occurs through loss of digital media in devices after which the data gets stored online unencrypted. This information can also be posted on another computer that is accessible from the internet lacking appropriate data security safety measures. It is then transferred to a system that is not adequately credited for security at an accepted level such as unencrypted emails or to information systems of hostile agencies. These agencies include competing organizations or foreign nations whereby it is exposed to intensive decryption techniques. The concept of a trusted environment is somewhat fluid. This is because retailers store customer information after every purchase and use it for marketing purposes. They can also sell this data to third-party agents who use it to tailor-make their advertising campaigns for different target markets. This data is highly targeted by criminals for malicious purposes. In other instances, data that was perceived to be secure might no longer be safe because a trusted member of staff who retains user privilege to data after termination has the potential of becoming a security threat. The threat from insiders is a major cause of data breaches. The people working inside an establishment cause more data breaches than external threats such as hackers, cybercriminals, and state-sponsored actors. More often than not, data breaches are rectified before the damage becomes widespread. If not handled appropriately, they lead to identity theft among other crimes (Organisation for Economic Co-operation and Development., 2009).
Identity theft takes place when someone gains unlawful access to information that had been lost during a data breach and uses it to commit fraudulent activities usually gaining a financial advantage in the other person’s name. Such data includes personally identifying information, financial information such as bank account information, driver’s license number, electronic signatures, fingerprints, passwords, credit card number, name, and social security number. In other instances, identity thieves take up the identity of an unsuspicious individual entirely by acquiring identification that bears the person’s name then they use it to commit crimes as that person. It is usually not a stand-alone crime, rather a part of a larger crime. It is estimated that about 9 million Americans fall victims of identity theft annually. The vice has become a goldmine for cybercriminals whereby in 2016, about $16 billion in losses were experienced. The numbers keep fluctuating because the tactics used to steal identity and the crime-fighting techniques that are used by the police change over time. Many users are usually unaware that they have been compromised until they get surprised with the consequences of the identity fraud such as low credit scores and negative account history (Nicole & Meulen, 2011). The cost of identity theft is both financial and psychological. Victims are caught unaware leading to shock and stress. It takes up time before one can clear their name usually in years. In other instances, they are unable to get home loans approval, credit card approval, and lack employment if credit-worthiness is a requirement for the job (Finklea, 2010).
There are various categories of identity theft. These include financial identity theft, synthetic identity theft, identity cloning and concealment, child identity theft, criminal identity theft, and medical identity theft. Identity cloning takes place when an identity thief impersonates another individual to hide their true identity in real life. Such examples include illegal immigration and disguising creditors. Criminal identity theft takes place when a criminal refers to himself as another individual to police through the use of fake pre-acquired identity cards. Synthetic identity theft occurs when identities are entirely or partly fictitious. For example, the combination of a name and date of birth that is not real with a real social security number. In most instances, when a fraudster acquires credit, it becomes a loss to the creditors. Medical identity theft happens when an individual acquires medical care under another person’s identity. Child identity theft takes place when someone uses the details of a minor to acquire personal gain such as attaining a new driver’s license. Finally, financial identity theft is one in which fraudsters gain monetary benefits in another person’s name (Archer & al, 2012).
Identity thieves have motives that drive their activity. These include but are not limited to criminal financial gain. The hackers gain financial benefits such as stealing credit card numbers and manipulating bank systems. They also seek to increase their reputation among fellow hackers to be recognized. Identity thieves also work for companies as spies to gain access to information about products and services and use it as leverage within the marketplace (Anderson, Durbin, & Salinger, 2008).
Steps involved in Identity Theft
A typical identity theft operation can occur both physically or remotely. The stages involved in any identity theft operation include:
Research: The criminals identify individuals who, when successfully attacked, they will have greater benefits. They look for any underlying weaknesses in a system such as a company’s network.
Attack: They proceed to make initial contact either socially or through a network. A network attack occurs through system weaknesses such as Wi-Fi and online attacks such as malware and phishing. A social attack involves the use of an insider that has user-privilege who hands over their login credentials either willingly or unknowingly.
Exfiltration: The attacker gets into one computer and attacks the network through it. He gains access to confidential data that he had targeted. They proceed to send this Personal Identifiable Data to payment networks who in turn compile it so that it matches the transactors and their transaction histories. The payment networks are the facilitators of trade in the black market (Otto, Antón, & Baumer, 2007). The techniques employed to get this data include individually tailored phishing scams, vishing techniques, successful hacks through commercial and government databases, and creation of elaborate networks of botnets that hijack millions of computers leaving no trace.
How identity theft occurs
Identity theft occurs through several ways. From simple means such as shoulder surfing and loss of devices to complicated methods such as hacking public computers and unsecured websites, the most common ways in which hackers steal identity are: Use of public records about citizens and going through the published official registers such as electoral rolls.
Data retrieval from redundant Information Technology equipment and storage devices such as Personal Computers, servers, Personal Digital Assistants mobile phones, and memory sticks. These items might have been dumped off carelessly or sold without having been well cleaned.
Identity theft also occurs through IT users that abuse their privilege and acquire data stored in their fellow employees’ systems.
Unsecured websites: Whenever an individual makes a purchase online there is a risk of the information being intercepted by an identity thief. This occurs through unsecured websites. Similarly, weak passwords can be guessed and changed through password reset questions. Social networking sites are also used whereby an individual creates a profile similar to his/her victim.
Dumpster diving: Old bills, financial statements, salary slips, and business records that people throw in the trash contain personal information such as address, name, account numbers and credit worth of an individual. When a dumpster diver pieces together this information from torn papers, they can use it to open bank accounts or assume identity entirely (WilliamRoberd & L.Schreft, 2009).
Mail theft: When criminals steal a person’s mail, they can take advantage of the information they get such as using a pre-approved credit card offers, new credit cards, and bank statements.
Phishing and SMiShing: In phishing, identity theft occurs through malicious emails that ask the victim to verify their financial information or do a fresh registration on a fake company’s website. In so doing, identity thieves capture data that they use for their fraudulent activities. SMiShing is similar to phishing although it occurs through a text message instead of an email (Finklea, 2010).
Wireless hacking: Identity thieves do this by connecting to public Wi-Fi networks and other unsecured home networks searching for personal information. They install logging software that tracks often visited websites stealing passwords in the process.
ATM and payment machines: Thieves can steal an identity by shoulder surfing while a person is entering their PIN code in the ATM. They can also rig the payment machines by installing an additional device onto an existing ATM or credit card reader in a process called skimming and steal this financial information or withdraw all the money (Archer & al, 2012).
What happens to the stolen information?
The type of information stolen determines where it ends up. Identity thieves use the personal information to carry out crimes such as applying for credit cards or taking up loans. Through the use of a person’s address, social security number, name, and date of birth, one can open a credit card and apply for a loan. The credit cards accumulate unusual charges that the victim is not aware of until it’s too late. They also never pay up the loans, causing the financial institutions to contact the victim (Trend Micro, 2017).
Hackers also use the personal information to intercept and poach tax refunds. They file fake tax returns by using the name, date of birth, and social security number, of the victim. This mostly happens to people who wait until the last minute to file for tax returns. They discover that their tax information was tampered with only when they file their tax return and it gets rejected (Anderson, Durbin, & Salinger, 2008).
Information stolen by hackers can be used to cover medical treatment. They do this through the use of health insurance account numbers and the social security number. They receive prescriptions, treatment, and other medical procedures by using a victim’s details. In so doing, they impose additional bills to the victim and mix up medical reports that might pose a health risk (Trend Micro, 2017).
Additionally, stolen information can be used to open utility accounts such as gas, cellphone, landline services, cable and satellite television services, water service, internet payment services, and electricity. The impersonator proceeds to spend under that account without the knowledge of the victim. In other instances, the thieves call their target and pretend to be agents of the utility company in question. They fraudulently ask for information which they proceed to use for malicious purposes. (Nicole & Meulen, 2011)
Another way in which hackers use stolen personal details is taking advantage of the victim’s air miles. Using emails and the stolen passwords, hackers book trips using stolen airline miles or redeem cash through the websites that buy miles (Trend Micro, 2017). The following table summarizes the types of stolen information and what happens to it.
Figure 1: Likely scenarios for stolen information
PII (Personal Identifiable Information)
PAYMENT CARD INFORMATION
Using information for blackmail, hacktivism, and extortion
Making duplicitous insurance claims and buying prescription medicine
Create forged cards, repaying bills and money transmission
Apply for loans file fraudulent tax returns and Identity fraud
Launching spam and phishing attacks
Randomly buying items online
Source: Trend Micro, 2017
Figure 1 explanation: the stolen information undergoes many likely scenarios. Most of it ends up being peddled in the data black markets. Depending on the kind of data, the criminals find different uses for it.
Who is prone to identity theft?
Certain individuals are more susceptible to identity theft because of their popularity and income levels. People that earn an about $100,000 are 75% likely to be targeted in identity theft as compared to those making less than $25,000. Many consumers are not aware of their responsibility to protect themselves from identity theft. When such incidents occur, they blame any business associate or the company that they do with business. Identity theft occurs during various instances. When a customer is shopping online over public Wi-Fi connections, they put their information at risk. It also occurs when one allows others to use their online account names and passwords. Other instances when identity theft takes place include letting other people know the unlocking patterns and passwords for their mobile devices such as phones and tablets and sharing payment card numbers and PINs. Allowing other people to use their PIIs to land a job or apply for financial services is also a threat as well as failing to enroll in credit monitoring and identity theft protection services. Individuals should not ignore their responsibility to regularly monitor their credit information. It is worth noting that imposters are often people well-known to the victims hence the threat is not so far away. This could be a family member, a relative, a business partner, and a former employer or employee (Mitchell, 2001).
Mitigating Identity Theft
Due to the delicate nature of information, mitigation is necessary to protect oneself and the organization. One way to minimize the risk of data breach and identity theft is data quality techniques. It enables the owner of the data to rate it according to the level of its importance. Thus, the data can be given protection depending on how important it is to an organization or an individual. Stronger security measures should be implemented on devices. Even the devices that are marked redundant should be properly sanitized to ensure that hackers do not find anything when they lay their hands on them. Users should also adhere to strict online discipline. They should not click on suspicious links, programs, or applications. Also, one needs to limit the amount of personal information available online because identity thieves target it to perform malicious activities. A careful watch over social media accounts is necessary to avoid remaining logged on many devices. In addition, one should always shop at secured sites only. They should also enroll in identity prevention services. To avoid physical weaknesses, users should always shred documents that they intend to throw in the trash. They should also keep the mailbox locked and limit the number of physical mail that they want to receive (Mitchell, 2001). Merchants should always protect their websites using compliance techniques that protect all payment gateways. In addition, SSL certification should be obtained to increase the level of security of the website’s payment page. It is also crucial to invest in fraud prevention and detection software (Finklea, 2010).
Anderson, K. B., Durbin, E., & Salinger, M. A. (2008). Identity theft. Journal of Economic Perspectives, 2(22), 171-192.
Archer, N. P., & al, e. (2012). dentity theft and fraud : evaluating and managing risk. Ottawa: University of Ottawa Press.
Finklea, K. M. (2010). Identity Theft: Trends and Issues. Ft. Belvoir: Defense Technical Information Center.
Logweller, C. S. (2009). Identity theft breaches. New York: Nova Science Publishers.
Mitchell, S. (2001). How to Survive a Data Breach. a pocket guide. New York: IT Governance Pub.
Nicole, v. S., & Meulen, d. (2011). Financial identity theft : context, challenges and countermeasures. Berlin: Springer-Verlag.
Organisation for Economic Co-operation and Development. (2009). Online Identity Theft. Paris: OECD Publishing.
Otto, P. N., Antón, A. I., & Baumer, D. L. (2007). The choicepoint dilemma: How data brokers should handle the privacy of personal information. IEEE Security & Privacy, 125-135.
Trend Micro. (2017, June 21). What Do Hackers Do With Your Stolen Identity? Retrieved from Trend Micro Security: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/what-do-hackers-do-with-your-stolen-identity
WilliamRoberd, & L.Schreft, S. (2009, October). Data breaches and identity theft. Journal of Monetary Economics, 56(7), 918-929.