ncl consumer data insecurity report: examining data breaches june 2014
DESCRIPTION
The National Consumers League #DataInsecurity Project has released a new survey of identity fraud victims, which finds that Americans are urgently calling out for government action on the growing threat posed by data breach and identity theft. The study, conducted in partnership with Javelin Strategy & Research, shows that the consumer impact of data breach is indeed severe: 61 percent of data breach victims surveyed reported that the breached information was used to commit fraud against them. What’s more, nearly half of victims--49 percent--do not know where the information used to defraud them was compromised.
TRANSCRIPT
The Consumer Data Insecurity Report: Examining the Data Breach — Identity Fraud Paradigm in Four Major Metropolitan Areas
Sponsored by: Independently produced by:
CONTENTS
Foreword
Overview
Executive Summary
Key Findings
  General
  Business
  Government
Metropolitan Area Fraud Victim Profiles
The Data Breach — Identity Fraud Paradigm
How Consumers React to Fraud
Victims’ Expectations
Methodology
Appendix
TABLE OF FIGURES
Figure 1: Fraud Victims Who Received Data Breach Notifications, by Metropolitan Area
Figure 2: How Compromised Information Was Misused, by Metropolitan Area
Figure 3: Types of Fraud Experienced by Fraud Victims, by Metropolitan Area
Figure 4: Type of PII Breached and Misused, by Industry
Figure 5: Type of Financial Account Information Breached and Misused, by Industry
Figure 6: Type of Organization Where Information Was Compromised
Figure 7: Number of Identity Fraud Occurrences for Data Breach Victims and Non-Data Breach Victims
Figure 8: Actions Taken by Victims as a Result of Experiencing Identity Fraud
Figure 9: Agencies Contacted After Fraud by All Fraud Victims and Victims Whose PII Was Breached, by Type of Organization Where Breach Occurred
Figure 10: How Fraud Affected Data Breach Victims’ Level of Trust, by the Industry Where Breach Occurred
Figure 11: Data Breach Fraud Victims’ Level of Confidence That the Industry in Which Breach Occurred Could Protect Them From Future Fraud
Figure 12: Perceived Effectiveness of Fraud Prevention Activities Among All Fraud Victims and by Metropolitan Area
Figure 13: Industries That Should Be Held Accountable and Business Avoidance Postbreach, by Fraud Victims Whose Information Was Breached at FIs, Retailers, and Other Organizations
Figure 14: Organizations That Should Be Held Responsible for Protecting Accounts During Recent Fraud, According to Non-data breach Victims and Data Breach Victims
Figure 15: Organizations That Should Be Held Responsible for Restoring Identity After Recent Fraud, According to Non-data breach Victims and Data Breach Victims
Figure 16: Agreement With Statement, by Type of Organization Where Information Was Breached
Figure 17: Fraud Victims’ Attitudes Regarding Data Breaches
Figure 18: Agreement With Statement, by Metropolitan Area
Figure 19: When Notification Should Be Provided After a Data Breach, by Fraud Victims
Figure 20: Type of Organization Where Information Was Compromised, by Most Recent Fraud incident
Figure 21: Information Compromised in Most Recent Fraud Incident, by Victim Type
Figure 22: Rate of Fraud Victimization by Type of Data Breached
FOREWORD
This white paper was sponsored by the National Consumers League. It explores the
attitudes, experiences, and perceptions of fraud victims in four metropolitan
areas: Chicago, Los Angeles, Miami, and Minneapolis. The white paper was
independently produced by Javelin Strategy & Research, a Greenwich Associates
LLC company. Javelin maintains complete independence in its data collection,
findings, and analysis.
OVERVIEW
As the use of consumers’ personally identifiable information (PII) by businesses
continues to evolve, sensitive data is constantly being placed at risk of
compromise. To ensure that consumers can take necessary actions to protect
themselves after a breach has occurred, 47 states have enacted data breach
notification laws.1 Yet despite the patchwork of state laws and industry-specific
federal legislation and regulations,2,3 the past couple of years have been especially
trying for both consumers and breached organizations. Among all types of
sensitive data, financial information is most favored by criminal organizations,
which are now more than ever successfully targeting this data for theft and
subsequent misuse.

To better understand the data breach-identity fraud paradigm, Javelin surveyed
fraud victims in four major metropolitan areas across the U.S.: Chicago, Los
Angeles, Miami, and Minneapolis. In comparing the experiences of fraud victims
who had suffered a data breach with those who did not, the effects of data
breaches on the integrity of consumer identities are readily apparent. It is evident
that data breaches have become part of the public consciousness, specifically
because of their role in facilitating identity fraud. This has severe implications for
all stakeholders, as affected consumers are holding a variety of organizations
accountable for failing to protect their PII from being compromised, bought, sold,
and misused by fraudsters, hackers, and other criminal entities. Changing the
status quo is critical to maintaining consumer trust in an environment where PII is
successfully stolen en masse, on an all too regular basis.
1 http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx, accessed June 2, 2014.
2 http://ithandbook.ffiec.gov/media/resources/3372/frb-sr-05-23.pdf, accessed May 14, 2014.
3 http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html, accessed June 2, 2014.
EXECUTIVE SUMMARY
Despite the broad patchwork of data security breach notification laws and
regulations currently in place, data breach-fueled identity fraud is on the rise. In
2013, nearly 1 in 3 data breach victims suffered identity fraud, compared with 1 in
9 in 2010.4 Yet not only has the actual connection between data breaches and
fraud continued to grow, but also media coverage of recent high-profile data
breaches has served to reinforce the connection between data breaches and fraud
in the minds of consumers. Consumer trust is of paramount value for businesses,
and being compromised in a data breach puts these businesses at risk of losing
customers.

Businesses are being heavily targeted for financial account information by
criminals and hackers, which has contributed to the substantial growth of certain
types of identity fraud. Nationally, there was a dramatic increase in the volume of
existing card fraud (ECF), which grew from $8 billion in 2012 to $11 billion in total
fraud losses in 2013.5 Examining the experiences of fraud victims in four major
metropolitan areas reveals that while there are some similarities related to
national fraud trends among victims in these separate regions, there are also
important distinctions among them.

Consumer awareness of breaches is on the rise, as all consumers, and fraud
victims specifically, were more likely to be notified of a data breach in 2013,
compared with 2012.6 Given such awareness of imminent or potential threat to
their identities, consumers believe that taking appropriate steps to safeguard their
data will help with protecting their identity. Unfortunately, certain remedies that
have been relied upon by affected organizations and promoted by government
officials are ineffective in the prevention of fraud in many cases, yet continue to be
prescribed to victims.
4 2014 Identity Fraud Report: Card Data Breaches and Inadequate Consumer Password Habits Fuel Disturbing Fraud Trends, Javelin Strategy & Research, February 2014.
5 Ibid.
6 Ibid.
Fraud victims themselves do not seem to discriminate between business
organizations and financial institutions when assigning blame for a data breach. In
reaction to a data breach, victims will specifically avoid doing business with
affected organizations — diminishing the future profitability of these businesses.
And while victims hold all organizations involved accountable for information
compromise, they feel differently as to who is responsible for protecting accounts
and undoing damage caused by fraud, based on whether their lost information
was compromised in a data breach or an event unrelated to a data breach.

According to victims, the government has a significant role to play and issues to
address in the fight against data breaches. Victims expect the federal government
to ensure that businesses adhere to data security standards, while at the same
time they believe that existing regulations are generally insufficient. Tacit support
from victims for stronger federal protections has joined the chorus of voices from
the financial industry who had supported changes to previously proposed
legislation. While the passage of a national data breach law has remained elusive,
the damage that breaches represent to the integrity of consumer identities and
the success of businesses might prove too difficult for legislators to continue to
ignore.
KEY FINDINGS
General
While data breaches are the predominant source of misused credentials, data
breach notification might help prevent against multiple fraud incidents.
Defrauded data breach victims overwhelmingly attribute their fraud to the breach
of their credentials (61% say they are certain that this was the source of the
misused credentials). However, data breach victims are 15% less likely to suffer
multiple fraud events compared with all fraud victims (50% vs. 59% suffered only
one fraud incident).

Nearly a third of fraud victims fails to take any action to prevent further fraud.
This means that victims are more likely to take no action than to respond to the
fraud in any other way. The second and third most common actions taken are
receiving email or mobile alerts about credit card or checking accounts (24%) and
putting fraud alerts on credit reports (23%).
Business
Breaches gravely affect consumer confidence, especially for retailers. Six in 10
victims whose information was compromised in a retailer breach said their level of
trust in the retailer declined significantly. This diminished confidence is less for
victims of breached FIs (28% say their confidence declined significantly). Retailers
are also up against the lowest degree of confidence in their ability to protect
victims’ information in the future. Only 10% of victims whose PII was breached at
a retailer were very confident that the organization could protect them from
future fraud.

Large retailer breaches are a locus of data breaches and consumer fraud. Half of
defrauded data breach victims indicate that their information was compromised in
a large retailer data breach. Further still, among those defrauded data breach
victims who knew that breached information was used to commit the fraud, 33%
say that the information was compromised from this same segment of businesses.
Victims believe not only businesses but also FIs should be held accountable, with
1 in 5 victims avoiding doing business with these organizations after his or her
information is breached. Fifty-two percent of fraud victims believe businesses and
organizations should be held accountable in the wake of a data breach, and 48%
say the same of FIs. Nineteen percent of victims whose information was breached
at one of these locations say that they would avoid doing business with the
organization in the future.

Organizations should prepare for more stringent federal legislation regarding
data protection, and continued consumer lawsuits. Just over a quarter of fraud
victims believe that current federal data security requirements are sufficient for
protecting health care and financial data. This indicates there is political will for
passing pending national legislation for greater accountability for all custodians of
sensitive PII. Victims also overwhelmingly believe that consumers should be able
to take legal action against breached organizations regardless of where their
information was breached.
Government
Immediate and comprehensive data breach notifications are needed. While
nearly 9 in 10 victims believe that data breach notifications should be immediate,
most states make allowances for delayed notifications.7 Data breach notifications
offer an opportunity for organizations to educate affected consumers about the
circumstances of the breach, their effect on the integrity of consumers’ identities,
efforts undertaken by the breached organization to protect their identities going
forward, and how consumers can ultimately protect themselves. The current
patchwork of state laws and federal regulations are proving insufficient as the
connection between breaches and fraud has never been stronger and as
consumers vote with their wallet, changing their patronage behaviors postbreach.
7 http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx, accessed June 2, 2014.
Government should facilitate the cooperative development of a clear, actionable
set of data security best practices. The business community is well incentivized to
stand side-by-side with consumers in advocating for change. Among affected
industries, consumers indicate that they are most likely to lose trust in retailers
after a breach. For this industry especially, in light of continued media scrutiny and
pressure from the financial industry and government officials, participating in
efforts to shape the national debate is crucial. Government must do more as only
28% of victims consider existing federal regulations to be sufficient for protecting
sensitive information such as financial account data and protected health
information (PHI), yet 70% believe the federal government should be responsible
for ensuring that businesses meet data security standards.
METROPOLITAN AREA FRAUD VICTIM PROFILES
The threat that data breaches represent to the integrity of consumer identities is
not unique to any region of the country. Examining the experiences of fraud
victims in four metropolitan areas, though, reveals that while there are some
similarities among victims in these separate regions, there are also important
distinctions among them.

Javelin’s annual identity fraud study elucidates the strong correlation between
data breach and identity fraud. This connection is prominent in the areas
highlighted in this study — in Los Angeles and Miami, 4 in 5 fraud victims had
received a breach notification. This effect is comparatively subtle in the Midwest
cities — in Chicago a little over 7 in 10 had received a breach notification, while in
Minneapolis 2 in 3 received a breach notification (see Figure 1).
4 in 5 Fraud Victims in Los Angeles and Miami Have Been Notified That Their PII Was Compromised in a Data Breach
Figure 1: Fraud Victims Who Received Data Breach Notifications, by Metropolitan Area
[Bar chart, percent of fraud victims: Chicago 72%, Los Angeles 82%, Minneapolis 66%, Miami 80%.]
Q8. Have you EVER been notified by a business or other institution that your personal or financial information has been lost, stolen or compromised in a data breach?
May 2014, n = 50. Base: Fraud victims by metropolitan area.
© 2014 Javelin Strategy & Research
When it comes to information misuse, making quick purchases seems to be the
most effective way for criminals to use stolen information. In 2013, online
purchase (40% of fraud victims) and in-store purchase (36%) were the leading
methods in which fraud victims’ information was misused, according to Javelin’s
annual ID fraud study.8 The same holds true for fraud victims in Chicago, Los
Angeles, Miami, and Minneapolis. While in Minneapolis, online purchase (50%)
trumps all other areas in the extent of victims affected by this method (See Figure
2), in-store purchase seems to be the most common method for information
misuse in Los Angeles (44%) (See Figure 2).
Nationally, there was a dramatic increase in the volume of ECF, with total fraud
losses growing from $8 billion in 2012 to $11 billion in 2013.9 And given the
prevalent misuse of compromised information for online and in-store purchases
reported by fraud victims in Chicago, Los Angeles, Miami, and Minneapolis (see
Figure 2), it is not surprising that they were most likely to experience the same
type of fraud (see Figure 3). Victims in Chicago are affected the most by ECF, with
82% of victims, while Minneapolis victims arguably fare better with 70% of victims
in the area having experienced ECF (see Figure 3).

Fraudulent Purchases Are the Most Common Means of Misuse, With Online Purchases Favored in the Midwest and In-Person Transactions More Popular on the Coasts
Figure 2: How Compromised Information Was Misused, by Metropolitan Area
[Bar chart, percent of fraud victims, with one series each for Chicago, Los Angeles, Miami, and Minneapolis. Categories: Make purchases online; Make purchases in person; Make purchases over the phone or through the mail; Withdraw cash from an ATM; Write checks; Buy gift cards; Make ACH/wire transfers; Pay bills; Obtain health care; Buy prepaid cards; Make P2P transfers or payments; Another way.]
Q14a. You mentioned that the perpetrator misused your personal or account information. How was your information misused? Was it used to...?
May 2014, n = 50. Base: Fraud victims by metropolitan area.

8 http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx, accessed June 2, 2014.
9 2014 Identity Fraud Report: Card Data Breaches and Inadequate Consumer Password Habits Fuel Disturbing Fraud Trends, Javelin Strategy & Research, February 2014.
Existing noncard fraud (ENCF), which also grew significantly nationally from 2012
to 2013,10 is the second most popular fraud type across all areas. A major
contributor to the growing incidence of ENCF is the confluence of poor password
habits and the exfiltration of password lists by hackers. As consumers reuse
passwords across a greater number of online sites, their risk of fraud rises — when
passwords are compromised in a data breach, each password could expose
multiple consumer accounts to unauthorized access.11 Among the areas examined,
fraud victims in Miami and Minneapolis were more likely to experience ENCF
compared with fraud victims in Los Angeles and Chicago (see Figure 3).
Tracking With National Fraud Rates, Existing Card Fraud Most Likely to Plague Victims Regardless of Where They Live
Figure 3: Types of Fraud Experienced by Fraud Victims, by Metropolitan Area
[Bar chart, percent of fraud victims, for Chicago, Los Angeles, Minneapolis, and Miami. Series: Existing card fraud; Existing non-card account fraud; New-account fraud; Account takeover fraud.]
Q12A through Q12D: Thinking about the most recent fraud incident, what type of personal/financial information was misused?
May 2014, n = 50. Base: Fraud victims by metropolitan area.

10 2014 Identity Fraud Report: Card Data Breaches and Inadequate Consumer Password Habits Fuel Disturbing Fraud Trends, Javelin Strategy & Research, February 2014.
11 Ibid.
THE DATA BREACH — IDENTITY FRAUD PARADIGM
The days of Dumpster diving and pickpocketing as mainstays of a fraudster’s PII-gathering
efforts have come and gone. Personally identifiable information stored and transmitted by
organizations, regardless of industry, now attracts the attention of skilled criminal
organizations around the world. Once in possession of this data, much of it can be readily
misused to commit fraud or, instead, sold or traded in underground forums to other
criminals for subsequent misuse. In 2013, nearly 1 in 3 data breach victims experienced
identity fraud.12 Yet not only has the actual connection between data breaches and fraud
continued to grow, but also media coverage of recent high-profile data breaches has served
to reinforce the connection between data breaches and fraud in the minds of consumers.

Although access to highly sensitive or account-specific PII might render criminals more
capable of perpetrating fraud, the information they seek is not restricted to this data. Social
Security numbers are clearly the most compromised nonfinancial PII, especially at FIs (23% of
fraud victims) and industries other than retailers (32%). However, less sensitive, nonfinancial
PII such as full name and physical address is right at the top of personal information
compromised as reported by fraud victims across industries (see Figure 4).
The Proverbial ‘Keys to the Kingdom,’ Social Security Numbers Are the Most Compromised Type of Nonfinancial PII
Figure 4: Type of PII Breached and Misused, by Industry
[Bar chart, percent of fraud victims, with one series each for Financial institution, Retail, and Other. Categories: Social Security number; Full name; Physical address; ATM PIN on your debit card; PIN on your credit card; Username and password for your online banking accounts; Driver's license number; Email account and password such as that for Yahoo! Mail or Gmail; Username and password for Internet payment accounts such as…; Health insurance information; Medical records; Mobile phone and personal details on the phone; A passport; Username and password for nonfinancial Internet accounts such…; Military ID card; Other.]
Q12A. Thinking about the most recent fraud incident you experienced, what type of financial information was misused?
May 2014, n = 57, 69, 96. Base: Fraud victims whose misused information was compromised at above types of organizations.

12 2014 Identity Fraud Report: Card Data Breaches and Inadequate Consumer Password Habits Fuel Disturbing Fraud Trends, Javelin Strategy & Research, February 2014.
Financial account information, though, is the most heavily targeted by criminals
and hackers (see Figure 5). This is unsurprising when considering that consumers
whose card data was compromised experienced existing-card fraud (ECF) at a rate
nearly eight times higher than that of all consumers (35.7% vs. 4.6%, respectively).
The relationship between breached cards and fraud is increasing, with consumers
whose credit or debit card number was breached in 2013 experiencing a 37%
higher fraud rate than those whose card numbers were breached in 2012 (see
appendix, Figure 22). This is not to say that breached SSNs are not of great value
to criminals. The theft of SSNs places consumers at a substantial risk of fraud. SSN
breach victims experience new-account fraud (NAF) at a rate nearly 18 times
higher than that of all consumers.13
Card Data Is the Foremost Target for Data Theft and Subsequent Misuse
Figure 5: Type of Financial Account Information Breached and Misused, by Industry
[Bar chart, percent of fraud victims, with one series each for Financial institution, Retail, and Other. Categories: A major credit card account number issued by my bank; A debit card account number issued by my bank; A bank account number (including checking, savings, or money market account); An alternative payments provider such as PayPal, Amazon payments, Google Checkout; Other types of payment card number (gift card / prepaid card); A store credit or debit card account number; Another type of financial account (investment account / retirement account / insurance account / car loan / student…; Other.]
Q12A. Thinking about the most recent fraud incident you experienced, what type of financial information was misused?
May 2014, n = 57, 69, 96. Base: Fraud victims whose misused information was compromised at above types of organizations.

13 2014 Identity Fraud Report: Card Data Breaches and Inadequate Consumer Password Habits Fuel Disturbing Fraud Trends, Javelin Strategy & Research, February 2014.
Late 2013 saw a rash of major retailer breaches, including those at Michaels,
Neiman Marcus, and Target, where millions of records were compromised.14 It is
not surprising that large retail merchant leads the list of organizations where
consumers’ information was compromised (50%). A distant second on this list is
the credit card issuer (22%), followed by consumers’ primary bank (16%).

This contrasts significantly with consumer perceptions before the aforementioned
major retailer breaches, in which it was believed that the majority of breaches
occurred within the financial industry.15 Given the high-profile nature of these
breaches, the responsibility for these breaches was readily apparent to
consumers. In previous retailer breaches, which received negligible media
coverage, consumers might have been confused by FI and card issuer notification
efforts designed to prepare them for card reissuance or a reduction in transaction
approvals, and mistakenly assigned responsibility for breaches to FIs or card
issuers.16
Large Retailers Are the Locus of the Highest Rate of Breach Notifications
Figure 6: Type of Organization Where Information Was Compromised
[Bar chart, percentage of data breach victims:]
Other organization: 4%
Virtual wallet provider: 4%
Small retail merchant: 4%
Restaurant or hotel: 5%
Cloud application: 5%
Online gaming site: 5%
Small online-only merchant: 5%
Social networking site: 5%
University: 6%
Alternative payment provider: 7%
Government agency: 7%
Another financial institution: 8%
Large online-only merchant: 8%
Gas station: 8%
Healthcare provider: 14%
Primary financial institution: 16%
Credit card issuer: 22%
Large retail merchant: 50%
Q8b: Please indicate the type of organization where your information was compromised or stolen.
May 2014, n = 150. Base: Fraud victims whose information was compromised in a data breach.

14 http://www.nytimes.com/2014/04/19/business/michaels-stores-confirms-breach-involving-three-million-customers.html?_r=0, accessed June 2, 2014.
15 2014 Data Breach Fraud Impact Report: Consumers Shoot the Messenger and Financial Institutions Take the Bullet, Javelin Strategy & Research, June 2014.
16 Ibid.
Although almost half of fraud victims don’t know where the information used in
the most recent fraud incident was compromised (49%), this is especially true for
victims of events that were unrelated to a data breach such as a stolen device or
wallet (88%) (see Appendix, Figures 20 and 21, respectively). Unfortunately, those
victims who are unaware of how their data was compromised were not in a
position to react until they were notified of the fraud — they could not take
immediate steps, after the loss of their PII, to protect their identity nor could they
prevent the continued theft of their PII from the compromised source.

Data breach victims, on the other hand, are more aware of their information
compromise and related misuse, which might be due to breach notifications sent
by the concerned organizations (see Appendix, Figure 21). Presumably, this
contributes to data breach victims being less likely to suffer multiple fraud
incidents compared with non-data breach victims (41% of data breach victims
experience multiple fraud incidents vs. 50% of non-data breach victims) (see
Figure 7), because knowing where the breach occurred and what information was
compromised helps consumers take steps to help prevent future fraud.
Consumers Whose Information Was Compromised in a Data Breach Are Less Likely to Suffer From Multiple Fraud Incidents
Figure 7: Number of Identity Fraud Occurrences for Data Breach Victims and Non-Data Breach Victims
[Chart not reproduced. Series: Data Breach Victims; Non-Data Breach Victims.]
Q10. How many times have you been a victim of identity fraud?
May 2014, n = 50, 150. Base: Fraud victims who are also data breach victims, fraud victims who are not data breach victims. © 2014 Javelin Strategy & Research
HOW CONSUMERS REACT TO FRAUD
It might be intuitive to think that once defrauded, victims would go overboard
with preventive measures to avoid future information compromise. However,
nearly 1 in 3 victims took no action after fraud occurred (see Figure 8). Of the
many options available to victims to help protect their identity, actively
monitoring financial accounts is among the most popular steps taken
toward prevention, as victims are most likely to sign up for activity alerts from their
banks (24%) and begin using online banking (18%) (see Figure 8).
1 in 3 Victims Refrains From Taking Any Action After Victimization
Figure 8: Actions Taken by Victims as a Result of Experiencing Identity Fraud
[Chart not reproduced. Axis: Percent of fraud victims.]
Q19. As a result of being a fraud victim, are any of the following statements true of you? Top ten options shown.
May 2014, n = 200. Base: All fraud victims. © 2014 Javelin Strategy & Research
Especially clear is consumers’ low level of awareness of where to obtain assistance
after they’ve been victimized. Although banks and credit card companies are the
clear favorites among fraud victims, just over 2 in 5 victims contacted these
organizations (44% and 43%, respectively) for advice, help, or more information.
Interestingly, contacting the bank or a credit card company is more popular
among victims whose PII was breached at a retailer than victims whose PII was
breached at a FI (50% vs. 41%, respectively). Among victims who contacted these
two agencies, satisfaction remains high (59% and 70%, respectively). Conversely,
the proportion of fraud victims who contacted law enforcement, a credit
monitoring service, or a federal agency is far lower (13%, 12%, and 10%,
respectively), and victims are more likely to contact these agencies when their
breach occurred at organizations other than FIs or retailers (see Figure 9).
Victims Contact FIs and Credit Card Companies for Postfraud Assistance
Figure 9: Agencies Contacted After Fraud by All Fraud Victims and Victims Whose PII Was Breached, by Type of Organization Where Breach Occurred
[Chart not reproduced. Axis: Percent of fraud victims. Series: All fraud victims; Breached at a financial institution; Breached at a retailer; Breached at another organization.]
Q16. After discovering you were a victim of identity fraud, did you reach out to any of the following organizations for assistance, advice, or additional information?
May 2014, n = varies 69 to 200. Base: All fraud victims, fraud victims by type of organization where information breached. © 2014 Javelin Strategy & Research
Consumer trust is of paramount value to businesses, and being compromised in a
data breach definitely puts these businesses at risk of losing customers. Fourteen
percent of victims said they avoid certain merchants (see Figure 8), while nearly 6
in 10 victims said their trust in retailers has significantly decreased after their
information was compromised (see Figure 10). Evidence can be found in the 2013
Target breach, which shook the core of the company as its stock price plummeted
and key executives resigned in an effort to show responsibility and maintain
consumer trust.17
When Breached Information Is Used to Commit Fraud, Victims Are Most Likely to Lose Trust in Retailers
Figure 10: How Fraud Affected Data Breach Victims’ Level of Trust, by the Industry Where Breach Occurred
[Chart not reproduced. Axis: Percent of fraud victims. Categories: Other type of organization; FI or financial service provider; Retailer.]
Q21. How has your most recent fraud incident impacted your level of trust with the organization where your information was compromised? “Somewhat decreased” and “significantly decreased” shown.
May 2014, n = 57, 69, 96. Base: Fraud victims whose misused information was compromised at above types of organizations. © 2014 Javelin Strategy & Research
17 2014 Data Breach Fraud Impact Report: Consumers Shoot the Messenger and Financial Institutions Take the Bullet, Javelin Strategy & Research, June 2014.
In addition to losing the most trust in the wake of a data breach, retailers also
fared poorly compared with FIs or other organizations when it came to fraud
victims’ expectations that the organization would be able to protect their data in
the future (10% vs. 24% vs. 26%, respectively) (see Figure 11). In the wake of
recent high-profile breaches, it’s clear that retailers have a long and hard battle
ahead of them to regain consumer trust and confidence.
Victims Are Also Least Confident That Retailers Can Protect Their Information in the Future
Figure 11: Data Breach Fraud Victims’ Level of Confidence That the Industry in Which Breach Occurred Could Protect Them From Future Fraud
[Chart not reproduced. Axis: Percent of fraud victims. Categories: Other type of organization; FI or financial service provider; Retailer. Series: Extremely confident.]
Q26. How confident are you that this organization can protect you from fraud in the future?
May 2014, n = 57, 69, 96. Base: Fraud victims whose misused information was compromised at above types of organizations. © 2014 Javelin Strategy & Research
VICTIMS’ EXPECTATIONS
Consumer awareness of breaches is on the rise, as all consumers, and fraud
victims specifically, were more likely to be notified of a data breach in 2013,
compared with 2012 (32% vs. 12% and 68% vs. 51%, respectively).18 Given such
awareness of imminent or potential threat to their identities, consumers believe
that taking appropriate steps to safeguard their data will help protect their
identity. According to fraud victims, electronic monitoring of financial accounts
(46%) and their credit card company’s fraud detection system (44%) prove to be
the two most effective activities in preventing ID theft, placing almost the same
level of responsibility on themselves and their credit card company (see Figure
12).
Interestingly, fraud victims believe signing up for an identity protection service is
the least effective method — only 23% of victims picked this activity — to prevent
ID theft, with victims in Minneapolis the least convinced of this option (12% of
fraud victims). Yet despite this perception, providing or subsidizing these services
has become a remedy that government officials are pressing breached
organizations to offer. In many cases victims might better understand the value of
these services through experience, as commonly prescribed credit monitoring is of
little value in preventing fraud related to breached credit and debit cards.19
Electronic Monitoring Considered Most Effective at Fraud Prevention
Figure 12: Perceived Effectiveness of Fraud Prevention Activities Among All Fraud Victims and by Metropolitan Area
[Chart not reproduced. Axis: Percent of fraud victims. Series: All fraud victims; Chicago; Los Angeles; Miami; Minneapolis.]
Q24a. In your opinion, how effective are the following activities in helping consumers like you protect their identity? Very to extremely effective shown.
May 2014, n = varies 50 to 200. Base: All fraud victims, fraud victims by metropolitan area. © 2014 Javelin Strategy & Research
18 2014 Data Breach Fraud Impact Report: Consumers Shoot the Messenger and Financial Institutions Take the Bullet, Javelin Strategy & Research, June 2014.
Fraud victims do not seem to discriminate between businesses and FIs when
assigning blame for a data breach. While 52% of victims consider businesses to be
responsible for data breaches, 48% blame FIs (see Figure 13). This is true even
among victims whose PII was breached at a FI (51% believe FIs should be held
accountable and 46% believe retailers should be held accountable) and those
whose PII was breached at a retailer (45% believe FIs should be held accountable
and 51% believe retailers should be held accountable). Regardless, government
agencies get the least of the blame, with only 24% of victims holding them
accountable for a breach (see Figure 13).
Victims Believe All Organizations Should Be Held Accountable and Some Would Vote with Their Wallets
Figure 13: Industries That Should Be Held Accountable and Business Avoidance Postbreach, by Fraud Victims Whose Information Was Breached at FIs, Retailers, and Other Organizations
[Chart not reproduced. Axis: Percent of fraud victims. Series shown in legend: All fraud victims; Financial institution; Retailer.]
Q27. Please read each of the following statements carefully, and indicate your level of agreement on a scale of 1 to 10, where 1 = strongly disagree and 10 = strongly agree. 9-10 shown.
May 2014, n varies 57 to 200. Base: Fraud victims whose misused information was compromised at above types of organizations. © 2014 Javelin Strategy & Research
19 2014 Data Breach Fraud Impact Report: Consumers Shoot the Messenger and Financial Institutions Take the Bullet, Javelin Strategy & Research, June 2014.
While fraud victims hold all organizations involved accountable for information
compromise, they feel differently based on whether the information was lost due
to a data breach or an event unrelated to a data breach. Data breach victims are
not only more likely to consider the breached organization responsible for
protecting their accounts compared with non-data breach victims (49% vs. 40%),
but they are also more likely to hold their FIs responsible for account protection
(40% vs. 28%) (see Figure 14).
Data Breach Victims Are More Likely to Believe That Breached Organizations as Well as Their Banks Are Responsible for Protecting Accounts
Figure 14: Organizations That Should Be Held Responsible for Protecting Accounts During Recent Fraud, According to Non-data breach Victims and Data Breach Victims
[Chart not reproduced. Axis: Percent of fraud victims. Series: Data breach victims; Non-data breach victims.]
Q29. Which of the following would you say were responsible for protecting your account in your most recent fraud incident?
May 2014, n = 50, 150. Base: Fraud victims who are also data breach victims, fraud victims who are not data breach victims. © 2014 Javelin Strategy & Research
When it comes to restoring their identities and lost funds, data breach victims
maintain that breached organizations are responsible (53% of breach victims vs.
38% of nonbreach victims), while non-data breach victims say payment card
companies are responsible (49% of breach victims vs. 60% of nonbreach victims)
(see Figure 15).
Data Breach Victims Would Like to See Breached Organization Restore Lost Funds; Non-data breach Victims Say Card Companies Should Instead
Figure 15: Organizations That Should Be Held Responsible for Restoring Identity After Recent Fraud, According to Non-data breach Victims and Data Breach Victims
[Chart not reproduced. Axis: Percent of fraud victims. Series: Data breach victims; Non-data breach victims.]
Q29b. Which of the following would you say were responsible for restoring your identity and lost funds in your most recent fraud incident?
May 2014, n = 50, 150. Base: Fraud victims who are also data breach victims, fraud victims who are not data breach victims. © 2014 Javelin Strategy & Research
Consumer patience seems to be a thing of the past, as an overwhelming number of
fraud victims believe they should be able to take legal action against companies
where their information was breached (64%) (see Figure 16). Furthermore, this
sentiment is consistent regardless of where the information was breached — 64%
of FI breach victims, 66% of retailer breach victims, and 70% of victims breached
at another organization believe this is important.
Regardless of Where Information Was Breached, Victims Believe Consumers Should Be Able to Take Legal Action
Figure 16: Agreement With Statement, by Type of Organization Where Information Was Breached
[Chart not reproduced. Axis: Percent of fraud victims. Categories: Breached at another type of organization; Breached at a financial institution; Breached at a retailer.]
Q30: Please indicate the degree to which you agree or disagree with the following statements on a scale of 1 to 5 where 1 = strongly disagree and 4 – strongly agree. Consumers should be able to take legal action against companies where their information is breached. Options 4 and 5 shown.
May 2014, n = 57, 69, 96. Base: Fraud victims whose misused information was compromised at above types of organizations. © 2014 Javelin Strategy & Research
Data breaches can attract a constant stream of class-action lawsuits from
consumers and businesses. For example, the Target breach has spawned 90
lawsuits.20 Moreover, as consumer awareness increases, the difference in the level
of consumer protection and action by organizations can be seen when contrasting
the Target breach with the earlier, prolific breach of TJX.21 In 2008, TJX provided
credit monitoring services only to victims who faced a higher risk of ID theft. In
2013, Target provided this service to all customers, whether they were victims or
not, due to consumer backlash and government pressure.22
Fraud Victims Favor Legal Action Against Breached Organization
Figure 17: Fraud Victims’ Attitudes Regarding Data Breaches
[Chart not reproduced. Axis: Percent of fraud victims.]
Q30. Please indicate the degree to which you agree or disagree with the following statements on a scale of 1 to 5 where 1 = strongly disagree and 5 = strongly agree. 9-10 shown.
May 2014, n = 200. Base: All fraud victims. © 2014 Javelin Strategy & Research
20 http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data, accessed June 13, 2014.
21 2014 Data Breach Fraud Impact Report: Consumers Shoot the Messenger and Financial Institutions Take the Bullet, Javelin Strategy & Research, June 2014.
22 Ibid.
Although victims don’t hold government responsible for a breach, they do
expect the federal government to ensure that businesses adhere to data
security standards (70%) (see Figure 17). National data breach legislation is
supported by the financial industry, which is calling for greater accountability from
industries that store or transmit sensitive PII and financial account data. The
financial industry’s recommendations are geared toward retailers, and industry
groups — including the Independent Community Bankers of America and the
National Association of Federal Credit Unions — are leading the lobbying effort to
amend pending national legislation to reflect these recommendations.23
Businesses need to be aware of these initiatives and how consumer
perception of existing legislation has created a climate in which proposed
national legislation is likely to become law. Consumers are jittery about
sharing their PII with organizations — only 28% of victims believe that
current federal data security requirements are sufficient for protecting their
data (see Figure 17). This is especially true for Minneapolis, where only 16%
of victims believe they are adequate (see Figure 18).
Fewer Than 2 in 5 Fraud Victims in Any Metro Area Surveyed Consider Federal Legislation Sufficient to Protect Consumer Data
Figure 18: Agreement With Statement, by Metropolitan Area
[Chart not reproduced. Axis: Percent of fraud victims. Categories: Minneapolis; Chicago; Miami; Los Angeles.]
Q30: Please indicate the degree to which you agree or disagree with the following statements on a scale of 1 to 5 where 1 = strongly disagree and 5 = strongly agree. The current federal data security requirements are sufficient for protecting health care and financial data. Options 4 and 5 shown.
May 2014, n = 50. Base: Fraud victims by metropolitan area. © 2014 Javelin Strategy & Research
23 http://www.nafcu.org/datasecurity/, accessed May 18, 2014.
The circumstances under which consumers must be notified of a breach
vary, but these notifications offer an opportunity for organizations to
educate affected consumers on the circumstances of the breach, their effect
on the integrity of their identities, efforts undertaken by the breached
organization to protect their identities going forward, and how consumers
can ultimately protect themselves. Consumers clearly want to be in the know
in case of a breach. While a little over 2 in 5 victims believe that consumers
should be notified only when a breach has potential for harm, an
overwhelming number of victims (84%) believe that breached organizations
should notify consumers no matter the circumstance (see Figure 17). In
addition, fraud victims also believe that breached organizations should notify
credit reporting agencies (85%) and the media (67%) (see Figure 17).
Fraud Victims Overwhelmingly Prefer Speedy Notification When It Comes to Data Breach
Figure 19: When Notification Should Be Provided After a Data Breach, by Fraud Victims
[Chart not reproduced. Axis: Percent of fraud victims.]
Q31. Considering that a business or organization is required to notify affected customers of a data breach, how soon after a breach is confirmed should customers be notified?
May 2014, n = 200. Base: All fraud victims. © 2014 Javelin Strategy & Research
When notifying consumers of a breach, speed is of the essence. This is not a
new criticism — after TJX disclosed the details of its breach in 2007, it was
heavily criticized by analysts, the media, and consumers alike for holding
back information.24 Eighty-six percent of fraud victims believe consumers
should be notified immediately no matter what (see Figure 19), providing
breached organizations a significant opportunity to maintain the relationship
postbreach by dispelling any misinformation related to the event, reassuring
consumers that the organization is now secure, and detailing best practices
to prevent identity fraud. How and when consumers are notified can
contribute to their perception of an organization after a breach, and
organizations that wish to maintain a positive relationship with consumers
should ensure transparent and immediate notification.
24 2014 Data Breach Fraud Impact Report: Consumers Shoot the Messenger and Financial Institutions Take the Bullet, Javelin Strategy & Research, June 2014.
METHODOLOGY
In March 2014, the National Consumers League retained Javelin Strategy &
Research to conduct a comprehensive research study on data breach and fraud
victims’ experiences, behaviors, and attitudes. The NCL conducted an online
survey of 200 fraud victims in the Chicago, Los Angeles, Miami, and Minneapolis
metropolitan areas. The results of this study are not nationally representative and
cannot be extrapolated to groups outside fraud victims in these four metropolitan
areas. The overall margin of sampling error is +/- 6.93 percentage points at the
95% confidence level. The margin of error is larger for subsets of respondents.
APPENDIX
Nearly Half of Consumers Do Not Know Where the Information Used to Defraud Them Was Compromised
Figure 20: Type of Organization Where Information Was Compromised, by Most Recent Fraud Incident
[Chart not reproduced. Axis: Percent of fraud victims.]
Q13. To the best of your knowledge, where was the information used in your most recent fraud incident compromised?
May 2014, n = 200. Base: All fraud victims. © 2014 Javelin Strategy & Research
Majority of Those Who Are Not Aware of the Location of Compromise Are Non-data breach Victims
Figure 21: Information Compromised in Most Recent Fraud Incident, by Victim Type
[Chart not reproduced. Axis: Percent of fraud victims. Categories: Non-data breach victims; Data breach victims. Series: My information was compromised in a data breach; I do not know where my information was compromised; My information was compromised in an event other than a data breach.]
Q13. To the best of your knowledge, where was the information used in your most recent fraud incident compromised?
May 2014, n = 50, 150. Base: Fraud victims who are also data breach victims, fraud victims who are not data breach victims. © 2014 Javelin Strategy & Research
Fraud Incidence is Increasingly Correlated with Card Breaches
Figure 22: Rate of Fraud Victimization by Type of Data Breached
[Chart not reproduced. Axis: Percent of data breach victims. Categories: Your credit card and/or debit card number; Your credit card number; Your debit card number; Your Social Security number. Series: 2012; 2013.]
Q5: How long ago did you discover that your personal or financial information had been misused? In the past 12 months.
October 2012 - 2013, n varies 75 - 320. Base: Data breach victims in the past 12 months by type of information breached. © 2014 Javelin Strategy & Research
ABOUT JAVELIN
Javelin Strategy & Research, a division of Greenwich Associates, provides strategic
insights into customer transactions, increasing sustainable profits and creating
efficiencies for financial institutions, government agencies, payments companies,
merchants, and other technology providers. Javelin’s independent insights result
from a uniquely rigorous three-dimensional research process that assesses
customers, providers, and the transactions ecosystem.
Authors: Al Pascual, Senior Analyst, Fraud & Security
Publication Date: June 2014
Editor: Oie Lian Yeh