Unreported data breaches that escape the eyes of law enforcement are at the root of some of the biggest card fraud cases in Europe, according to Europol.
The main source of illegal data behind Europe’s biggest card-not-present (CNP) fraud investigations were data breaches stemming from insider leaks and malware, Europol claims in its latest Situation Report on Card Fraud in the European Union (PDF).
Europol says CNP fraud reached €900 million (US$1.1bn) in 2011 and accounted for 60 percent of all card fraud in Europe. Total card fraud losses in Australia were $189 million in 2012, however CNP fraud was higher at 72 percent of all card fraud in Australia.
The problem law enforcement has in investigating and stemming this growing area of fraud is Europe’s lack of data breach notification laws, according to Europol. Industry also have little faith in the “investigative possibilities” of law enforcement and generally want to protect their reputations, it notes.
“A major problem in the EU is the lack of proper regulations for reporting data breaches to police authorities. Law enforcement agencies, even if aware of a breach, have difficulties finding information on, and links to, the point of compromise, stolen data and illegal transactions,” Europol says.
Europol warns the argument that the private sector can bear the cost of that fraud and avoid law enforcement's involvement could lead to the “dangerous situation” where organised crime gangs are netting €1.5 billion a year from CNP fraud.
Australia similarly lacks a mandatory reporting regime, but late last year invited the public to comment on a discussion paper about whether [[xref: http://www.theregister.co.uk/2012/10/16/oz_data_breach_notification/ |data breach legislation the Australian Law Reform Commission recommended in 2008 should be adopted]].
The lack of law enforcement’s involvement leaves agencies with inadequate police statistics that would enable them to prioritise these types of investigations, in turn making it difficult to initiate international co-operation -- for example with the US -- where currently most breached data that affects European card holders comes from. Without mandatory reporting, internal investigations by targeted companies focus on improving security measures within the organisation, but rarely attempt to identify suspects, Europol notes.
Law enforcement objectives would on the other hand attempt to combat money mule networks, investigate crime gangs from the Baltic states and Russia and seize assets, amongst other things.