4. Misuse Related to Internal and External Breaches Exhibits Similar Behavior
Identities involved in internal data theft demonstrated strikingly similar behavior to traditional data breach victims in two main respects: strong application activity in the online channel, and a duration of misuse for each identity that was typically less than two weeks.
Employees or recipients of internally breached data mimicked the same application patterns as serial identity thieves. Five out of the eight incidents of internal data theft had over 80 per cent of their application activity online. Although there were cases where phone and direct mail channels were used, the Internet continues to serve as a 'faceless' medium used by fraudsters to prevent detection.
Secondly, the period of misuse for each internally breached identity was approximately two weeks. This is consistent with prior research done by ID Analytics and demonstrates the sophistication of those with access to the data.
The Enemy in Action
The following two cases illustrate the temporal and relational patterns described in the previous four findings. Each of these case studies was included in the overall analysis and was discovered using breach analysis technology.
Case Study #1
An organization found an employee emailing sensitive information related to its customers to a personal email account. After completing an analysis on the breached identities, analysts learned there was organized misuse as a result of the internal data leak. The analysts discovered that the employee had submitted 196 applications using 66 different identities over a two-month period, all linking to one unlisted wireless phone number. Even though this activity continued for two months, 161 of the applications were submitted over a period of 11 days. In an attempt to mask the fraudulent activity, five different addresses were used throughout the credit application scheme: three apartments and two single family homes.
Previous studies performed by ID Analytics showed that identity thieves minimize the points of contact for a given group of stolen identities. This may help the fraudsters better control the flow of information to service providers and help them obtain the fraudulent credit cards and mobile phones. In this case, the employee used a pay-as-you-go wireless phone and terminated the service once the credit scheme was complete.
The employee focused on submitting credit card applications online, with 99 per cent of the applications distributed across five different bank card issuers. The perpetrator engaged in application "flurrying", where a group of identities is used to submit several applications over a very short period of time and is then replaced by the next group of identities.
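The relational and temporal pattern in this case (many identities tied to one phone number, with most applications packed into a short burst) can be screened for in application records. The following Python is an added example, not ID Analytics' breach analysis technology; the record layout, sample data and thresholds are assumptions, and only the 11-day window is taken from the case above.

```python
from collections import defaultdict
from datetime import date

def _d(month, day):
    return date(2024, month, day)

# Constructed sample records: (identity id, contact phone, application date).
# None of these values come from the study.
APPLICATIONS = [
    ("id-A", "555-0100", _d(1, 3)), ("id-A", "555-0100", _d(1, 3)),
    ("id-A", "555-0100", _d(1, 4)), ("id-B", "555-0100", _d(1, 5)),
    ("id-B", "555-0100", _d(1, 6)), ("id-C", "555-0100", _d(1, 8)),
    ("id-C", "555-0100", _d(1, 9)), ("id-C", "555-0100", _d(1, 10)),
    ("id-D", "555-0100", _d(1, 12)), ("id-D", "555-0100", _d(2, 20)),
    # One person applying twice: a single identity, so not a link cluster.
    ("id-E", "555-0199", _d(1, 7)), ("id-E", "555-0199", _d(1, 9)),
    # Household sharing a phone, applications spread across months.
    ("id-F", "555-0142", _d(1, 2)), ("id-G", "555-0142", _d(3, 15)),
    ("id-H", "555-0142", _d(6, 1)),
]

def busiest_window(dates, days):
    """Return (count, start_date) of the densest `days`-day span."""
    dates = sorted(dates)
    best, best_start, lo = 0, None, 0
    for hi, current in enumerate(dates):
        while (current - dates[lo]).days >= days:
            lo += 1  # slide the window start forward
        if hi - lo + 1 > best:
            best, best_start = hi - lo + 1, dates[lo]
    return best, best_start

def flag_shared_phones(apps, min_identities=3, window_days=11, min_burst_share=0.8):
    """Flag phones linked to many identities whose applications are bursty.
    Thresholds are illustrative assumptions, not values from the study."""
    by_phone = defaultdict(list)
    for identity, phone, day in apps:
        by_phone[phone].append((identity, day))
    findings = []
    for phone, rows in by_phone.items():
        identities = {identity for identity, _ in rows}
        if len(identities) < min_identities:
            continue
        burst, start = busiest_window([day for _, day in rows], window_days)
        if burst / len(rows) >= min_burst_share:
            findings.append({"phone": phone, "identities": len(identities),
                             "applications": len(rows), "burst": burst,
                             "window_start": start})
    return findings
```

Calling flag_shared_phones(APPLICATIONS) flags only the phone shared by four identities whose applications cluster in one 11-day window; the single repeat applicant and the household with applications spread over months are not flagged.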