Reflections on a new internal data theft study

Who steals data, and what do they do with it? Cooper Bachman of ID Analytics scrutinizes research from a dozen data thefts resulting in 1,300 attempted instances of data misuse.

While external data breaches involving household brand names such as TJX tend to grab more headlines, insider data thefts are emerging as compliance and reputational risks for organizations. Recent studies suggest that over 60 per cent of data breaches originate from an internal source or event. One reason for this is that in today's data-rich environment organizations continue to struggle with the 'human element' at the heart of data security. It can be extremely difficult to balance the protection of sensitive data with granting access to employees who need it to complete their daily job requirements. To that end, organizations have implemented several new security measures including employee education programs, data access monitoring, and strict policies regarding USB ports and portable devices. Although these are steps in a positive direction, little has been done to study and understand how the data is exploited once it leaves an organization.

In late 2007, ID Analytics performed Analysis of Internal Data Theft, a study of more than a dozen incidents of internal data theft involving over five million identities from consumer and employee files across the government, education, and commercial sectors. The purpose of the analysis was to identify cases of identity fraud resulting from internal data theft in order to understand the behavioral patterns associated with misuse of stolen identities. The study also analyzed the types of goods and services that were targeted by individuals who unlawfully obtained sensitive personal information from their organization.

The findings further illustrate the need to protect sensitive data from not only external factors, but internal employees as well. The research team found the following trends among the cases of internal data theft reviewed:

  • Fraudulent activity resulting from internal data theft tends to occur in close proximity to the office location where the data was removed.

  • Personal data stolen by an employee is misused more frequently than data obtained through an external breach.

  • The study group revealed a disproportionate amount of attempts to fraudulently obtain wireless phones. While this phenomenon could extend beyond internal data theft, this trend was not apparent in our prior research focusing on the harm associated with data breaches.

  • Employees or fraudsters abusing internally stolen data behave remarkably similar to traditional identity thieves who have access to breached data. The majority of breached identities were misused for a period less than two weeks and fraudsters primarily used the Internet to apply for goods and services.

Over a dozen incidents of internal data theft consisting of over five million consumer and employee identities were reviewed by ID Analytics fraud analysts. Of these, eight incidents ultimately led to identity fraud, with over 1,300 cases of attempted fraud targeting bank card, retail card, and wireless providers. These cases represent behavior that is indicative of organized misuse, which is a concentrated effort to abuse a group of stolen identities.

Identity fraud is different than account fraud. Identity fraud deals with stolen or fabricated identity elements (e.g., social Security number, name, and address). One way to detect identity fraud is to examine new account initiations across companies and industries. In cases of fraud, many new accounts of multiple types are opened across different institutions. Account fraud is the misuse of an existing account that is discovered examining transactions. Account fraud only affects a single institution and a single account. The harm is financial loss and it is easily reconciled by closing the account and issuing new cards.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about BillCommunity BanksJavelinTrack Data

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Cooper Bachman

Latest Videos

More videos

Blog Posts