GAO: Lots of data breaches, not a lot of fraud
Auditors say only a fraction of largest intrusions in recent years showed clear evidence of resulting identity theft, but they admit that's not always easy to gauge.
Sometimes it feels like every day, there's word of another incident involving lost, hacked or pilfered personal data stores--and dire warnings about the potential consequences.
But according to a report just released by the Government Accountability Office (PDF), only a small fraction of those recent episodes have actually resulted in clear signs of identity theft.
After scrutinizing the 24 largest data breaches that got media attention between January 2000 and June 2005, the GAO found that only three of the incidents indicated fraud on existing accounts. One pointed to evidence that new accounts had been created based on the leaked information.
Those breaches included break-ins at third-party credit card payment processor CardSystems, shoe retailer DSW and e-commerce retailer CD Universe.
That leaves 18 incidents that signaled no evidence of identity theft and two incidents on which there wasn't enough information for the government auditors to decide.
But that's not to say there weren't a lot of break-ins. All told, the GAO found media reports of more than 570 data breaches--across a wide variety of public and private entities--between January 2005 and December 2006 alone.
The GAO acknowledged that its research is not definitive. "Determining the link between data breaches and identity theft is challenging because, among other things, identity theft victims often do not know how their personal information was obtained," the auditors wrote.
The report, which was prepared for a congressional committee, also took a cautious stance on the idea of legally requiring stewards of personal data to notify anyone whose information may have been compromised in a security breach. Although the government auditors didn't make any formal recommendations to Congress, they said it's necessary to balance the need to alert consumers and to foster better security practices with the potentially high costs and consumer complacency that could accompany overly zealous notification.
Thirty-six states already have notification laws of some sort on their books, according to the GAO. Despite lots of talk, Congress hasn't taken much action on its own yet, and it's unclear whether this year will be any different.