Identity theft study reveals HSBC, BofA, Wamu top targets

Customers of HSBC, Bank of America, and Washington Mutual suffer the highest rates of identity theft in the banking industry, according to an investigative study released Wednesday by a UC Berkeley Law School researcher.

The Federal Trade Commission received over 245,000 reports of identity theft in 2006, but does not typically publish the names of the financial firms and companies listed in the reports. Through an extensive Freedom of Information Act request, Chris Hoofnagle, a staff attorney at UC Berkeley's Boalt School of Law, was able to get detailed records on the individual consumer complaints.

Hoofnagle received detailed information for three randomly chosen months in 2006: January, March, and September. These months included data from 88,560 complaints, with 46,262 names of institutions identified by victims.

Once he crunched the numbers, Hoofnagle discovered that HSBC has the highest rates of reported identity theft in the financial industry during 2006, when adjusted for billions of dollars in deposits. Bank of America and Washington Mutual came in a close second and third. According to Hoofnagle's stats, HSBC had 21 incidents of identity theft per billion dollars in deposits, Bank of America/MBNA had about 17, while Washington Mutual had 16. Online banking leader ING had the lowest rates in the industry, with just a single reported incident.

Technically, American Express and Capital One lead the pack--with 485 and 242 respective incidents per billion dollars in deposits. However, Hoofnagle excluded them from the graph due to the small scale of each company's banking operation (Amex's 7 billion in deposits compared with Bank of America's nearly 760 billion).

Outside of the financial services sector, telecom giants AT&T and Sprint suffered from more than 9,100 and 8,300 estimated reported cases of identity theft. As the firms do not publish the numbers of customers they serve, it was impossible for Hoofnagle to break these numbers down further.

While the FTC incidents that Hoofnagle examined were from 2006, a number of recent reports indicate that HSBC has recently been overwhelmed with a "a wave of banking fraud." Real numbers to back up these reports will not be available from the FTC for some time.

The levels of theft described by Hoofnagle's match up nicely with a 2007 report released by Cambridge University researchers, which revealed that Bank of America and Washington Mutual took the longest time to shut down phishing sites targeting the banks. Sites masquerading as BofA and Wamu typically stayed online for more than 100 hours, compared with less than two days for Chase and PayPal.

Finally, while the FTC publishes an annual identity theft report, it is not required to break down its figures and reveal the names of the most frequently victimized banks. While states like California have been able to pass significant pro-consumer data breach legislation, this is one area where states have little power. Incidents of identity theft are primarily reported to the FTC, and not to state attorneys general. To force the FTC to voluntarily publish such data, federal legislation will be required--something that is unlikely to happen.

Hoofnagle's 16-page study, with detailed numbers and graphs, can be found here.