In shift, hackers want your identity, not just your credit card

Data breaches rose 49 percent last year, says a study. And hackers are changing their priorities from short-term spending sprees with stolen card info to long-term mischief with your identity.

Don Reisinger

[Image: A staggering figure for those who seek greater security for their personal information. Credit: Gemalto]

Stealing your identity is a key reason hackers break into corporate networks, according to a new study.

The world was hit by more than 1,500 data breaches in 2014, leading to 975 million data records being lost or stolen during the year, Netherlands-based security firm Gemalto reported on Thursday (PDF). Data breaches were up 49 percent in 2014 versus the prior year, and the number of lost or stolen records was up 78 percent.

And in a change of strategy, hackers are actively targeting individuals, with 54 percent of data-hacking incidents focused on identity theft, the Gemalto report said. Just 17 percent of hacks were designed to access financial information, while 11 percent sought account access. According to Gemalto, hacking identities rather than financial information provides a long tail of benefit to hackers, rather than a short-term spending spree.

"We're clearly seeing a shift in the tactics of cybercriminals, with long-term identity theft becoming more of a goal than the immediacy of stealing a credit card number," Tsion Gonen, Gemalto's vice president of strategy for identity and data protection, said in a statement. "Identity theft could lead to the opening of new fraudulent credit accounts, creating false identities for criminal enterprises, or a host of other serious crimes. As data breaches become more personal, we're starting to see that the universe of risk exposure for the average person is expanding."

The Gemalto report comes just days after US health-insurance provider Anthem announced a security breach that resulted in the exposure of up to 80 million records. The hackers used a stolen password to break into the Anthem network and steal everything from names to medical IDs to Social Security numbers.

The Anthem hack was just the latest in a string of attacks on companies. In a little over a year, hackers have stolen 56 million credit card numbers and 53 million email addresses from Home Depot; contact information for 76 million households and 7 million small businesses from JPMorgan's vaults; and 40 million credit and debit card numbers and personal information on 110 million customers from Target.

The hacks didn't stop there. Arts and crafts chain Michaels and restaurant chain P.F. Chang's also suffered embarrassing data thefts last year. In November, Sony Pictures suffered its worst hack in history, as hackers accessed private e-mails and copies of upcoming films.

A Pew Research study conducted last year found that 18 percent of consumers have had their credit card, bank account, or Social Security numbers stolen. A report just six months prior to that one found that 11 percent of consumers had been subject to such theft. Last December, H.D. Moore, chief research officer at security firm Rapid7, said the issue might be even more widespread than Pew believed.

"It'd be hard to find anybody in the US who hasn't had a credit card affected," said Moore.

While the risk of falling victim to a data breach appears high around the world, so far the vast majority of hacks -- 1,164 -- have occurred in North America. In addition, Gemalto's study shows that 58 percent of stolen records have come from retail, followed by the financial industry at 21 percent.

Acknowledging the impact that data breaches have on the US, and the sometimes patchwork efforts that go into securing networks, President Barack Obama's administration last month proposed a new law, called the Personal Data Notification and Protection Act, that would create a basic set of rules for how companies must safeguard customer information. If passed, the law would also criminalize the international trade of stolen personal identity information.

The law would in some ways complement regulations already in place for data theft in 47 states in the Union. However, many of the states have different requirements on data theft and hacking. Obama's law would codify the handling of customer information on a national level, so it's the same across the states.

Despite those efforts, it seems unlikely that customers will feel safe anytime soon.

"Not only are data breach numbers rising, but the breaches are becoming more severe," Gemalto's Gonen said. "Being breached is not a question of 'if' but 'when.' Breach prevention and threat monitoring can only go so far and do not always keep the cybercriminals out."