ID fraud soars with laptops targeted for data

"Big chunks of data tend to come from a physical breach at retailers or banks"
Written by Will Sturgeon, Contributor

An expert investigator into data theft has told silicon.com that a recent spate of stolen laptops and back-up tapes is just the tip of the iceberg and identity theft is dramatically on the up-and-up.

In fact it's become such a problem that Bryan Sartin, VP investigative response at Cybertrust, claims almost everybody's identity will have been subject to some degree of breach, even if it didn't result in fraud.

Where crimes are committed, however, it is largely down to the existence of a highly active market for stolen data, especially bank details, said Sartin, who showed silicon.com a number of live websites selling stolen account information from banking customers.

And with fraudsters able to make thousands of dollars per day from stolen data - compared to just a few dollars for the actual hardware - the motivation for targeting data is clear.

But for all the talk of phishing and spyware as a means to obtain such data, it is often physical theft which poses the greatest threat, said Sartin.

He said: "Where really big chunks of data are involved that tends to come from a physical breach at retailers or banks," explaining that breaking in and stealing a laptop is actually often "the path of least resistance". He added that, in his experience, the bulk of large-scale thefts tend to rely on the co-operation of an insider.

Sartin said: "Most bigger cases do evidence internal collusion," with evidence often including the theft of specifically targeted computers.

The first priority after discovering the loss or theft of a laptop or back-up tape is to assess the threat posed, said Sartin. This is generally where he comes in and works with companies to create a profile of the risk they face.

If a laptop or a box of tapes has been misplaced - with no suggestion of any wrongdoing beyond simple human error - and the data is known to be reasonably secure, then the company has a decision to make about the negative versus the positive effects of disclosure.

Sartin said: "Many companies will take a stance of not saying anything until they really have to."

He added that lost devices tend not to result in data fraud, though there are no guarantees.

However, when a specific laptop or back-up batch has been stolen and fears are raised that it is the data rather than the device which has been targeted, more companies are wising up to the need to disclose the breach.

In California they are required to do so by law, which Sartin says is a positive move, but he believes there are other factors in play.

He said: "In the US it's true that a lot of disclosure is due to California law but also it's down to the pressure of customers; especially if they were to find out later."

But Sartin argues that fraudsters, and their need to act quickly, have actually contributed to the reasons companies would disclose breaches. "The last thing the fraudsters want is to walk into a store and try to cash a cheque and have that picked up," he said.

As such, the need to decide quickly whether to disclose, and the awareness that problems may arise even as they are in discussions, have made companies increasingly err on the side of publicly admitting the breach.

Sartin added: "Fraudsters have actually created an agenda of disclosure."
