Data breach victims more likely to be fraud targets: Study

June 28, 2011

Victims of data breaches are far more likely to become the victims of fraud than other consumers and credit card issuers need to do more to protect their customers, a new study from the firm Javelin Strategy & Research found.

About four percent of consumers are victims of fraud, Javelin said, but if you’ve been a victim of a data breach, that risk rises to 17 percent.

The annual report from Javelin comes on the heels of a flurry of massive data breaches that exposed millions of consumers’ personal information, credit card numbers and other details and punctuates the real risks victims face. The sophistication of hackers has been particularly problematic, the company said.

Breaches of customer data from Sony customers exposed more than 100 million accounts and came following an attack on email marketing giant Epsilon. But it was the far smaller attack on Citigroup in May that really ratcheted up the pressure on banks as lawmakers started pushing hard for a data notification law.

“A new wave of hacker attacks threatens the current security model, resulting in a call to action for issuers to take a strong look at the processes in place for detection and prevention of fraud,” said Philip Blank, Javelin’s managing director of security, risk and fraud.

About $37 billion was lost last year in the U.S. to credit card fraud, Javelin said. New account fraud — when an account is created in someone else’s name after their identity is stolen — was the biggest area of loss at $17 billion.

Even though losses per consumer are often in the thousands, fraud victims are protected from having to pay the fraudulent charges. However, the process of clearing up the charges can be extremely time consuming. Javelin said the mean amount of time for a consumer to resolve someone opening a new account in their name is 49 hours.

The report said credit card issuers should do more to alert their customers to potential problems, including notifying them that another card has been issued to their existing account or that the billing address has been changed. Javelin said the credit card issuers have been doing a good job trying to educate customers about threats.

To help prevent accounts from being as vulnerable to identity fraud, Javelin said it continues to support the idea of no longer using full Social Security numbers to authenticate accounts. Those numbers are the key to identity thieves leveraging other information they’ve stolen and getting credit issued in the victims’ names.

There’s a lot at stake for the banks to keep customers protected, Javelin said, noting that they react to being victimized by changing banks, spending less money or using a different form of payment.

Javelin evaluated 23 credit card issuers and name these as the best at combating and dealing with fraud (in order):

  • Bank of America
  • Discover
  • U.S. Bank
  • USAA
  • Capitol One
  • JPMorgan Chase
  • American Express
  • HSBC

Consumers can also do their part to combat credit card fraud, particularly new account fraud, by avoiding phishing attacks that frequently follow data breaches. The thieves rarely have the Social Security numbers they need to open new accounts, so they take all the other data they have to make a credible pitch to the victims to get them.

Also, consumers should beware of phone calls seeking the same information. Don’t follow links in emails purporting to be from your bank or credit card company. Always go to a known website to use your account and call the number of your statements or the back of your card, not one that is emailed to you.

One comment

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see

The good thing about credit card fraud, from a cardholder’s stand point, is that ultimately the issuer is liable for fraudulent transaction amounts. Still, the investigative process can take a while and you will be wholly involved in it. Moreover, there are a number of things that can go wrong and your credit history may suffer as a result. So just because someone else is paying for it, does not mean that you will necessarily get off scot-free. redit-card-issuers-do-poorly-at-detectin g-well-at-resolving-fraud

Posted by gstanski | Report as abusive

[…] riddle me this: If more than 500 million files (that we know about) have been breached and about 17 percent of the individuals in those databases have suffered personal compromises, what happened to the […]

Posted by The Weakest Link: Feds Fail with Cyber Security Proposal – Identity Theft 911 Blog | Report as abusive

[…] Victims of a data breach are more than four times as likely to become victims of fraud than other consumers. That’s according to the Javelin Strategy and Research annual report, which says credit card companies should be doing more to alert customers to potential dangers, such as notifications when issuing new cards or changing billing addresses. The report also notes that hackers have become more sophisticated, threatening “the current security model, resulting in a call to action for issuers to take a strong look at the processes in place for detection and prevention of fraud,” said Javelin’s Philip Blank. [Reuters] […]

Posted by 01-31 June 2011 « Privacy News Highlights | Report as abusive