[BreachExchange] What happens to data after a breach?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jun 23 20:08:21 EDT 2016


http://www.itproportal.com/2016/06/22/what-happens-to-data-after-a-breach/

“The rise across all fraud loss types during 2015 owes much to the growth
of impersonation and deception scams, as well as sophisticated online
attacks such as malware and data breaches.” – Financial Fraud Action UK
2016.

The last few years have been particularly eventful, and 2015 will be
remembered for many momentous milestones. For those of us involved in
security and fighting fraud online, we will remember it as a big year for
major data breaches.

A report carried out by PwC examining UK data breaches showed that not only
had there been a rise in 2015 but that the scale and cost of these breaches
had doubled. The report concluded that data breaches, for large businesses,
are “a near certainty.”

In the short term, these attacks mean less consumer confidence and less
business for the businesses that were breached.

There is also the legal requirement to notify the Information
Commissioner’s Office and the possibility of being in breach of Privacy and
Electronic Communications Regulations (PECR) leading to fines and other
possible sanctions.

There is also the question of liability. If data is lost, firms could find
themselves in breach of the Data Protection Act (1998) and be subject to
prosecution. Indeed, there is a growing market for data breach insurance as
companies seek to shield themselves from the liability inherent in security
failures leading to breaches.

What Kount are concerned with, though, isn’t so much the breaches
themselves but what happens afterwards. What is happening to this data once
it falls into the hands of criminals? What are they using it for and how
can merchants and others protect against it?

Breaches mean fraud increases

The simple fact is that this information is used to carry out fraud. For
the cunning criminal, even the smallest amount of personal information can
be enough to fraudulently apply for financial products. When payment
details are compromised, it is enough for criminals to start making
purchases using illegally obtained card details and emptying out bank
accounts.

Financial Fraud Action UK (FFA UK) is the UK’s financial industry
anti-fraud group and works alongside a dedicated police force to monitor
and combat financial fraud in the UK. In March this year, it published its
2015 year-end report, announcing, as said at the top of the article, that
“financial fraud losses across payment cards, remote banking and cheques
totalled £755.0 million in 2015, an increase of 26 per cent compared to
2014.”

When looking for key drivers behind this huge increase, the experts at FFA
UK are in no doubt: “The rise across all fraud loss types during 2015 owes
much to the growth of impersonation and deception scams, as well as
sophisticated online attacks such as malware and data breaches.”

The message is crystal clear: data breaches in the UK are a significant
cause of the increase in financial fraud in 2015.

It might seem obvious, but this is the first time that these two trends
have been linked and causality demonstrated. The continued rise of CNP
fraud in the UK is being driven by, among other things, the data illegally
obtained via data breaches.

Bracing against breach-related fraud

Fraud costs merchants money in a number of different ways. Lost goods and
lost revenue through chargebacks both hit merchants in the pocket. There is
also the possibility that merchants will become too risk averse and tighten
up their rules to the extent that legitimate transactions are declined
because merchants do not have the protocols, expertise, and systems in
place to differentiate between fake and genuine consumers.

Fraud is a real and present threat but our research has shown that
merchants are still not receiving the critical intelligence they need to
fight it.

In April of this year, we published our annual Kount Mobile Payments and
Fraud Report, and discovered that despite these breaches and rising fraud,
merchants were still not facing up to the threat of mobile fraud.

Looking at the responses to three critical areas, we saw that, although
merchants seemed to be slightly more aware of the amount of fraud taking
place, in some cases they seemed to be becoming less fraud aware than they
had been previously.

Merchants aware of share of total fraud coming from mobile channel
    2015: 40 per cent; 2016: 43 per cent; change: +7.5 per cent

Merchants who consider it very important to detect mobile transactions
    2015: 46 per cent; 2016: 42 per cent; change: –8.5 per cent

Merchants who believe that existing e-commerce fraud prevention tools are
suitable for m-commerce
    2015: 28.5 per cent; 2016: 36 per cent; change: +25 per cent

Transactions taking place on mobile devices are the most vulnerable to
intrusion and only around four in ten merchants believe it is important to
detect mobile transactions. Detecting a mobile transaction is critical.
This vital piece of intelligence should be a central part of evaluating the
risk factors of any transaction. Without this knowledge, merchants are not
making a fully informed decision about the level of risk presented by the
transaction.

Equally, the tools that can track e-commerce fraud are not always up to the
task of tracking m-commerce fraud. Different platforms require different
security systems.

Thinking beyond the breach is critical for merchants. There is a
demonstrable correlation between data breaches and fraud; figures from the
US and UK bear this out. In the last year, there were 442,000 thefts of
mobile devices in the UK. A significant proportion of these would have had
payment and financial information stored on them. Multiply this by the
increasing number of data breaches and merchants have to start getting
mobile security savvy.

This rise in breaches and the correlating rise in fraud should be serving
as a warning to merchants. And, yet, our intelligence suggests that this is
currently not the case.

Data breaches happen because that data is valuable to criminals. And it is
valuable to criminals because they can use it to carry out fraud against
merchants, financial institutions and others.

If these targets of fraud are able to strengthen their security and be more
ready for the threat of fraud, then less fraud will take place. And if less
fraud takes place then there is a possibility, however slight, that the
reward of fraud will not be worth the risk of detection and so data
breaches might seem less attractive.