Data-sharing to beat data breaching

Kate Beddington-Brown of CIFAS discusses the impact of identity fraud and how CIFAS Members have reported fraud savings of £4 billion through the use of its National Fraud Database.

In its 2011 annual report, the Information Commissioner’s Office stated that 603 data breaches had been reported. While the private sector accounted for the largest single segment (186 breaches reported), the public sector is not immune and is surprisingly vulnerable. Central and local government, the NHS and other public sector bodies combined accounted for 388 (nearly 65%) of all the breaches reported.

While the seriousness of a data breach is never underestimated, the effects are possibly less easy to quantify. Reputationally, at least, the effects are the same no matter whether the organisation is a public or private sector one: confidence and trust in the organisation are seriously undermined. The penalties imposed by the Information Commissioner’s Office for serious data breaches – up to £500,000 – also apply equally across the public and private sectors. From a media standpoint, however, the ‘story’ of a data breach tends to attract more attention when it is a public body that has lost data: not least because the quantity of data collected and stored by such organisations tends to be so much greater. But the question in everyone’s mind remains the same: what might happen to the data that has been lost or stolen and is any of it about me?

Potentially, of course, nothing happens to it. If a data breach occurred through the theft of an unencrypted work laptop, it is highly likely that it was the laptop – rather than the documents contained within it – that was the target for the thief. But even in such situations, the potential for mischief looms large in the minds of those responsible for the data breach and of those whose data is at risk.

Data is the new currency
The age-old aphorism states that knowledge is power. Data, of course, is a key source of much knowledge. In the private sector, the threat of identity fraud (the use of a completely fictitious identity or the impersonation of a genuine individual to gain products or services in the victim’s name) is one that has become more prevalent over the past five years. Identity fraud, in cases of impersonation of course, is a prime example of how powerful knowledge can be. In 2010, identity fraud accounted for nearly one half of all frauds (47%) recorded by Members of CIFAS – the UK’s Fraud Prevention Service – and, given that the same fraudsters attack both public and private bodies, the threat has to be seen as universal.

The case of ‘David Peters’ (a prolific identity fraudster based in North London) is a prime example. Over several years, Peters systematically defrauded both public and private sector organisations using fraudulent passports, driving licences and national insurance numbers totalling at least 131 different identities. Police and DWP investigations established that Peters made at least £1 million from defrauding, among others, CIFAS Member organisations and local councils. Indeed, Judge Gerald Gordon, when sentencing ‘Peters’, noted: “I have not the slightest idea what your actual name is.”

In addition to the overall scale of identity fraud, the number of individual victims of impersonation recorded on the CIFAS database has continued to increase, from 77,500 in 2007 to 102,600 recorded in 2010.

For any of those victims, one of their first questions will tend to be ‘how did the fraudster get my details?’ There are numerous ways that details could have been gained, ranging from the fraudster being a friend or relative, through to a handbag or case being stolen, skimming, phishing, details being freely available through online sites such as Facebook and – of course – data breaches.

Understanding the fraud problem
For an identity fraud to be successful, the fraudster needs to have enough information to impersonate the applicant plausibly. In other words, the details provided need to be correct or seem correct. Therefore, when data is lost or stolen (data that has already been verified by the body collecting it as correct and up to date), a criminal potentially has access to a treasure trove of correct details: full names, addresses, postcodes, employment details, contact details, bank account numbers etc. If an organisation (be it a Government department, a local authority or a bank) is unaware of the data loss or breach, and then receives an application or service request that looks and seems genuine, filled with correct data, then how is it to know that the application is not genuine?

The problem is the same no matter who lost the data: benefit records and credit card customer details are equally valuable to a fraudster and the greater the quality and quantity of data, the greater the potential criminal damage that can be caused. So, in such situations, what duty of care does this impose upon the bodies that have suffered a data breach?

Data sharing – the acceptable way of battling identity fraud
Members of CIFAS share information on proven frauds in order to prevent further fraud and, during the last five years, Members have reported fraud savings of £4 billion through the use of the CIFAS National Fraud Database. By sharing information on confirmed frauds, Members are able to verify applications and carry out additional checks to ascertain whether the application is fraudulent or not. Details of victims of impersonation are also shared in the same way. By sharing this information, organisations that have been attacked by fraudsters are fulfilling the ultimate duty of care: demonstrating that fraud is a shared problem, noting that the innocent victim has been impersonated, and informing other bodies that additional checks must be made to verify the application’s validity (or lack of it).

Protection is also available for those whose personal data has been lost or stolen. For organisations who choose this option, CIFAS Bulk Protective Registration would place a warning flag on the CIFAS National Fraud Database against the names and details of every person whose personal data had been compromised. This would alert any CIFAS Member receiving an application in that person’s name to carry out additional checks and verify that the application or claim came from the genuine individual and not a fraudster impersonating him or her. Bulk Protective Registration not only helps a data controller fulfil its duty of care to affected customers, but it helps proactively to address and counteract the criminals that could be attempting to inflict further reputational and financial damage on organisations and individuals alike.

The threat is everywhere
In 2010, over 11,000 bank accounts were targeted by identity fraudsters. This was in addition to over 44,000 mail order accounts, 23,500 plastic card accounts and nearly 17,000 communications accounts. There have even been identity frauds targeting life insurance and pension policies. Considering that insurance covers a named party, this indicates that the false identities are likely to be used for more than just acquiring funds (e.g. obtaining fake driving licences or passports). In other words, every product or service can be targeted by an identity fraudster: benefits, passports and numerous other public sector offerings included – as the case of ‘David Peters’ has demonstrated.

Any organisation that has suffered a data breach must recognise that its first priority is the protection of those whose data is at risk. By taking reasonable steps to ensure that victims are informed and protected, and their vulnerability to identity fraud is communicated to them (and other organisations), those bodies that have suffered a data breach will take the power away from the data thieves. This helps to prevent further individuals becoming victims of identity fraud and, in turn, helps to save vast sums from being lost to fraudsters.

About CIFAS
Kate Beddington-Brown is Head of Communications at CIFAS, the UK Fraud Prevention Service – a not-for-profit membership association representing the private and public sectors. CIFAS is dedicated to the prevention of fraud, including staff fraud, and the identification of financial and related crime. CIFAS operates the National Fraud Database (NFD) and the Staff Fraud Database (SFD).

www.cifas.org.uk


Published by PSI