The last few years have been particularly eventful, and 2015 will be remembered for many momentous milestones. For those of us involved in security and fighting fraud online, we will remember it as a big year for major data breaches.
A report carried out by PwC examining UK data breaches showed that not only had there been a rise in 2015 but that the scale and cost of these breaches had doubled. The report concluded that data breaches, for large business are “a near certainty.”
In the short term, these attacks mean less consumer confidence and less business for the businesses that were breached. There is also the question of liability. If data is lost, firms could find themselves in breach the Data Protection Act (1998) and subject to prosecution. It is not surprising, then, that Lloyds of London has reported a marked increase in data breach liability insurance policies being written.
Yet there is one issue that doesn’t often get the coverage that it deserves; what is happening to all this leaked data? What, for example, is happening with the 600,000 plus personal and financial details that JD Wetherspoons lost? Who is using the bank details from the UK’s leading banks? And what are they using it for?
The simple fact is that this data ends up in the hands of criminals: either the criminals who carried out the breach in the first place or sold onto others.
Financial Fraud Action UK (FFA UK) is the UK’s financial industry anti-fraud group and works alongside a dedicated police force to monitor and combat financial fraud in the UK. In March this year, it published its 2015 year-end report, announcing, as said at the top of the article, that “financial fraud losses across payment cards, remote banking and cheques totalled £755.0 million in 2015, an increase of 26 per cent compared to 2014.”
When looking for key drivers behind this huge increase, the experts at FFA UK are in no doubt: “The rise across all fraud loss types during 2015 owes much to the growth of impersonation and deception scams, as well as sophisticated online attacks such as malware and data breaches.”
The message is crystal clear: data breaches in the UK are a significant cause of the increase in financial fraud in 2015.
It might seem obvious, but this is the first time that these two trends have been linked causality demonstrated. The continued rise of CNP fraud in the UK is being driven by, among other things, the data illegally obtained via data breaches.
Of course, it’s not just the financial data that is valuable, personal data is valuable too. According to Action Fraud UK, the UK’s national fraud and cyber-crime reporting center, fraudsters need only know a customer’s name, date of birth and address to open bank accounts and access credit in their name, which they can then utilize to take over their existing accounts and cards. When this information is taken from data breaches, fraudsters are able to get to work straightaway.
Data breaches should be seen as a four-minute warning for anyone looking to guard against fraud. When a breach happens, that means hundreds of thousands of records of personal and financial information are getting into the hands of criminals and it will not be long before they are used for fraud.
Businesses who have suffered a breach are legally obliged to inform those whose data has been compromised so that they can take action to protect themselves. But, equally, merchants should take heed of data breaches as an early warning that fraud is about to increase. Whether this means investing in new anti-fraud or security software or tightening the rules of existing protocols is up to the merchant.
Yet what is in no doubt is that data breaches mean fraud will spike, and merchants should be prepared.