Experts: Small Risk of Identity Theft in Ohio ‘s Stolen Computer Tape Case

June 27, 2007

The staggering amount of personal information contained on a stolen state computer tape has worried Ohio residents and led Gov. Ted Strickland to call nearly daily briefings since the device was stolen a week ago.

But the sheer amount of information, including the names and Social Security numbers of nearly 400,000 people, means that the state employees, taxpayers and others unlucky enough to be on the tape are actually at a very low risk of having their identities stolen, experts said.

A company that has studied data breaches said personal information is at much greater risk when a particular person or small group of people is targeted, an everyday occurrence with no public announcement to scare away potential thieves.

You are much more at risk if someone goes through your garbage can than if you are part of a large data breach, said Thomas Oscherwitz, vice president of government affairs and chief privacy officer for San-Diego based ID Analytics.

“In that case you are a targeted victim as opposed to a large population where it will be difficult for a fraudster to go through that list,” Oscherwitz said.

The theft was revealed June 15 and Strickland held briefings all but two days of the following week.

Being part of a large data breach is not a prerequisite for identity theft. It can happen to any individual, said Jay Foley, executive director of the Identity Theft Resource Center.

“It will happen to just about everybody, eventually,” Foley said.

ID Analytics, which provides identity-risk management services to some of the country’s largest financial and wireless companies, conducted a study of four data breaches covering about 500,000 consumer identities.

Less than one-tenth of 1 percent, or one in 1,000 identities, was subjected to fraud in the breach the company described as an intentional target by identity thieves. The smaller the data set, the greater the chances that individuals will be victims of identity theft, the company found. ID Analytics said it could not release the specifics of the breaches because they have confidentiality agreements with the organizations supplying the data.

The sample size of the study was small, but the company claims it is the only comprehensive study that has been conducted using information from actual data breaches.

It’s important to differentiate between the types of data breaches when determining risk, Oscherwitz said. Breaches masterminded with intent carry much greater risk than incidental thefts of computers or other devices, or a misplaced data storage device.

The case in Ohio has several barriers to identity theft. The backup tape, stolen out of the car of a state intern on June 10, appears to be part of a ring of theft that targeted a radar detector and stereo equipment in three different cars, what Oscherwitz called an incidental theft.

Additionally, Strickland has made a string of public announcements that have led to more than 20,000 people signing up for free identity-theft protection and put any potential thief on alert that accounts are being watched. The study performed by ID Analytics on the data breach targeted intentionally for fraud showed a decrease in activity once public notification was made, Oschwerwitz said.

Strickland has said getting access to the information on the tape to begin with would require specific hardware, software and expertise _ another barrier _ although data security experts have said a thief with time, computer skills and financial resources could get the information because the data was not encrypted.

The sheer number of identities on the tape _ nearly 400,000 _ significantly lowers the risk of any one individual’s identity being stolen, Oscherwitz said. There’s a practical explanation.

If a thief spent five minutes filling out an account application per identity and worked 61/2 hours a day, it would take the thief over 50 years to use all the data containing 1 million identities, the company said. Paying others a modest wage to help and get through the data in a year would cost nearly $1 million.

But there’s one wild card in the rapidly growing world of identity theft that could turn the theory upside down.

“Once the information is out there it can be sold on the black market to people overseas,” said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse.

“If I were to get a million names and Social Security numbers, I’d be selling them off,” Foley said. “There’s going to be a black market.”

Oscherwitz said his company’s studies are simultaneously comforting and alarming.

“The evidence is there’s less fraud than one would expect,” he said, but the criminals are “very sophisticated.”

Was this article valuable?

Here are more articles you may enjoy.