The Stamford, Conn.-based research firm said in a report released Tuesday that 15 million Americans suffered from identity theft between mid-2005 and mid-2006. That's a 50% increase since 2003, when the Federal Trade Commission (FTC) reported 9.9 million American identity theft victims. The people Gartner surveyed weren't affected by the more recent TJX breach, but that company's mistakes mirror the failures of other merchants to protect customer data, said Avivah Litan, a vice president at Gartner.
"This survey shows that the efforts of IT professionals to protect customer data aren't working very well," she said. "It has taken a lot of work to get companies compliant with the PCI Data Security Standard (PCI DSS) and in many cases IT departments aren't getting the necessary financial support from upper management."
Litan's research included an online survey of 5,000 U.S. adults. Based on feedback from those respondents, she found that:
- The average victim lost $3,257 in 2006, up from $1,408 in 2005.
- The percentage of funds consumers managed to recover dropped from 87% in 2005 to 61% in 2006.
- The average loss on new account fraud more than doubled from $2,678 in 2005 to $5,962 in 2006.
- Unauthorized charges to credit cards rose nearly fourfold from an average of $734 in 2005 to $2,550 in 2006.
"Hackers are exploiting Internet auctions, non-regulated money transmittal systems, the ability to impersonate lottery and sweepstake contests, and other types of imaginative scams," Litan, said. "The thieves have also discovered the weakest links in the U.S. payments systems. Typically the weak links are found among the five or more million businesses that accept electronic payments from consumers, and the consumers themselves."
Electronic theft of sensitive information is a leading cause of credit card, debit/ATM card and bank account transfer fraud, she said.
Using the TJX breach as an example, she said one of the retail giant's biggest mistakes was storing credit card data it didn't need to store. Several auditors who check companies for violations of the PCI Data Security Standard (PCI DSS) made the same observation last week, and said TJX will almost certainly pay a heavy financial price for its PCI DSS violations.
Framingham, Mass.-based TJX acknowledged in January that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check and merchandise return transactions.
The breach was worse than first thought, TJX officials admitted two weeks ago. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, the ongoing investigation uncovered evidence that the thieves also were inside the network several other times, beginning in July 2005.
Of course, TJX is only one of many companies to have disclosed a serious data breach. According to a list tallied by the Privacy Rights Clearinghouse (PRC), more than 104 million records containing sensitive personal information have been involved in security breaches since early 2005.
Regardless of the method used to steal data to commit new account fraud, Litan said this kind of fraud can be largely prevented if companies use identity verification and scoring services.