When Equifax announced Thursday that a massive hack had compromised the personal information of 143 million Americans, it became the latest in a long list of companies forced to warn consumers it had just exposed them to potential identity theft. Other members of the Massive Hack Club include Yahoo (500 million people), Target (110 million), LinkedIn (117 million) and Home Depot (50 million).
Yet despite the ocean of Social Security numbers, passwords, credit card numbers and mother’s maiden names stolen by hackers in recent years, identity theft remains a relatively rare phenomenon. Only about 15 million Americans suffered some form of identity fraud in 2016, according to Javelin Strategy & Research, and only an estimated 41 million Americans have ever been victims of identity theft, according to a 2016 Bankrate.com survey.
While those numbers are not to be taken lightly — by comparison, only 1.6 million home burglaries occurred in the US in 2015, according to the FBI — they still represent just a tiny fraction of the Americans who have had their personal information compromised. Why, with so much pilfered data available to fraudsters, have more Americans not become victims of identity theft? Why is so much stolen data seemingly going unused?
The primary reason, security experts say, is there simply aren’t enough qualified criminals to use all that information. “While these fraud rings are very active and they’re stealing billions of dollars, there are only so many of them,” said Shirley Inscoe, a senior analyst with the Aite Group, a business and technology research firm. “They literally can’t use all of this data.”
That may be cold comfort to anyone who’s had their checking account number stolen. But the realities of identity theft are far more complicated than news stories about corporate hacks tend to suggest. The truth is, once hackers have your personal information, they still have to package it, market it and resell it to buyers — typically one of the aforementioned organized crime rings — that can make use of it. This usually takes place on the “dark web,” an underworld of encrypted sites that can’t be accessed via standard browsers or search engines.
Moving millions of bytes of stolen data is not unlike trying to sell a hot Picasso: Even if you can find a buyer, the reward doesn’t always justify the risk.
“The ability to monetize and take action on that data, there’s really not the level of sophistication to do as much with it at scale,” said Theresa Payton, chief executive and founder of cybersecurity firm Fortalice and a former White House Chief Information Officer.
And not all identity fraud is created equal, with many lesser forms of the crime going undetected by the victims. “Pure identity theft is when a criminal actually takes over someone else’s entire identity to apply for a loan or a credit card or something along those lines,” said Inscoe.
In those cases, the victim may find his or her savings suddenly depleted and his or her credit rating destroyed. But there are smaller-scale identity crimes, such as using a real Social Security number to create a fake, or “synthetic,” person who establishes an independent credit record. Some fraudsters will even use stolen health data to order prescription drugs or medical equipment they can then sell on the black market. In both cases, victims can remain unaware their data was even used.
Still, the large majority of data stolen in these corporate breaches never gets used in any subsequent crime, raising questions about why a hacker would take the time to infiltrate well-guarded systems just to steal something they’ll never profit from. The answer, Inscoe says, is that money is often the last thing on a hacker’s mind.
“Their goal may be to cause a ripple in the economy or to damage a major US company,” she said. “There are also political motivations for these crimes. It exposes vulnerability and causes people to lose confidence” in the financial system. And perhaps most insidiously, some hackers just want to show off. “It demonstrates they can do it, and that’s important to a lot of hackers.”
We may never know the objectives of the hackers in the Equifax case, which Payton predicted would “go down as one of the worst data breaches in history” thanks to the permanent nature of the stolen information. “We’re not getting new Social Security numbers, we’re not getting new dates of birth,” she said. “This is not like a stolen credit card.”
Indeed, New York Attorney General Eric Schneiderman on Friday said he had begun a formal investigation into the breach, and House Financial Services Committee Chairman Jeb Hensarling (R-TX) said that his committee would be holding a hearing, calling it “a very serious and very troubling situation” that was “becoming all too common.”
But even if years go by with no evidence that criminals are profiting from the stolen Equifax data, that does nothing to reduce the possibility that they eventually will. Inscoe tells a story that illustrates what makes these sorts of data breaches so frightening: Some years back, hackers were caught stealing personal data from a major university in the South. Asked why they would bother stealing the personal data of students — people with little to no income or net worth — the hackers replied that they didn’t intend to use the data anytime soon. “‘We’re just going to sit on it for 10 years till they become doctors and lawyers and professionals,’” she said. “‘Then we were going to use it.’”
“These organized crime rings are run like a business, and they are highly profitable,” Inscoe said. “This is literally big business, and they are not thinking short-range.”