WASHINGTON - Personal information about Americans is stolen or lost from some government or private computer almost daily, but congressional auditors can link only a few identity thefts to the breaches.
That's primarily because links are so hard to find that nobody knows how frequently security lapses lead to fraud, the Government Accountability Office said last week.
"No comprehensive data are available on the consequences of data breaches" from law enforcement agencies, industry and trade associations, consumer groups or privacy advocates, according to GAO, which is Congress' auditing arm.
At the federal level, investigators questioned the FBI, Secret Service, U.S. Postal Inspection Service, and Immigration and Customs Enforcement.
"Representatives of all these agencies told us that their investigations of data breaches do not typically allow them to fully ascertain how stolen data are used," the GAO said. "Similarly, they noted that investigations of identity theft do not always reveal the source of the data used to commit the crime."
But when links are found, the damage can be expensive.
The Comptroller of the Currency said more than $13 million in fraudulent charges on customers' cards were reported by 24 banks as a result of a hacker gaining access in May 2005 to names and account numbers at CardSystems, which processes credit card payments.
In 2005, the Federal Trade Commission settled with BJ's Wholesale Club over alleged security breaches that resulted in several million dollars in fraudulent purchases using customers' credit and debit card data.
At the Federal Deposit Insurance Corp., an intern allegedly improperly accessed data and used it to take out more than $425,000 in fraudulent loans in the names of FDIC employees.
GAO looked at 24 of the largest reported breaches between January 2000 and June 2005 in state governments, colleges and universities, retailers, medical facilities, and financial and information services companies.
Compromised data was used to open unauthorized new accounts in one case and to commit fraud on existing accounts in three cases. There wasn't information to tell if harm resulted in two cases.
In 18 cases, no identity thefts could be attributed to the breaches. Victim company representatives said sometimes they could tell no unauthorized person had looked at the data. But in other instances where they were not aware of any fraud, "they acknowledged that there was no way to know for sure," GAO said.
New York state, which requires public and private entities to report breaches, recorded 225 of them in the 302 days after Dec. 7, 2005.