By Lauren Reynolds, Rose Law Group attorney focusing her practice on cyber security and Dan Gauthier, law clerk
Data breaches have become a frequent occurrence. If your personal information has not been compromised in such a breach, you might know someone whose information has been. Despite the prevalence of such incidents, however, not much is known about what happens to one’s personal information after it has been compromised. The Federal Trade Commission [FTC] recently released a study attempting to track the use of consumer data. The findings have been made public and are eye-opening.
In the study, FTC researchers created around 100 consumer “accounts,” which included fake consumer data such as name, address, phone number, email address, password, and payment mechanism (online payment account, Bitcoin wallet, or credit card). It was not specified whether the passwords belonged to the email address or payment mechanisms. The data were posted twice – one week apart – on a Website known to attract identity thieves. Researchers monitored the data for two weeks and logged email access attempts, payment account access attempts, attempted credit card charges, and texts and calls received by the phone numbers.
The first data posting attracted about 100 views, while the second posting was picked up by a Twitter bot and attracted about 550 views.[1] About 90 minutes passed after the first posting before an unauthorized access attempt, while after the second posting, there were attempts within nine minutes. There were more than 1,200 unauthorized access attempts during the entire data collection period (two weeks).
More than 90 percent of all email addresses, credit card numbers and payment accounts had unauthorized access attempts during the data collection period. In fact, on the day of the second posting alone, more than 90 percent of the credit card numbers had unauthorized charge attempts. The largest credit card purchase attempt was $2,697.75, on a clothing Website. All credit card charge attempts within two weeks totaled $12,825.53.
This study makes one thing clear: If consumer information is posted for the public, it will be used. Moreover, once consumers have notice of a data breach, it is likely too late to take preventive measures because data are used within hours, or even minutes, of being made available.
Though consumers are rarely able to prevent data breaches or fraud, they should take other proactive steps to avoid identity theft and minimize the harm if it occurs. Consumers should be vigilant, monitor payment accounts, and more effectively secure online accounts.
Consumers can set automatic alerts for suspicious, large or international purchases and manually review accounts for small test charges, which thieves use to see whether the payment account is viable. In addition, consumers can enable two-factor authentication everywhere they can: email addresses, banks, social media accounts and more. Such authentication provides an additional line of defense. This, however, is by no means an exhaustive list of proactive steps that can be taken by consumers, nor is it a guarantee against the risk of identity theft.