At Target, 40 million customers had their credit-card information exposed to hackers. At JPMorgan Chase, personal details associated with 80 million accounts leaked. Last month, a hacker gained access to 4.5 million records from the University of California, Los Angeles, health system.
Enormous numbers like these can make it feel as if we’re living through an epidemic of data breaches, in which no one’s bank account or credit card is safe. But the actual effect on consumers is quite different from what the headlines suggest. Only a tiny number of people exposed by leaks end up paying any costs, and for the rare victims who do, the average cost has actually been falling steadily.
How could that be? For starters, several laws protect consumers from bearing almost any financial losses related to hackers (though not the headaches of having to enter new credit-card numbers into Amazon and elsewhere). Instead, banks and merchants, like Target, must bear the cost. But even their losses have been dropping in recent years, as data security experts have learned new strategies to prevent intrusions from turning into theft.
“The bad guys are getting good,” said David Robertson, the publisher of The Nilson Report, a data provider for the card industry, “and the good guys are getting even better.”
It’s true that data breaches, particularly those in which Social Security numbers are compromised, can lead to a more devastating sort of identity theft, in which criminals open new financial accounts in a person’s name and do damage that can take years and a lot of work to clean up. But consumers are almost never on the hook for financial losses in these sort of episodes, which, by the way, have also been on the decline.
This relatively sanguine picture of the impact of data breaches is an example of a threat that looks worse than it turns out to be. The sheer size of hackings shocks and startles when the attacks are first reported, but it’s rare that journalists check on the actual consequences.
The statistics do not mean that data security is not a real issue for the authorities and consumers to think about. Even if the hackers don’t use your credit cards, there are instances in which leaked data of other kinds can be damaging in itself, as was clear in the recent episodes at Sony Pictures and Ashley Madison, the website that connects prospective adulterers. There are also serious geopolitical concerns about foreign hackers compromising national security if they get a hold of military maps or staff lists from the C.I.A.
For the companies and banks that bear the cost of stolen credit card numbers, the expenses are very real. Criminals racked up $7.8 billion in fraudulent purchases last year, with banks paying 62 percent of that amount and merchants the rest, according to The Nilson Report.
To prevent fraud in the first place, banks are currently introducing cards with so-called E.M.V. chips, which make counterfeiting cards – the most prevalent sort of fraud currently – much more difficult.
Though serious identity theft has been on the decline in recent years, many security experts are expecting that to change as dedicated criminals, whose easy counterfeiting is foiled by E.M.V. chips, start to focus their hacking on getting Social Security numbers and other data that enables them to open new accounts, said Mr. Robertson, at The Nilson Report.
“For the bad guys, your five-year growth plan is not data breaches and stealing credit cards,” Mr. Robertson said. “It involves stealing all the info you can and opening legitimate accounts in people’s names.”
Ultimately, the problem will still require businesses, and individuals, to stop the thefts from happening in the first place. Read more…