Cyber Defense Magazine – August 2019


Which begs the question: What’s the responsibility of corporations toward fraud and identity theft?


Of course, organizations have the obligation to protect their customers’ information. If not by law, it is a
moral responsibility when people trust you with so much sensitive information. But I think it goes beyond
that. Many would argue (myself included) that organizations have a corporate social responsibility not
only to protect their customers from fraud, but to act more widely to prevent fraudsters from using
information obtained elsewhere. Not only should we prevent the data breaches that lead to information
being stolen, but corporate responsibility should also guide us in preventing that information from being
used in our own organization. Ethical standards and rules, supported by technology, need to be part of
every single organization’s cybersecurity strategy.


Understanding Data Breach Fallout: From the Dark Web to Funding Other Crimes


Perhaps one of the best ways to articulate why organizations need to step up their cybersecurity strategy
is to better understand what happens to stolen data.


The market for personally identifiable information (PII) on the dark web is massive, and over the years,
fraudsters have become more sophisticated in their ability to acquire more than just one PII item.
For instance, the 2017 Equifax data breach revealed not just the names but also the social security
numbers, birth dates and addresses of almost half of the total U.S. population (143 million individuals)—
critical, personal information that is like gold to fraudsters. And although, according to The Identity Theft
Resource Center, the overall number of U.S. data breaches tracked decreased the following year by 23%,
from 1,632 data breaches in 2017 to 1,244 in 2018, the reported number of exposed records containing
sensitive PII jumped an alarming 126% between 2017 and 2018, to more than 446 million.


The shelf life of this type of stolen data is oftentimes long: it is made available to the highest bidder on
the dark web and then sold for a couple of dollars apiece, or at bulk prices for credit card numbers. When
illegally acquired user-generated passwords and PINs are added to the mix, this underground
marketplace can be quite lucrative for cybercriminals, who use the profits to purchase goods as well as to
fund terrorist groups and other criminal activities.


This all being said, in the case of the Equifax data breach, is Equifax the only responsible organization,
or should we also look at organizations with too few controls in place, which allow new accounts to be
set up using the Equifax breach information? What’s the extent of a corporation’s responsibility toward
the usage of stolen data? Is it just global risk assessment and accounting for potential losses in the overall
budget, or does it extend beyond that?


Furthermore, what role did the corporation accepting the risk or the bad debt play in facilitating such
criminal activities?


Bottom line: the focus on protecting our customers’ data is oftentimes insufficient. We must also put
controls in place to prevent fraudsters from exploiting our organizations for profit using previously stolen
data.
