Research and Statistics

Study: Data breaches pose a greater risk


It used to be that just 1 in 9 victims of a data breach had the hacked info used against them. Now the odds are 1 in 3, says a new study

The content on this page is accurate as of the posting date; however, some of our partner offers may have expired. Please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.

The risk level is growing for anyone whose information is stolen in a data breach.

In 2010, you had a one in nine chance of becoming a victim of identity theft after your financial or personal information was swiped. Today, your odds have increased to one in three, according to a survey of ID theft victims by the National Consumers League (NCL) and Javelin Strategy & Research.

In the five years that Javelin has studied the link between data breaches and identity theft, “the relationship has grown stronger every year.”

Study: Data breaches pose a greater risk

Thieves steal information to make money, says Al Pascual, Javelin’s senior analyst of fraud and security, and co-author of the study, “The Consumer Data Insecurity Report.”

Along with the risk to consumers, the financial stakes have soared. Fraud committed with existing credit cards and debit cards jumped from $8 billion in 2012 to $11 billion in 2013.

The bad guys no longer rely on Dumpster-diving and stealing mail to get their hands on your personal and financial information. Instead, they hack into computers and sell the information they steal on the black market.

“This is a global organized-crime underground,” says report co-author John Breyault, vice president of public policy, telecommunications and fraud at the National Consumers League (NCL). “They collect information any way they can and monetize it as quickly as possible.”

The Target data breach that began last year — and which impacted up to 110 million consumers — shone the spotlight on such breaches, raising awareness of the risks they pose.

“We see this as the real tipping point,” Breyault says.

In that incident, between 1 million and 3 million debit cards and credit cards were sold on the black market and used to commit fraud, according to the NCL. The cards went for between $18 and $37.50 each.

The Target case underscores the challenge facing retailers and other organizations that collect your personal data.

“How do you keep bad guys from getting in, and keep the good data from getting out?” asks Bob Olson, vice president of the global financial services unit at Unisys.

The Target breach garnered the most national attention, but the company was far from alone. In 2013, the Identity Theft Resource Center received 614 reports of data breaches that exposed almost 92 million personal records, ranging from credit card and debit card numbers to Social Security numbers.

Americans are taking notice. In the 2014 Unisys Security Index, more consumers reported they were afraid of abuse of credit card data and identity theft than they were of war and terrorism.

The survey of more than 1,000 people found 59 percent were “extremely” or “very” concerned about the abuse of their credit and debit card data. That compares to 52 percent of respondents who reported those levels of concern in the 2013 survey.

In addition, 57 percent in the 2014 survey said they were “extremely” or “very” concerned about identity theft, up from 54 percent the previous year.

Olson says he’s not surprised by the results: “It’s based on what’s really on the top of your mind.”

What happens to your information?
In many cases, stolen credit card and debit card numbers are used to make purchases online, Pascual says. But rather than stocking up on items like flat-screen TVs, crooks are using the cards for small transactions so they “fly under the radar.”

Criminals also are staying local. If card information is swiped in Texas, it’s more likely to be used in Texas than halfway around the world. That helps crooks avoid suspicion.

Credit cards and debit cards are most valuable on the black market before a data breach has been discovered and publicly disclosed, Pascaul says. At that early point, “there are no controls in place and the chance of committing fraud is higher.”

  1. Monitor your debit and credit cards for unauthorized charges.
  2. Keep an eye on your credit report. You can get a free report from each of the three main credit reporting agencies annually through
  3. If you spot a problem, regardless of how small, report it immediately.
  4. If you were using a debit card, change your personal identification number (PIN).
  5. Do not respond to calls or emails from scammers that ask you to verify your account information.
  6. Stay vigilant. Your information could be used by crooks months after the data breach.

Sources: Consumer Financial Protection Bureau, National Consumer League

With major data breaches, two sets of bad guys are typically involved — the data thieves, and the buyers of stolen data, says Michael Bachmann, associate professor of criminal justice at Texas Christian University in Fort Worth, and an expert on cybercrime.

The first group of bad guys includes skilled hackers who have the expertise to get into sites and steal your information. They do not want to run the risk of actually using the data, so they sell it in bulk online. Bitcoin is the currency of choice, Bachmann says.

The Target data breach was the first time in which more than 1 million card numbers were offered for sale in bulk on the black market, Bachmann says.

Those buying stolen data look at the number of cards up for sale and whether or not the credit card information is complete. To make sure the cards will work in transactions, buyers may test the cards by making small charges to charitable organizations, Bachmann says.

For example, they may do “salami slicing” — making a series of small transactions for less than $10 that don’t come under the same degree of scrutiny from consumers and credit card companies, Bachmann says.

In January 2014, for example, the Better Business Bureau warned of fraudulent charges of $9.84 popping up after credit card numbers had been stolen. “The expectation is that many cardholders won’t notice the relatively small charge, and the credit card companies won’t go after such a minor sum,” the BBB said.

Along with stealing credit card and debit card data, crooks also are on the hunt for personal information. Social Security numbers are viewed as the “keys to the kingdom,” Pascual says. Social Security numbers are used to open new accounts, and to commit tax fraud and medical identity fraud.

As the “de facto national identification,” it’s almost impossible to get your Social Security number replaced once it has been stolen, Pascual says. Unlike credit and debit cards — which are canceled if fraud is discovered and cannot be resold on the black market — Social Security numbers can be sold repeatedly. “Once a criminal has it, he can continue to use it on a whim,” Pascaul says.

Bachmann says the same black market websites that sell credit and debit card information also sell personal identification, such as Social Security numbers, in bulk.

Criminals also can purchase passports and birth certificates at these websites. The prices these documents command varies by the country of origin. Documents from the United States are high-value targets.

A false sense of security
If the bad guys get their hands on your financial or personal information, they might not use it for months. So even if you do not see fraud occurring within a few weeks of a data breach, that does not mean you are in the clear. “That’s sort of a false sense of security,” Olson says.

A surprising one-third of fraud victims did not take steps to prevent further fraud, the NCL/Javelin study found. For those who did take action, nearly one-quarter set up email or mobile alerts on their credit cards or bank accounts. Another one-quarter set up fraud alerts on their credit reports.

It’s very difficult to be a participant in the modern economy and have zero vulnerability.

—  John Breyault
National Consumers League

And if the crooks have luck hacking into a site once to get information, they may come back again to see what else they can pilfer, he says.

Pascual warns that if criminals get their hands on the password for one of your accounts, they will try to use it with other accounts, because people tend to reuse their passwords. “As the number of accounts increases, fraud increases,” Pascual says.

Rather than coming up with complex passwords with a lot of numbers and alternative characters, he recommends using “the longest password you can remember. Length is always your friend.”

The move is now underway to switch from issuing credit cards with magnetic stripes to issuing cards that are chip-enabled. Chip cards store data in microprocessors and generate unique authorization numbers for each transaction, making the cards harder to copy or counterfeit.

However, chip-enabled cards are not a panacea. In Great Britain, the switch to chip-enabled cards meant a decline in fraudulent use of credit cards in person, but it did nothing to stop online fraud.

It’s no silver bullet,” Breyault says. “It’s very difficult to be a participant in the modern economy and have zero vulnerability.”

“The odds are you’ll be a data breach victim at some point,” says Pasqual.

See related:Data breach protection: 10 tips, What to expect, do after a data breach, Data breaches turn spotlight on EMV cards

Editorial Disclaimer

The editorial content on this page is based solely on the objective assessment of our writers and is not driven by advertising dollars. It has not been provided or commissioned by the credit card issuers. However, we may receive compensation when you click on links to products from our partners.

What’s up next?

In Research and Statistics

CFPB expands complaints system to prepaid cards, pawnshops

The federal consumer watchdog significantly expanded its consumer complaints program to include an array of financial products found outside banks

See more stories
Credit Card Rate Report Updated: December 2nd, 2020
Cash Back

Questions or comments?

Contact us

Editorial corrections policies

Learn more