Security Breach, Massive vs. Minor, Which is Best?

Is a massive security breach better than a small one? ID Analytics, a San Diego based fraud detection company, recently analyzed four recent security breach cases involving 500,000 accounts. The six month study compared the information which was compromised to applications for credit. They discovered that the smaller the breach, the more likely it is that the information would be used.

Mike Cook, ID Analytics co-founder, said “If you’re in a breach of 100, 200 or 250 names, there’s a pretty high probability that you’re identity is going to be used.” It is believed that the perpetrator can only use 100 to 250 identities in a year. If a breach is very small as to the identities compromised, there is a strong likelihood that the data will be used. If the breach yields more names and associated information, there is a lesser chance that any one will be used. Statistically they believe that only 1 in 1,000 identities will be used.

This is good news, in a way, because it says that only so much data can be used in a given period of time. It isn't good if you or your customer is the one in 1,000. And you must still react to the data breach. Using the FCRA, credit card loss reports and other tools available to raise red flags, can help mitigate the potential damage caused by the use of the data. The quicker these flags are raised, the less likely it is that the data will be useful. If no flags are raised, no precautions taken, the data has a longer shelf life and the risk of use in the long term is higher.

If your website has information on identity theft, this 1 in 1,000 statistic may provide some comfort to your customers. This is especially so when combined with your proactive stance on security and data theft prevention. You should clearly describe to your customers what you do, but in very general terms. Let your customers know that you take the security of their information seriously.