We found that fewer than 1 in 1000 of the breached identities were found in subsequent risk events (a fraudulent credit card application, for example). The distribution was very skewed, though. Customer identities uncovered by large-scale (and presumed to be untargeted) breaches were rarely used in risk events, but customer identities uncovered by small-scale (and presumed to be targeted) breaches were much more likely to be found in risk events. You can see why, because if your name and details are on a stolen laptop somewhere, you're probably safe. But if a thief steals your post, they may well use it.
The person who steals your identity might not be a thief or a call centre worker. Data stolen by friends and family is generally called "familiar" or "family fraud". It seems like it would be considered a data breach, but historically it has not been, and so it does not show up in statistics. But a colleague of mine pointed out that social networking sites like MySpace and Facebook might actually create additional "familiar fraud" because social networks extend and publicise your family and friends network, which is an interesting point to reflect on.
Anyway, the main point I wanted to share from our research is: data breaches are bad, but they are all very different. The risk to a specific consumer depends on 1) what was taken, 2) how it was taken, and 3) how much data was taken.