Identity Theft Statistics in 2020

Will Ellis
Will Ellis — Last Updated on August 19, 2020

identity theftIdentity theft has become one of the main scourges of the modern Internet era, posing challenges for consumers and law enforcement alike. Identity theft statistics lays bare the persistence of these fraudulent scams and brings to stark relief the price paid by victims.

For those of us not yet up to speed on what constitutes identity theft, it occurs “when a criminal appropriates an individual’s personal information such as name, address, date of birth or Social Security number to assume that person’s identity to commit theft or multiple types of fraud.” 

The growth of the Internet, the increasing dependence on e-commerce, along with the explosion of social media has created the perfect storm of opportunity for criminals to steal and exploit people’s identity. 

But the popularity of identity theft among the underworld stems from the ease to pull it off and monetize the stolen personally identifiable information (PII).

  • One in ten URLs are malicious
  • There were more reports filed about Identity theft in all its various manifestations in 2019 (20.3% of all reports), than any other type of complaint.
  • Formjacking attacks compromised, on average, about 4,800 websites each month
  • Gaining access through unauthorized methods accounted for 86% of the sensitive records that were exposed
  • It was discovered on March 25 that the Small Business Administration (SBA) data exposed 7,000 businesses applying for emergency loans
  • The worst data breach recorded in 2019 occurred in July with the Capital One Financial Corp. where 100 million customer records were exposed
  • The cost from cybercrime to global economy is estimated to be $445 billion annually

The Federal Trade Commission, FTC’s “Consumer Sentinel Network Data Book,” reports that the most common fraud complaints received fell into the category of identity theft, imposter scams, and debt collection. 

Apart from the motivation for financial gain, criminals are drawn to identity theft because of the relatively risk-free way it provides to get money, and ease of concealment (of either the crime or true identity of perpetrators). However, identity theft statistics also reveal that criminals are becoming more sophisticated at their craft; specializing more than ever in bypassing cybersecurity system defenses and authentication protocols, and hijacking the mobile phones.

At a time when consumers are reeling from a global economic and health crisis, criminals are likely to see these abnormal times and their vulnerability as an opportunity to intensify their efforts.

The purpose of providing this identity theft statistics is to enable our readers to understand the gravity of identity theft in society and the toll it exacts on its victims, not to let their guards down especially during this pandemic. 

The article’s title denotes that the focus will be on identity theft statistics for 2020. For obvious reasons, the jury is still out on the stats for 2020.  Therefore, as much as possible, we will be citing data for the most recent year of 2019. 

Consequently, most of our year-to-date references start from 2019, unless an earlier date is pertinent in illuminating trends in cybercrime and identity theft.

What Happened in the Previous Year (2019)


Cybercrime and Identity Theft

Security breaches are a leading indicator of identity theft incidents. A rise in data breaches often presages a rise in identity crimes and their collateral impacts. 

There were more reports filed about Identity theft in all its various manifestations in 2019 (20.3% of all reports), than any other type of complaint. 

cybercrime complaints from 2015 to 2018

Source: https://www.iii.org

This was largely because cybercriminals were very active in 2019, perpetuating a lot of high profile data breaches that left victims more vulnerable to identity theft. The worst data breaches recorded that year occurred in July with the Capital One Financial Corp. where 100 million customer records were exposed. 

Not long after, in October, the Adobe Creative Cloud breach occurred which exposed the information of 7­­ million users.

According to research published this year, with more than 270,000 incidences reported, the most common type of identity theft was credit card fraud, and it more than doubled between 2017 to 2019.

Global Trends and Cost to the Economy

The cost of cybercrimes is rising, although there remains conflicting analysis as to their exact cost. The Center for Strategic and International Studies (CSIS)  and McAfee project estimate that the likely cost to the global economy from these crimes is $445 billion annually. To put it in a broader context, they indicated that the possible range of this economic damage is between $375 billion and $575 billion each year.

Cybercrime costs

Source: https://www.visualcapitalist.com

The costs incurred by the businesses and organizations affected by a cyberattack usually involve damage control and incidence response activities in its aftermath. They usually include actions required to investigate, detect, recover, and manage responses to the breach. In addition, cyber breaches often demand after the fact costs of replacing lost customers, reputation data control, and mitigating business interruption.

According to a study conducted in 2019, researchers from the Ponemon Institute and Accenture point out that these costs have grown in successive years. The average cost associated with data breaches worldwide stood at $13 million globally in 2018, which was up 12% from the 2017 figure of $11.7 million. 

The Identity Theft Resource Center’s (ITRC) 2019 End-of-Year Data Breach Report provides a veritable breakdown summary of global threat activity along with insights and trends.

At the end of 2018, there was a ray of sunshine in the number of data breaches reported. For the first time in 5 years, there was a decline in the number of data breaches, although the number of records exposed went up. 

Identity theft and fraud reports 2015-2018

Source: https://www.iii.org

Based on this good news, there was optimism that the number of data breaches might have reached their peak. To test the validity of this assertion, however, it would require the passage of another year to discover if this was a developing trend or just an outlier. 

Unfortunately, the latter was the case. After a year had transpired, it became evident that the previous year’s development was nothing more than a short-lived deviation from the norm. 

From 1,257 breaches in 2018, it returned to its pattern of increasing number of breaches, bumping up to 1,473 in 2019, which represented a year-to-year increase of 17%. However, this was still below the record-setting number of breaches recorded in 2017 that produced 1,632 breaches.

Some 2019 ITRC Key Findings

The ITRC report reveals that in 2019, the following 

  • 34 million – that was the number of records that exposed non-sensitive personally identifiable information (PII) that could potentially be the gateway for additional exposure
  • Capital One bank had a outsized impact in its industry category, with the unenviable distinction of being responsible for exposing a whoping 99% of PII in its industry (over 705.1 million)
  • As a testament to its implementation of robust cybersecurity defenses, the financial sector at 8%, had the fewest number of breaches. However, this was tempered by the fact that it claimed the highest percentage of sensitive PII records at 61%
  • Gaining access through unauthorized access methods accounted for 86% of the sensitive records that were exposed
  • Understandably, the highest number of breaches recorded was from the business sector, accounting for 44% of the total breaches that happened in 2019. However, on a positive note, these breaches only exposed 11% of all sensitive records.
  • The number of attack groups utilizing destructive malware rose by 25%
  • One in ten URLs are malicious
  • Web attacks have increased by 75%
  • Mobile ransomware attacks were up by 33%
  • Supply chain attacks, which target the less-secure elements of a supply network, rose by 78%
  • Microsoft Office files had the dubious distinction of constituting 48% of malicious email attachments, was up 5%
  • Formjacking attacks compromised, on average, about 4,800 websites each month
  • Overall fraud losses were more than $1.9 billion for the year 2019

Below is the ITRC’s breakdown by industry category, the statistics surrounding their breaches recorded in its 2019 Key Findings.

Industry# of breaches% of total breaches# of sensitive records exposed% of sensitive records exposed# of non-sensitive records exposed% of non-sensitive records exposed
Business64443.72%18,824,97511.43%705,106,35299.990%
Medical/Healthcare52535.64%39,378,15723.91%1,8520.000%
Education1137.67%2,252,4391.37%23,1030.003%
Banking/Credit/Financial1087.33%100,621,77061.10%20,0000.003%
Government/Military835.63%3,606,1142.19%22,7470.003%
Totals1,473100%164,683,455100%705,174,054100%

Although it is scant comfort to the victims, at least there is some consolation to be gleaned from the fact that there has yet to be another breach of the scale that occurred when Equifax Inc., the largest U.S. credit bureau, suffered a breach in 2017 that exposed the personal data of 145 million people.

Due to the magnitude and the sensitive nature of the information exposed (social security numbers, home addresses, and so on), the Equifax breach has remained one of the worst breaches on record

Based on the 2019 ITRC report, the most effective method used by criminals to execute data breaches still remains hacking. Hacking as a form of attack embodies intrusion methods such as spreading malware and ransomware, phishing attacks, and skimming.

In 2019, this method resulted in 577 data breaches which ultimately exposed 15.3 million records.

Consumer Sentiment and Identity Theft

The FTC collects reports from consumers concerning issues and problems they experience in the marketplace. These reports are stored in a secure online database known as the Consumer Sentinel Network.

In 2019, the Consumer Sentinel Network Data Book (Sentinel Data Book) collected over 3.2 million reports, which was an increase over the previous year (2018). 

Category20192018
Identity threat650,572 (20%)444,602 (15%)
Fraud1.7 million (53% of all reports)1.4 million (48% ofallreports)
Other0.9 million (28%)1.1 million (38%)

As is evident from the report, there was a year-to-year increase for identity theft and fraudulent activities.

What Happened This Year (So far)


Notable among the year-to-date breaches include the 654,400 records exposed by the Health Share of Oregon, according to the Insurance Information Institute (III) Facts + Statistics: Identity theft and cybercrime report.

Though the break-in and subsequent theft occurred on November 18, 2019, it wasn’t until January 2, 2020 that the University of Utah Health learned of the heist of a laptop from one of its vendors (Health Share of Oregon). The stolen laptop contained personally identifiable information of U of U Health members such as: names, Medicaid ID numbers, phone numbers, addresses, dates of birth, and social security numbers.

Most-common types-of-identity-fraud

Source: https://mysudo.com

Unfortunately, that was only one of the breaches that the U of U Health fell in recent times. The bona fide first incident that happened this year occurred between January 22 to February 27, and came as a result of unauthorized access to the University of Utah Health’s email account

The second University of Utah Health breach was linked to malware that was discovered on an employee’s computer, suspected of getting there through a phishing attack and thereupon gained access to patient information through the compromised employee’s email.

Following closely on its heels was the Marriott breach, revealed on March 31, that put the records of 5.2 million guests at risk. 

The ITRC blog chronicles known cybercrime and identity theft incidents that have occurred so far this year. The following are a subset of its findings

  • Circa April this year, 160,000 accounts may have been compromised by unauthorized users on video game maker Nintendo.
  • Paay, a credit card processing startup committed the hair-brained oversight of failing to activate a password on a server which led to the accidental overexposure. They acknowledged on April 3 that this left credit card details and transactions exposed for anyone to see. 
  • An unauthorized actor had accessed 23 million usernames and passwords
  • It was discovered on March 25 that the Small Business Administration (SBA) data exposed 7,000 businesses applying for emergency loans.

Cyberattacks are getting bolder and more ambitious

Just like investors diversify their portfolio, Symantec’s 2019 Annual Threat Report: ISTR (Internet Security Threat Report) Volume 24  reveals that cybercriminals are also branching out by varying their range of targets. They’re achieving this by deploying stealthier strategies to perpetuate identity fraud and theft. 

The cybercrime ecosystem has recently evolved to fully embrace an outsourcing business model. Before, a single operator had to juggle all activities required to produce malicious threats. But now, they no longer need to write code, setup command and control centers, or even distribute the malware themselves. 

There now exists a crop of shadowy underground crime groups to take care of this supply chain; for the right price anyone can purchase the requisite hacking tools and services, often sold as packaged utilities, to carry out their attacks.

However, there were encouraging trends and data which shows businesses and institutions are getting more sophisticated in hardening their systems and thwarting cyberattacks:

  • There was a 52% drop in crypotojacking events in the past year (however, this might be tempered by the fact that the value of cryptocurrencies cratered by 90% during that period)
  • 4X more crypotojacking events were blocked in 2018 compared to 2017
  • Although enterprise ransomware was up by 12%, overall ransomeware across the board declined by 20%
  • Though formjacking attacks were the new kids-on-the-block, 3.7 million formjacking attacks were still blocked on endpoints.

Cybercrimes are typically an inherent low-risk, high-reward business. However, other forms of threats that provide disproportionate rewards were on the upward trend in 2018, such as formjacking. 

Formjacking involves injecting malicious JavaScript into payment forms for the purpose of stealing credit card and personal information when unsuspecting consumers are checking out on eCommerce sites.  In non-technical parlance, infected web servers are used to skim off people’s payment information.

credit-card-fraud-2019

Source: https://fox26medford.com/

Data from Symantec show that in 2018, 4,818 unique websites were targeted and compromised with formjacking code – every month.

Sophisticated Fraud Schemes Seeking New Targets

Identity theft almost always leads to card fraud, as criminals seek to monetize the personal and financial information stolen by counterfeiting and skimming cards.

The 2019 Javelin Strategy & Research Study on Identity Fraud revealed that after three consecutive years of increases in fraud rates,  the fraud incident rate dropped significantly. The result of this collapse was that 2 million less victims were affected by criminal activity.

Primarily due to the adoption of chip-based cards, current card fraud losses decreased from $8.1 billion to $6.4 billion and the incidence of these attacks fell from 5.47% to 4.40%. Following a similar trend, fraud and incidence losses declined from 6.64% to 5.66%. 

Although levels still remained much higher compared to previous years, losses emanating from checking and savings account takeover fraud declined year-over-year from $5.1 billion to $4.0 billion, which represented a 1.58% to 1.43% decrease. 

However, not everything was unicorn and roses.

“While the decrease in card fraud rates is undoubtedly good news for victims, fraudsters have  turned their attention to opening and taking over accounts,” noted Al Pascual, Javelin’s Strategy & Research Senior Vice President, Research Director and Head of Fraud & Security. 

As a result, high-impact fraud types such as misuse of non-card accounts, account takeover,  and new account fraud had staged a comeback, thereby casting a pale over the progress that had been made fighting to combat card fraud and identity theft. 

The report reveals that combined efforts of parties to the payment system process – financial institutions, card networks, merchants – have gone a long way to mitigate threats from certain fraud types. A case in point being the shift from magnetic stripe cards to EMV (embedded chip) cards; this along with other anti-fraud measures, have gone a long way to curtail card fraud – which used to be the bread and butter meal ticket of fraudsters.

The embedded chips put a kibosh on the business plans of counterfeit card fraud rings. As a result, the previous year recorded  14.4 million of fraud victims, a significant decrease from 16.7 million the preceding it.

Unfortunately, the results from Javelin’s 2020 Identity Fraud Survey will serve as a rude awakening to the payment industry, financial institutions, and businesses to reconsider how they currently manage identity fraud. The report underscores that while it is good to celebrate the decline in fraud victims and accompanying dollar loss, an in-depth evaluation reveals that criminals are targeting fewer victims but inflicting damage that is more difficult to prevent.

Since financial institutions and other primary criminal targets have been developing more sophisticated defenses, fraudsters have responded to the hardening of familiar targets by retooling well-honed schemes at new organizations. These organizations generally lack the experience of their battle-hardened counterparts in fighting fraud.

This lack of experience manifests in these new targets by being devoid of the tools, tactics, and personnel to comprehensively fight fraud. 

A Rocky Road Ahead for Healthcare Security

“Healthcare cybersecurity is in critical condition,” warns Josh Corman, HHS Cybersecurity Task Force member and Atlantic Council Director of the Cyber Statecraft Initiative. 

individualsa ffected in healthcare data breaches

Source: https://www.hipaajournal.com

According to the ITRC report, the medical and health sector ranked second (only after the business and financial sector) on the totem pole of the highest number of breaches in 2019, with 525, exposing 39.4 million sensitive records.

Healthcare systems generally lag other sectors in reducing their exposure to cyber threats and safeguarding their systems against identity theft, but security professionals are only beginning to discover how dire the situation has become. The medical data of millions of people are at risk of being exposed for the simple fact that they are being stored on hundreds of insecure servers worldwide

ProPublica identified 187 such servers and determined that anyone with a web browser and rudimentary lines of computer code can easily gain access. According to the report, as much as 5 million medical records of US patients are unprotected on the Internet, including many more around the whole. 

Unlike most security breaches we hear in the news where hackers circumvented an organization’s seemingly impregnable cyber defenses, most of the servers on which these medical records reside have unprotected passwords and lack basic security precautions. 

healthcare data breaches over 500 records

Source: https://www.hipaajournal.com

“It’s not even hacking. It’s walking into an open door,” said Jackie Singh, a cybersecurity researcher and chief executive of the consulting firm Spyglass Security. For instance, a simple garden-variety database query was all it took to retrieve the dates of birth, Medicare numbers, doctors and procedures of over a million patients from the servers of MobilexUSA. 

These lax systems are a boon to cybercrime and identity theft. 

Conclusion


Identity theft is becoming an intractable 21st Century problem. Our data has migrated from office siloes and relics of the past like physical paper, unto interconnected servers on the Internet.

This has increased our vulnerability to criminals stealing financial and personally identifiable information to perpetuate identity theft. The statistics presented in this article show the magnitude and seriousness of the problem.

When businesses don’t give privacy the importance it deserves, it elevates the risk of exposure of unwanted personal information. This information is invariably used to commit identity theft. 

When consumers aren’t discerning and careful enough to whom they divulge their information, they leave themselves at risk.

We all have a role to play in ensuring that we don’t fall victim to the scourge of identity theft.