An IBM security expert explains why, and how he was an ID theft victim himself.
Even a computer security expert can have his identity stolen.
That’s what happened to John Kuhn, a senior threat researcher at IBM Security Services, when he got an X-ray at a local hospital. He says the hospital’s security was compromised and his medical records stolen — resulting in a “$20,000 or $30,000 surgery” being done to someone else in his name. He had to drive down to the hospital to prove it wasn’t him.
“It happens to the best of us,” he says.
Of course, it happens to millions of other people, too. Individual data breaches last year fell overall, according to an IBM study, but the strength of those cyber attacks has increased significantly. In other words, it’s not just credit card numbers that the thieves are after anymore.
“The hacks are growing more sophisticated and more targeted,” Kuhn says. “Instead of trying to attack a broad spectrum of retailers, they’re narrowing their amount of attacks — but increasing their potency. They’re looking for an easy target with huge financial gain.”
Medical records are the new target
In his experience of monitoring criminals, Kuhn says he’s discovered one consistent factor: They’re lazy.
“They don’t want to work hard for it,” he says. “They want to be able to walk in and walk out with a large heist.”
This tendency propels them toward big targets like retail chain stores, which have huge databases and a lot of room for human error — because the more employees a company has, the more likely one of them got sloppy with security.
Employees need to be equipped to deal with hackers looking for “a little chink in the armor,” Kuhn says. Often, employees represent the softest spot to attack.
Interestingly, Black Friday and Cyber Monday were actually down last year from 2013. Kuhn attributes this to hackers ignoring retail point-of-sale systems and bagging more valuable records elsewhere, like at a hospital.
The FBI says a set of stolen medical records is worth about $50 on the black market, while a stolen credit card number is worth $1 to $5. So Kuhn thinks that hospitals are the next big target.
“If I can dump a million records at $50 a record, that’s quite a haul for a criminal,” he said. “The upcoming danger truly is medical record information.”
The real cost of data breaches
According to another IBM study, the average cost that a company incurs for a data breach is $5.9 million, up from $5.4 million a year ago. The cost per stolen record rose from $188 to $201.
And there’s a higher cost that comes later: A record 15 percent of consumers terminated their relationship with a company due to distrust in 2014.
IBM predicts a “material data theft of 10,000 records” has a 19 percent probability of happening at any decent-sized company over the next two years.
“The threat is there, and it’s only a matter of time before it happens.”
While IBM is urging these companies to spend more time and money on security, what can you do? Read Debt.com’s free advice on How to Prevent Identity Theft.