Facts + Statistics: Identity theft and cybercrime

The scope of identity theft

According to 2018 Identity Fraud: Fraud Enters a New Era of Complexity from Javelin Strategy & Research, in 2017, there were 16.7 million victims of identity fraud, a record high that followed a previous record the year before. Criminals are engaging in complex identity fraud schemes that are leaving record numbers of victims in their wake. The amount stolen hit $16.8 billion last year as 30 percent of U.S. consumers were notified exposure to a data breach last year, an increase of 12 percent from 2016. For the first time, more Social Security numbers were exposed than credit card numbers.

Following the introduction of microchip equipped credit cards in 2015 in the United States, which make the cards difficult to counterfeit, criminals focused on new account fraud. New account fraud occurs when a thief opens a credit card or other financial account using a victim’s name and other stolen personal information. According to the Javelin study, account takeovers tripled in 2017 from 2016, and losses totaled $5.1 billion.

Identity theft and fraud complaints

The Consumer Sentinel Network, maintained by the Federal Trade Commission (FTC), tracks consumer fraud and identity theft complaints that have been filed with federal, state and local law enforcement agencies and private organizations. Of the 3 million identity theft and fraud reports received in 2018, 1.4 million were fraud-related, and 25 percent of those cases reported money was lost. In 2018, consumers reported losing about $1.48 billion related to fraud complaints, an increase of $406 million from 2017. The median amount consumers paid in these cases was $375. Within the fraud category, imposter scams were the most reported and ranked first among the top 10 fraud categories identified by the FTC. They accounted for $488 million in losses. In 2018, 15 percent of all complaints were related to identity theft. Identity theft complaints were the third most reported to the FTC. Identity theft claims fell from 2015 to 2018 by 9.3 percent, but began to increase again in 2018 and were up 19.8 percent from 2017 to 2018.

Identity Theft And Fraud Reports, 2015-2018 (1)

 

id_theft_and_fraud_complaints_2015-2018.gif

(1) Percentages are based on the total number of Consumer Sentinel Network reports by calendar year. These figures exclude "Do Not Call" registry complaints.

Source: Federal Trade Commission, Consumer Sentinel Network.

View Archived Graphs

See also the Identity Theft section of our Web site Click Here

Cybercrime

As businesses increasingly depend on electronic data and computer networks to conduct their daily operations, growing pools of personal and financial information are being transferred and stored online. This can leave individuals exposed to privacy violations, and financial institutions and other businesses exposed to potentially enormous liability, if and when a data security breach occurs.

Interest in cyber insurance and cyberrisk continues to grow as a result of high-profile data breaches and awareness of the almost endless range of exposures businesses face. Through November in 2018, 500 million records were exposed in November from Marriott International; 340 million records were exposed in June from Exactis, a marketing firm; 150 million were exposed at Under Armour; 92 million at MyHeritage, a genealogy firm; and 87 million records at Facebook. In 2017 the largest U.S. credit bureau, Equifax, suffered a breach that exposed the personal data of 145 million people, including Social Security numbers. It was among the worst breaches on record because of the amount of sensitive information stolen.

Cyberattacks and breaches have grown in frequency, and losses are on the rise. Breaches again hit a new record in 2017, with 1,632 breaches tracked, according to the Identity Theft Resource Center (IRTC). The number of records exposed in 2017 rose to about 198 million. In 2018, the number of breaches fell 23 percent from 2017 to 1,244 breaches, but the number of records exposed that contained sensitive personally identifiable information more than doubled to 447 million, a 126 percent increase. Because only half the total number of breaches reported by the IRTC included the number of records exposed, the actual total number of exposed records likely exceeds the reported number substantially. The business sector suffered the most breaches by industry in 2018, with 571 breaches or 46 percent of the total number of breaches. Medical/healthcare organizations were affected by 363 breaches or 29 percent of total breaches. The banking/credit/financial sector ranked third as it suffered 135 breaches (11 percent of all breaches). These figures do not include the many attacks that go unreported and undetected. Despite conflicting analyses, the costs associated with these losses are increasing. McAfee and the Center for Strategic and International Studies (CSIS) estimated the likely annual cost to the global economy from cybercrime is $445 billion a year, with a range of between $375 billion and $575 billion.

In 2018, the ITRC reported that hacking was the most used method of breaching data, with 482 data breaches resulting in almost 17 million records exposed. Unauthorized access ranked second with 377 data breaches affecting the highest number of records exposed by data breach type—404 million. Accidental exposure had the third highest number of breaches, 114, with 22 million records exposed.

In 2019 through early May the ITRC tracked 437 breaches that exposed about 11.6 million records. The business category continues to be the most affected sector, with 195 breaches, or 45 percent of all breaches detected through early May. The business sector breaches affected 3 million records. The medical and healthcare sector suffered 158 breaches, or 36 percent of all breaches, which affected 4.6 million records. Unauthorized access and hacking were the leading methods of breaching data in April 2019, accounting for 77 percent and 15 percent, respectively, of total breaches reported by the ITRC in April.

Cyber insurance evolved as a product in the United States in the mid- to late-1990s as insurers have had to expand coverage for a risk that is rapidly shifting in scope and nature. According to the National Association of Insurance Commissioners, 140 U.S. insurers reported writing some cyber insurance premiums in 2016, based on the Cybersecurity and Identity Theft Coverage Supplement for insurer financial statements. Direct premiums written totaled $1.86 billion in 2017, at companies that can report premiums for stand-alone and coverage provided as part of a package policies.

According to the Insurance Information Institute’s 2017 report, Protecting against #cyberfail: Small business and cyber insurance, insurers foresee substantial growth coming from the small business segment, as these companies become aware of the possibilities of liability, especially due to a breach and the resulting response costs arising out of the possession of private data. According to the Insurance Information Institute (I.I.I.) and J.D. Power 2018 Small Business Cyber Insurance and Security Spotlight Survey^SM, 10 percent of small businesses surveyed suffered one or more cyber incidents in the prior year, and the average cost of cyber-related losses over the past year was $188,400. Only about one-third of firms surveyed had cyber insurance, nearly 60 percent of respondents said their company is very concerned about cyber incidents–and 70 percent think that the risk of being victimized by a cyberattack is growing at an alarming rate. Insurers can reach these potential small business customers through education, training and risk assessment services regarding cybersecurity.

Number Of Data Breaches And Records Exposed, 2008-2017 (1)

num_of_data_breaches_and_rec_exp_08-17.gif

(1) As of January 22, 2018.

Source: Identity Theft Resource Center.

View Archived Graphs

The Internet Crime Complaint Center (IC3), a joint project of the Federal Bureau of Investigation, the National White Collar Crime Center and the Bureau of Justice Assistance monitors Internet-related criminal complaints. In 2018 the IC3 received and processed 351,937 complaints, a 17 percent increase from 2017. Losses soared to $2.7 billion in 2018, almost double losses reported in 2017 that totaled $1.4 billion. In terms of dollar losses, business email compromise and email account compromise complaints were the most reported scams, with about $1.3 billion in losses, close to half of all losses. This type of scam targets both businesses and individuals who perform wire transfers. Criminals hack email accounts and attempt unauthorized fund transfers. About 20,000 people were victims of email account scams. Personal data breaches resulted in $149 million in losses and identity theft caused $100 million in losses. About 51,000 people were victims of personal data breaches and 16,000 were victims of identity theft scams.

Almost one out of four victims (24.1 percent) was over the age of 60. Close to half of all victims were under the age of 50, and they accounted for 57 percent of all losses in 2018.

Cybercrime Complaints, 2014-2018 (1)

 

cyb_crime_comp_14-18.gif

(1) Based on complaints submitted to the Internet Crime Complaint Center.

Source: Internet Crime Complaint Center.

View Archived Graphs

Additional resources

Federal Trade Commission

Internet Crime Complaint Center