Facts + Statistics: Identity theft and cybercrime

The scope of identity theft

Identity theft continues to pose challenges for consumers as criminals develop new mechanisms to commit fraud. According to the 2019 Identity Fraud Study from Javelin Strategy & Research, the number of consumers who were victims of identity fraud fell to 14.4 million in 2018, down from a record high of 16.7 million in 2017. However, identity fraud victims in 2018 bore a heavier financial burden: 3.3 million people were responsible for some of the liability of the fraud committed against them, nearly three times as many as in 2016. Moreover, these victims’ out-of-pocket fraud costs more than doubled from 2016 to 2018 to $1.7 billion. New account fraud losses also rose slightly, with criminals beginning to focus their attention on different financial accounts, such as loyalty and rewards programs and retirement accounts. Additionally, criminals are becoming adept at foiling authentication processes, particularly mobile phone account takeovers. These takeovers nearly doubled to 680,000 victims in 2018, compared with 380,000 in 2017. The study does note that the shift to embedded chip cards is helping to contain existing card fraud, which showed the steepest decline of any fraud type in 2018, with losses at $14.7 billion in 2018, down from $16.8 billion in 2017.

Identity theft and fraud complaints

The Consumer Sentinel Network, maintained by the Federal Trade Commission (FTC), tracks consumer fraud and identity theft complaints that have been filed with federal, state and local law enforcement agencies and private organizations. Of the 3 million identity theft and fraud reports received in 2018, 1.4 million were fraud-related, and 25 percent of those cases reported money was lost. In 2018, consumers reported losing about $1.48 billion related to fraud complaints, an increase of $406 million from 2017. The median amount consumers paid in these cases was $375. Within the fraud category, imposter scams were the most reported and ranked first among the top 10 fraud categories identified by the FTC. They accounted for $488 million in losses. In 2018, 15 percent of all complaints were related to identity theft. Identity theft complaints were the third most reported to the FTC. Identity theft claims fell from 2015 to 2018 by 9.3 percent, but began to increase again in 2018 and were up 19.8 percent from 2017 to 2018.

Identity Theft And Fraud Reports, 2015-2018 (1)

 

(1) Percentages are based on the total number of Consumer Sentinel Network reports by calendar year. These figures exclude "Do Not Call" registry complaints.

Source: Federal Trade Commission, Consumer Sentinel Network.

View Archived Graphs

Top Five Types of Identity Theft, 2018 (1)

 

Type of identity theft Number of reports Percent of total top five
Credit card fraud—new accounts 130,928 40.5%
Miscellaneous identity theft (2) 87,765 27.1
Tax fraud 38,967 12.0
Mobile telephone—new accounts 33,466 10.3
Credit card fraud—existing accounts 32,329 10.0
Total, top five 323,455 100.0%

(1) Consumers can report multiple types of identity theft. In 2018, 17 percent of identity theft reports included more than one type of identity theft.
(2) Includes online shopping and payment account fraud, email and social media fraud, and medical services, insurance and securities account fraud, and other identity theft.

Source: Federal Trade Commission, Consumer Sentinel Network.

View Archived Tables

Identity Theft By State, 2018 (1)

 

State Complaints per
100,000 population (2)
Number of
complaints
Rank (3) State Complaints per
100,000 population (2)
Number of
complaints
Rank (3)
Alabama 108 5,241 19 Montana 76 799 35
Alaska 69 507 41 Nebraska 67 1,281 42
Arizona 126 8,853 11 Nevada 194 5,816 2
Arkansas 73 2,197 38 New Hampshire 117 1,565 15
California 186 73,668 3 New Jersey 125 11,273 13
Colorado 110 6,151 18 New Mexico 96 2,000 27
Connecticut 108 3,864 19 New York 122 24,248 14
Delaware 158 1,517 7 North Carolina 112 11,481 16
D.C. 167 1,156 5 North Dakota 63 474 44
Florida 180 37,797 4 Ohio 88 10,268 31
Georgia 229 23,871 1 Oklahoma 79 3,109 34
Hawaii 72 1,021 40 Oregon 101 4,179 22
Idaho 80 1,368 33 Pennsylvania 107 13,725 21
Illinois 127 16,296 10 Puerto Rico 51 1,710 51
Indiana 74 4,918 36 Rhode Island 93 990 29
Iowa 53 1,654 50 South Carolina 126 6,339 11
Kansas 74 2,142 36 South Dakota 56 486 48
Kentucky 57 2,522 47 Tennessee 101 6,808 22
Louisiana 111 5,202 17 Texas 159 45,030 6
Maine 56 744 48 Utah 94 2,915 28
Maryland 145 8,747 8 Vermont 51 316 51
Massachusetts 93 6,387 29 Virginia 97 8,196 25
Michigan 140 13,952 9 Washington 100 7,380 24
Minnesota 73 4,070 38 West Virginia 58 1,051 45
Mississippi 97 2,894 25 Wisconsin 64 3,731 43
Missouri 85 5,222 32 Wyoming 58 338 45

(1) Includes the District of Columbia and Puerto Rico.
(2) Population figures are based on the 2018 U.S. Census population estimates.
(3) Ranked by complaints per 100,000 population. States with the same number of complaints per 100,000 population receive the same rank.

Source: Federal Trade Commission, Consumer Sentinel Network.

View Archived Tables

See also the Identity Theft section of our Web site Click Here

Top 10 Writers Of Identity Theft Insurance By Direct Premiums Written, 2018 (1)

($000)

Rank Group/company Direct premiums written (2) As a percent of total
1 State Farm Mutual Automobile Insurance $30,507 13.5%
2 Travelers Companies Inc. 24,636 10.9
3 Liberty Mutual 11,278 5.0
4 Allstate Corp. 10,761 4.8
5 Farmers Insurance Group 9,291 4.1
6 Erie Insurance Group 8,926 4.0
7 American International Group (AIG) 5,793 2.6
8 Auto-Owners Insurance Co. 3,697 1.6
9 Munich Re 2,927 1.3
10 Markel 2,849 1.3
  Total, top 10 $110,666 49.0%
  Total (3) $225,922 100.0%

(1) Includes stand-alone policies and the identity theft portion of package policies. Does not include premiums from companies that cannot report premiums for identity theft coverage provided as part of package policies.
(2) Before reinsurance transactions.
(3) Includes only companies that can report premiums for stand-alone identity theft coverage and coverage provided as part of package policies.

Source: NAIC data, sourced from S&P Global Market Intelligence, Insurance Information Institute.

View Archived Tables

Cybercrime

As businesses increasingly depend on electronic data and computer networks to conduct their daily operations, growing pools of personal and financial information are being transferred and stored online. This can leave individuals exposed to privacy violations, and financial institutions and other businesses exposed to potentially enormous liability, if and when a data security breach occurs.

Interest in cyber insurance and cyberrisk continues to grow as a result of high-profile data breaches and awareness of the almost endless range of exposures businesses face. In 2018, 500 million records were exposed in November from Marriott International; 340 million records were exposed in June from Exactis, a marketing firm; 150 million were exposed at Under Armour; 92 million at MyHeritage, a genealogy firm; and 87 million records at Facebook. In 2017 the largest U.S. credit bureau, Equifax, suffered a breach that exposed the personal data of 145 million people, including Social Security numbers. It was among the worst breaches on record because of the amount of sensitive information stolen.

In 2018, the number of breaches reported fell from 2017, but the amount of records containing personally identifiable information soared. Breaches had reached a new record in 2017, with 1,632 breaches tracked, according to the Identity Theft Resource Center (IRTC), and the number of records exposed in 2017 rose to about 198 million. In 2018, the number of breaches fell 23 percent from 2017 to 1,244 breaches, but the number of records exposed that contained sensitive information more than doubled to 447 million, a 126 percent increase. Because only half the total number of breaches reported by the IRTC included the number of records exposed, the actual total number of exposed records likely exceeds the reported number substantially. The business sector suffered the most breaches by industry in 2018, with 571 breaches or 46 percent of the total number of breaches. Medical/healthcare organizations were affected by 363 breaches or 29 percent of total breaches. The banking/credit/financial sector ranked third as it suffered 135 breaches (11 percent of all breaches). These figures do not include the many attacks that go unreported and undetected.

Despite conflicting analyses, the costs associated with these losses are increasing. McAfee and the Center for Strategic and International Studies (CSIS) estimated the likely annual cost to the global economy from cybercrime is $445 billion a year, with a range of between $375 billion and $575 billion. The average cost of data breach globally was $13.0 million in 2018, up 12 percent from $11.7 million in 2017, according to a 2019 study from the Ponemon Institute and Accenture. Researchers polled 355 organizations located in 11 countries to determine what costs they faced after a cyberattack, such as the costs to detect, recover, investigate and manage the incident response. They also included the cost of activities that occur after the fact and efforts to reduce business interruption and loss of customers. In the United States, the average annual cost of cybercrime rose 29 percent in 2018, to $27.4 million, compared with $21.2 million in 2017. Globally, the banking industry had the highest average annual cost in 2018—$18.4  million—up from $16.7 million in 2017, followed by utilities and software companies. By type of attack, malware incidents had the highest cost, at $2.6 million followed closely by web-based attacks at $2.3 million.

In 2018, the ITRC reported that hacking was the most used method of breaching data, with 482 data breaches resulting in almost 17 million records exposed. Unauthorized access ranked second with 377 data breaches affecting the highest number of records exposed by data breach type—404 million. Accidental exposure had the third highest number of breaches, 114, with 22 million records exposed.

In 2019 through October 10 the ITRC tracked 1,152 breaches that exposed about 160 million records. The total includes the Capital One breach of July 29, 2019 that exposed 100 million records. The banking, credit and financial category was the most affected sector by number of records exposed, with 100.4 million records, or 62 percent of all records exposed so far in 2019. This sector had 71 breaches, or 6.2 percent of all breaches detected. The medical and healthcare sector had about 38 million records exposed to date, or 23 percent of all records exposed in 404 breaches that accounted for 35 percent of all breaches.

Cyber insurance evolved as a product in the United States in the mid- to late-1990s as insurers have had to expand coverage for a risk that is rapidly shifting in scope and nature. In 2018, 545 insurers reported writing cyber insurance, up from 505 in 2017, according to NAIC data sourced from S&P Global Market Intelligence.  Direct premiums written totaled $2.0 billion in 2018, at companies that can report premiums for stand-alone and coverage provided as part of a package policies, up from $1.86 billion in 2017.

According to the Insurance Information Institute (I.I.I.) and J.D. Power 2019 Small Business Cyber Insurance and Security Spotlight SurveySM, 12 percent of businesses surveyed suffered one or more cyber incidents in the prior year, up from 10 percent in 2018. Nearly 71 percent said they are “very concerned” about cyber incidents, up from 58 percent in 2018, and 75 percent said they believe the risk of being victimized by a cyberattack is growing at an alarming rate–up from 70 percent in 2018. Among the 44 percent of respondents who said they do not currently have cyber insurance and the 21 percent who said they do not know whether they do, 64 percent said they do not plan to purchase a cyber insurance policy in the next 12 months. While this is down from 70 percent in 2018 and given small companies’ growing awareness and concerns about cyberrisk, insurers and agents and brokers might be able to increase their overall support of this market by addressing the issues of affordability and coverage limitations that seem to be an obstacle to purchasing.

Number Of Data Breaches And Records Exposed, 2009-2018 (1)

 

(1) As of January 7, 2019.

Source: Identity Theft Resource Center, 2018 End of Year Data Breach Report.

View Archived Graphs

The Internet Crime Complaint Center (IC3), a joint project of the Federal Bureau of Investigation, the National White Collar Crime Center and the Bureau of Justice Assistance monitors Internet-related criminal complaints. In 2018 the IC3 received and processed 351,937 complaints, a 17 percent increase from 2017. Losses soared to $2.7 billion in 2018, almost double losses reported in 2017 that totaled $1.4 billion. In terms of dollar losses, business email compromise and email account compromise complaints were the most reported scams, with about $1.3 billion in losses, close to half of all losses. This type of scam targets both businesses and individuals who perform wire transfers. Criminals hack email accounts and attempt unauthorized fund transfers. About 20,000 people were victims of email account scams. Personal data breaches resulted in $149 million in losses and identity theft caused $100 million in losses. About 51,000 people were victims of personal data breaches and 16,000 were victims of identity theft scams.

Almost one out of four victims (24.1 percent) was over the age of 60. Close to half of all victims were under the age of 50, and they accounted for 57 percent of all losses in 2018.

Cybercrime Complaints, 2014-2018 (1)

 

(1) Based on complaints submitted to the Internet Crime Complaint Center.

Source: Internet Crime Complaint Center.

View Archived Graphs

Top 10 States By Number Cybercrime Victims, 2018 (1)

 

Rank State Number
1 California 49,031
2 Texas 25,589
3 Florida 23,984
4 New York 18,124
5 Virginia 14,800
6 Washington 10,775
7 Pennsylvania 10,554
8 Illinois 10,087
9 Colorado 9,328
10 Georgia 9,095

(1) Based on the total number of complaints submitted to the Internet Crime Complaint Center via its website from each state and the District of Columbia where the complainant provided state information.

Source: Internet Crime Complaint Center.

View Archived Tables

Top 10 Writers Of Cybersecurity Insurance By Direct Premiums Written, 2018 (1)

($000)

Rank Group/company Direct premiums written (2) As a percent of total
1 Chubb Ltd. $325,800 16.2%
2 AXA 255,875 12.7
3 American International Group (AIG) 232,574 11.6
4 Travelers Companies Inc. 146,231 7.3
5 Beazley Insurance Co. 110,948 5.5
6 CNA Financial Corp. 83,357 4.2
7 AXIS 76,001 3.8
8 BCS Financial Corp. 69,505 3.5
9 Liberty Mutual 66,495 3.3
10 Zurich Insurance Group 46,112 2.3
  Total, top 10 $1,412,897 70.4%
  Total (3) $2,008,086 100.0%

(1) Includes stand-alone policies and the cybersecurity portion of package policies. Does not include premiums from companies that cannot report premiums for cybersecurity coverage provided as part of package policies.
(2) Before reinsurance transactions.
(3) Includes only companies that can report premiums for stand-alone cybersecurity coverage and coverage provided as part of package policies.

Source: NAIC data, sourced from S&P Global Market Intelligence, Insurance Information Institute.

View Archived Tables

Additional resources

Federal Trade Commission

Internet Crime Complaint Center

Back to top