Integrating Fraud Into Data Breach Prevention

Michael Bruemmer


June 1, 2016


It is no secret that data breaches and other security incidents are quickly becoming one of the most significant risks on the minds of executives. The good news is that more companies are developing breach response plans to effectively manage the often costly process of responding to an incident, and to mitigate the damage to reputation and loss of customers.

Yet many of these plans fail to account for fraud management and protection. The risk of fraud continues to rise, with more than 13 million people falling victim to some form of fraud in the past year alone, much of which can be linked to data breaches. According to the Ponemon Institute’s Consumer Study on Aftermath of a Mega Data Breach, 25% of consumers stated they had fraudulent charges on their credit card as a result of a data breach. It is essential for companies to understand how fraud and data breaches are linked in order to effectively mitigate both risks.

The Fraud and Data Breach Link

First and foremost, the motivation behind most breaches is to steal information that can then be used for financial gain. Cybercriminals can use the stolen data to make fraudulent transactions at the breached company, drain bank accounts or commit identity theft. When this happens, companies can face significant reputational backlash and, as a result, increased risk of class action lawsuits.

Even when a breach involves information that seems on its surface to be unlikely to lead to an increase in fraud, attackers find new ways to monetize their efforts. For example, email addresses alone could provide attackers with the information needed to launch spear phishing attacks that trick customers into revealing more sensitive information like banking records or passwords. There is also the problem of synthetic identity theft, where attackers use data from multiple sources to piece together enough information to commit identity theft.

There are also less obvious ways that fraud and data breaches are linked. An increase in fraud can often serve as the canary in the coal mine for a security incident. If an organization is experiencing a significant uptick in fraud or even just seeing suspicious patterns of account activity, this could be a sign that the company has suffered a security incident that has gone undetected. If the fraud and security departments at a company are not well aligned, it is possible that this valuable intelligence will be delayed in getting to the right people, which would subsequently hamper the response process.

Breaches at other companies can also lead to increased fraud at organizations. This is mainly due to rampant reuse of the same usernames and passwords across multiple websites. Attackers regularly take advantage of this and will try to use stolen credentials from one breach on other sites across the web. While an organization may not be responsible for a breach, it may still suffer the consequences and need to take action, especially as customers will ultimately take out their frustration on the company where they see the fraud occur.

Aligning Fraud and Security

The most important thing companies can do to proactively manage these risks is effectively integrate their fraud and security departments, ensuring that the teams develop strong working relationships ahead of a security incident. In many cases, this means appointing someone from the fraud team as a key part of the security incident response team. They should have responsibility for adjusting fraud protection strategies during the breach, as well as reporting any increase in fraudulent activity while the company investigates the incident. Ultimately, these processes should be incorporated into a formal written incident response plan.

Further, because fraud is likely to increase after a breach, companies should consider what needs to be enhanced in order to better protect themselves during an attack. In particular, they should focus on two lines of defense: data protection and fraud prevention.

Data protection is vital because stolen data has the potential to create long-term headaches for the organization and affected individuals. Stolen payment cards can be deactivated and new ones issued, but the theft of identity information is not easily corrected. Social Security numbers, birth dates, names and addresses cannot simply be reissued. Furthermore, the data likely includes information on dependent minors, who are prime targets for identity thieves because their credit is often unmonitored.

When identity data is compromised, a huge burden is placed on the second line of defense—fraud prevention. Organizations must continually evolve their fraud prevention controls and skills, and minimize the damage caused by stolen identity data.

Implementing Fraud Technology

Ahead of an incident, applying a comprehensive, data-driven approach to fraud prevention is a must. One step that companies can take to reduce fraud, especially after a breach, is improving consumer authentication to make sure individuals are who they say they are. Fraud departments should consider investing in tools and technologies capable of providing:

  • Layered authentication strategy

  • Device intelligence and risk assessment

  • Credit and noncredit data and risk attributes

  • Multifactor authentication, using one-time passcodes via text messaging

  • Identity risk scores

  • Dynamic knowledge-based authentication questions

  • Traditional personally identifiable information (PII) validation and verification

  • Biometrics and remote document verification

  • Out-of-band alerts, communications and confirmations

  • Contextual account, transaction and channel purview

Both fraud and data breaches are a growing concern, and if either is mismanaged, the outcome will have long-lasting effects on an organization. Following any type of attack, companies need to shore up their fraud technologies to ensure they are fully prepared to protect themselves and their compromised data.

Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group.