Everyone knows data breaches are expensive and affect a lot of people, but just how much is startling. In a new analysis, Javelin Strategy & Research estimates credit and debit card issuers spent $252.7 million in 2009 replacing more than 70 million cards compromised by data breaches.
Analyst Robert Vamosi made that estimate based on two recent Javelin surveys of consumers affected by data breaches and identity fraud, and a range of card-replacement costs reported by various sources in the wake of data breaches. Pleasanton, Calif.-based Javelin last November took a random sample of 3,294 online consumers and in September surveyed 5,000 U.S. adults, including 703 identity-fraud victims.
Vamosi settled on what he calls a conservative $3.50 per-card replacement cost for an estimated 39 million debit cards and 33.3 million credit cards reissued last year for a total of 72.2 million. About 20% of the affected consumers said they had more than one card replaced.
Javelin says 26% of U.S. consumers had received a data-breach notification last year from a company or agency holding their personal data, including credit and debit card or checking-account information. Of those notified, 11.5% were victims of identity fraud compared with only 2.4% who weren’t notified. In other words, a consumer notified that his data were compromised is nearly five times more likely to become a victim of ID fraud than a person who doesn’t get such a notice. Vamosi says Javelin’s latest findings are consistent with a pattern in recent years of consumers notified that they were victims of a data breach also becoming victims of actual fraud.
Data breaches are one obvious pathway to fraud, but a breach alone doesn’t mean an affected consumer will become an identity-fraud victim. Banks often give free credit-report monitoring services to customers whose data may have been compromised, but consumers often fail to use such services, which could spot fraud early, or forget about a notification. “There’s a disconnect,” Vamosi tells Digital Transactions News. Consumers, he says, “should pay attention to your credit reports after you’re notified, because you’re more vulnerable.”
How consumers react when their payment cards are reissued in the wake of a data breach in some ways is a bit surprising. Asked about their use of a card after it had been reissued for security reasons, 55% of credit card holders and 54% of debit card holders said reissuance had no impact on their usage. “That may be a factor of zero liability,” Vamosi says, referring to payment card network and many banks’ policies of sparing cardholders from any losses after fraudulent use of their cards. “The impact on the consumer was lessened.”
That still leaves nearly 40% of cardholders who did reduce usage of their reissued card—bad news for their issuers who get less interchange and interest income. Among debit card holders, 7% said they no longer used the card, 13% said they used it much less than before, and 17% said they used it somewhat less. For credit card holders, the comparable figures were 10%, 14%, and 16%, respectively. A small minority—9% of debit card holders and 6% of credit card holders—reported using a reissued card somewhat or much more than the old card.
The number of breached records with personally identifiable information, such as bank account numbers, credit or debit card numbers, personal identification numbers, Social Security numbers, health records, and other data, varies widely from year to year. The 2009 roster includes the one reported that January by merchant processor Heartland Payment Systems Inc., which according to the U.S. attorney in New Jersey compromised 130 million credit and debit cards. In all, 2009 saw 222.5 million records breached, according to figures Javelin cited from the San Diego-based Identity Theft Resource Center.