A New Age in Corporate Accountability for Data Breaches

Why corporations owe it to you and society as a whole to stop data breaches and fraud

There isn’t an industry safe from data breaches. From banks and credit organizations to hotel and restaurant chains, academic institutions and more, hundreds of millions of individuals have had their personal information stolen – all via the companies with whom they do business.

And although the case for why companies should protect consumer data is clear—companies lose less money and consumer information is safe from predators—what’s not often addressed are some of the more disconcerting aspects of data breaches. What ultimately happens to the stolen data and money? What are companies doing to stop the broader implications of fraud – beyond their bottom lines and brand perceptions? And, do companies have a corporate social responsibility to protect their customers and society as a whole from fraud?

The Stolen Data Lifecycle: From the Cybercriminal Underground to Funding Terrorism and Other Crimes

There’s a large market for personally identifiable information (PII) on the dark web. The most popular stolen record type, PII, includes information such as name, date of birth, social security number, member identification number, mailing address, telephone number, banking account number, etc. Over the years, fraudsters have become more sophisticated in terms of their ability to acquire more than just one PII item.

In fact, the 2017 Equifax data breach revealed not just the names, but the Social Security numbers, birth dates and addresses of almost half of the total U.S. population (143 million individuals)—critical, personal information that is gold to fraudsters. And, although according to The Identity Theft Resource Center the overall number of U.S. data breaches tracked decreased the following year by 23 percent–from 1,632 data breaches in 2017 to 1,244 in 2018–the reported number of exposed records containing sensitive PII jumped an alarming 126 percent from the 197,612,748 records exposed in 2017 to 446,515,334 in 2018.

While oftentimes the stolen data is used to drain financial accounts–obviously a more direct use of the stolen credentials–the lion’s share of stolen credentials is made available to the highest bidder on the dark web, with these stolen data dumps “publicized” to fraudsters via a number of web sites, ranging from social media networks to the comment sections of popular gaming sites.

This cybercriminal underground is the marketplace where PII or stolen account numbers can go anywhere from a couple dollars a piece to bulk pricing for credit card numbers, for example. Add to the mix the illegal acquisition of user-generated passwords and PINs, and there’s an even larger draw for this personal information on the dark web.

So, why seek out and buy this data from the dark web? Bottom line: criminals can make significant financial ROI to fund some of the most heinous crimes, giving money to terrorist organizations, organized crime rings, drug and human trafficking operations and more.

Fraud and Corporate Social Responsibility

No law-abiding citizen wants to find out that her personal information is being used to fund terrorism–all because the bank that she trusted to put her money in, the store she shopped at, or the wireless service provider she used didn’t have the right tools in place to protect her and her personal data from fraud.

While consumers definitely need to take it upon themselves to use the available tools designed to protect them–such as using multi-factor authentication, or opting for biometrics over user-generated PINs and passwords, etc.–corporations also need to step up to the plate big time to ensure that they are doing what they need to not only protect themselves, but more importantly their customers. Businesses cannot idly stand by as they provide a gateway to these criminal acts.

Companies have a corporate social responsibility to their customers and society as a whole to make this right. Some businesses and politicians are already recognizing this fact.

The global, voluntary International Standard ISO 26000, a guidance for organizations in the public and private sectors that want to operate in a socially responsible manner, identifies “consumer data protection and privacy” as a key consumer issue that corporations should be addressing. A handful of U.S. lawmakers are working to enact legislation to prosecute companies and their executives who fail to protect consumer privacy, while in Canada, measures have already been taken to remedy this issue.

For instance, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires Canadian businesses to report any breach of privacy (any loss or mishandling of PII that might lead to a real risk of significant harm such as financial loss or identity theft) to the Office of the Privacy Commissioner of Canada. According to PIPEDA, “Failure to report the potential for significant harm could expose private-sector organizations to fines of up to $100,000 for each time an individual is affected by a security breach, if the federal government decides to prosecute a case.”

In the U.S., the Corporate Executive Accountability Act, proposed in early April by Sen. Elizabeth Warren (D-Massachusetts), would impose jail time on corporate executives who "negligently permit or fail to prevent" a "violation of the law" that "affects the health, safety, finances or personal data" of one percent of the population of any state. While in spirit this proposal is a nice attempt to address this massive growing issue, it only applies to companies that generate more than $1 billion in annual revenue, and to companies that are either convicted of violating the law or settle claims with state or federal regulators. This ultimately does not address most data breaches given their size and scope. A slightly more aggressive data privacy law proposed by Sen. Ron Wyden (D-Oregon) would give executives up to 20 years in prison for violations of their customers' privacy.

While it is too early to tell whether either proposed legislation will pass, companies themselves should be taking the extra steps in working with authorities to identify and prosecute these fraudsters infiltrating their systems.

For instance, in 2016, Muhammad Sohail Qasmani admitted to laundering over $19.6 million on behalf of the perpetrators of a massive international computer hacking and telecommunications fraud scheme. The scheme included hijacking the telephone networks of U.S. companies and then running up millions in bogus charges. These illicit proceeds were moved across 10 countries–ensuring the dialers and hackers who perpetuated the scheme received their cut.

Similarly, in the U.K., Lee Chisholm was sentenced to two and a half years in jail for repeatedly making calls pretending to be the customer gathering personal information to allow him to take control of accounts. He then used the cards to make a variety of purchases, which he would then sell for a profit. In Chisholm’s case, voice biometrics was used to track his exploits, preventing £370,000 of financial loss.

Without this level of diligence on part of the companies being affected in conjunction with local authorities, these individuals would likely be continuing to commit these crimes today. Unfortunately Qasmani and Chisholm are in the minority when it comes to pursuing, stopping and prosecuting fraudsters. Oftentimes these fraudsters continue to commit their crimes since companies either lack the resources to identify and catch them, or they categorize their fraudulent losses with other normal cost-of-doing-business line-item expenses such as bad debt. Not only is this new accounting norm costly for businesses and their investors, it’s socially irresponsible.

So how do businesses get a handle on this issue?

For starters, they need to understand the fraudulent entry points into their businesses. Fraudsters do not approach account access in a siloed manner. Instead, they take advantage of the growing channels and devices—mobile apps, contact centers, smart speakers, etc.—that pose new entries points for perpetrators. Organizations also need to understand that new and repeat career criminals attempt to steal from institutions every day. If they find a weakness in a channel, they will continue to go back to that channel and then pivot to another one when that initial channel doesn’t work.

Second, in order to truly combat fraud, businesses need to have a cross-channel security approach that stops fraudsters wherever and however they attack. This means investing in the right tools to protect them, and making sure that these technologies are capable of fraud detection, fraud prevention, as well as authentication. Taking a multi-authentication approach is critical. Proven technologies like voice biometrics, as well as behavioral biometrics, device prints, face prints and technologies that can detect social engineering are key to identifying and stopping this fraud.

Third, companies must be socially responsible. They need to stop categorizing fraud as a normal cost of doing business. It is not. They also need to understand that turning a blind eye to this crime is fostering other crimes. As such, organizations must report criminal activity and pursue putting these fraudsters behind bars. Not only is it better for business—it’s the right thing to do.

And finally, this is where biometrics technologies such as voice come into play. By using voice biometrics, anti-fraud teams can now link seemingly unrelated cases to a small number of individuals. Doing so allows them to build solid cases with strong evidence that can then lead to prosecution. By doing so, corporations start having a real, concrete impact in the fight against fraud, putting measures that are not only obstacles or deterrents, but also tools to target the fraud problem to its root.


  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Making Safety and Security Intrinsic to School Design

    Public anxieties about school safety are escalating across the country. According to a 2023 Gallup report, 44% of parents fear for their child’s physical safety at school, a 10 percentage-point increase since 2019. Unfortunately, these fears are likely to increase if the incidence of school tragedies continues to mount. As a result, school leaders are now charged with two non-negotiable responsibilities. The first, as always, is to ensure kids have what they need to learn, grow, and thrive. Sadly, their second responsibility is to keep the children in their care safe from threats and physical danger. Read Now

  • The Power of a Layered Approach to Safety

    In a perfect world, every school would have an unlimited budget to help secure their schools. In reality, schools must prioritize what budget they have while navigating the complexities surrounding school security and lockdown. Read Now

  • How a Security System Can Enhance Arena Safety and the Fan Experience

    Ensuring guests have both a memorable experience and a safe one is no small feat for your physical security team. Stadiums, ballparks, arenas, and other large event venues are increasingly leveraging new technologies to transform the fan experience and maintain a high level of security. The goal is to preserve the integrity and excitement of the event while enhancing security and remaining “behind the scenes.” Read Now

Featured Cybersecurity


New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3