A New Age in Corporate Accountability for Data Breaches

Why corporations owe it to you and society as a whole to stop data breaches and fraud

There isn’t an industry safe from data breaches. From banks and credit organizations to hotel and restaurant chains, academic institutions and more, hundreds of millions of individuals have had their personal information stolen – all via the companies with whom they do business.

And although the case for why companies should protect consumer data is clear—companies lose less money and consumer information is safe from predators—what’s not often addressed are some of the more disconcerting aspects of data breaches. What ultimately happens to the stolen data and money? What are companies doing to stop the broader implications of fraud – beyond their bottom lines and brand perceptions? And, do companies have a corporate social responsibility to protect their customers and society as a whole from fraud?

The Stolen Data Lifecycle: From the Cybercriminal Underground to Funding Terrorism and Other Crimes

There’s a large market for personally identifiable information (PII) on the dark web. The most popular stolen record type, PII, includes information such as name, date of birth, social security number, member identification number, mailing address, telephone number, banking account number, etc. Over the years, fraudsters have become more sophisticated in terms of their ability to acquire more than just one PII item.

In fact, the 2017 Equifax data breach revealed not just the names, but the Social Security numbers, birth dates and addresses of almost half of the total U.S. population (143 million individuals)—critical, personal information that is gold to fraudsters. And, although according to The Identity Theft Resource Center the overall number of U.S. data breaches tracked decreased the following year by 23 percent–from 1,632 data breaches in 2017 to 1,244 in 2018–the reported number of exposed records containing sensitive PII jumped an alarming 126 percent from the 197,612,748 records exposed in 2017 to 446,515,334 in 2018.

While oftentimes the stolen data is used to drain financial accounts–obviously a more direct use of the stolen credentials–the lion’s share of stolen credentials is made available to the highest bidder on the dark web, with these stolen data dumps “publicized” to fraudsters via a number of web sites, ranging from social media networks to the comment sections of popular gaming sites.

This cybercriminal underground is the marketplace where PII or stolen account numbers can go for anywhere from a couple of dollars apiece to bulk pricing for credit card numbers, for example. Add to the mix the illegal acquisition of user-generated passwords and PINs, and there’s an even larger draw for this personal information on the dark web.

So, why seek out and buy this data from the dark web? Bottom line: criminals can make significant financial ROI to fund some of the most heinous crimes, giving money to terrorist organizations, organized crime rings, drug and human trafficking operations and more.

Fraud and Corporate Social Responsibility

No law-abiding citizen wants to find out that her personal information is being used to fund terrorism–all because the bank that she trusted to put her money in, the store she shopped at, or the wireless service provider she used didn’t have the right tools in place to protect her and her personal data from fraud.

While consumers definitely need to take it upon themselves to use the available tools designed to protect them–such as using multi-factor authentication, or opting for biometrics over user-generated PINs and passwords, etc.–corporations also need to step up to the plate big time to ensure that they are doing what they need to not only protect themselves, but more importantly their customers. Businesses cannot idly stand by as they provide a gateway to these criminal acts.

Companies have a corporate social responsibility to their customers and society as a whole to make this right. Some businesses and politicians are already recognizing this fact.

The global, voluntary International Standard ISO 26000, a guidance for organizations in the public and private sectors that want to operate in a socially responsible manner, identifies “consumer data protection and privacy” as a key consumer issue that corporations should be addressing. A handful of U.S. lawmakers are working to enact legislation to prosecute companies and their executives who fail to protect consumer privacy, while in Canada, measures have already been taken to remedy this issue.

For instance, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires Canadian businesses to report any breach of privacy (any loss or mishandling of PII that might lead to a real risk of significant harm such as financial loss or identity theft) to the Office of the Privacy Commissioner of Canada. According to PIPEDA, “Failure to report the potential for significant harm could expose private-sector organizations to fines of up to $100,000 for each time an individual is affected by a security breach, if the federal government decides to prosecute a case.”

In the U.S., the Corporate Executive Accountability Act, proposed in early April by Sen. Elizabeth Warren (D-Massachusetts), would impose jail time on corporate executives who "negligently permit or fail to prevent" a "violation of the law" that "affects the health, safety, finances or personal data" of one percent of the population of any state. While in spirit this proposal is a nice attempt to address this massive growing issue, it only applies to companies that generate more than $1 billion in annual revenue, and to companies that are either convicted of violating the law or settle claims with state or federal regulators. This ultimately does not address most data breaches given their size and scope. A slightly more aggressive data privacy law proposed by Sen. Ron Wyden (D-Oregon) would give executives up to 20 years in prison for violations of their customers' privacy.

While it is too early to tell whether either proposed legislation will pass, companies themselves should be taking the extra steps in working with authorities to identify and prosecute these fraudsters infiltrating their systems.

For instance, in 2016, Muhammad Sohail Qasmani admitted to laundering over $19.6 million on behalf of the perpetrators of a massive international computer hacking and telecommunications fraud scheme. The scheme included hijacking the telephone networks of U.S. companies and then running up millions in bogus charges. These illicit proceeds were moved across 10 countries–ensuring the dialers and hackers who perpetrated the scheme received their cut.

Similarly, in the U.K., Lee Chisholm was sentenced to two and a half years in jail for repeatedly making calls pretending to be the customer gathering personal information to allow him to take control of accounts. He then used the cards to make a variety of purchases, which he would then sell for a profit. In Chisholm’s case, voice biometrics was used to track his exploits, preventing £370,000 of financial loss.

Without this level of diligence on the part of the affected companies, working in conjunction with local authorities, these individuals would likely still be committing these crimes today. Unfortunately, the Qasmani and Chisholm cases are in the minority when it comes to pursuing, stopping and prosecuting fraudsters. Oftentimes these fraudsters continue to commit their crimes because companies either lack the resources to identify and catch them, or they categorize their fraud losses alongside other normal cost-of-doing-business line items such as bad debt. Not only is this accounting norm costly for businesses and their investors, it’s socially irresponsible.

So how do businesses get a handle on this issue?

For starters, they need to understand the fraudulent entry points into their businesses. Fraudsters do not approach account access in a siloed manner. Instead, they take advantage of the growing number of channels and devices—mobile apps, contact centers, smart speakers, etc.—that pose new entry points for perpetrators. Organizations also need to understand that new and repeat career criminals attempt to steal from institutions every day. If they find a weakness in a channel, they will keep going back to that channel, and then pivot to another one when the initial channel stops working.

Second, in order to truly combat fraud, businesses need a cross-channel security approach that stops fraudsters wherever and however they attack. This means investing in the right tools to protect them, and making sure that these technologies are capable of fraud detection and fraud prevention as well as authentication. Taking a multi-layered authentication approach is critical. Proven technologies like voice biometrics, as well as behavioral biometrics, device prints, face prints and technologies that can detect social engineering, are key to identifying and stopping this fraud.

Third, companies must be socially responsible. They need to stop categorizing fraud as a normal cost of doing business. It is not. They also need to understand that turning a blind eye to this crime is fostering other crimes. As such, organizations must report criminal activity and pursue putting these fraudsters behind bars. Not only is it better for business—it’s the right thing to do.

And finally, this is where biometric technologies such as voice come into play. By using voice biometrics, anti-fraud teams can now link seemingly unrelated cases to a small number of individuals. Doing so allows them to build solid cases with strong evidence that can then lead to prosecution. In this way, corporations start having a real, concrete impact in the fight against fraud, putting in place measures that are not only obstacles or deterrents, but also tools that attack the fraud problem at its root.
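The cross-channel linking described in the steps above, as an added illustration that is not code from the article or from any vendor it mentions: once a biometrics or device-fingerprinting system has already assigned actor-side identifiers (a voiceprint id, a device print, a calling number) to each fraud case, cases that share any such identifier can be grouped into one actor cluster, and the ordered list of channels that cluster has touched shows the pivoting the article describes. The case records and identifier values are constructed sample data.

```python
"""Group fraud cases across channels by shared actor-side identifiers (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    case_id: str
    channel: str          # e.g. "contact_center", "mobile_app", "smart_speaker"
    identifiers: frozenset  # actor-side identifiers already attached by upstream systems


class UnionFind:
    """Minimal disjoint-set structure used to merge cases that share an identifier."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_cases(cases):
    """Return {lowest case id in cluster: sorted case ids} for cases linked by any shared identifier."""
    uf = UnionFind()
    first_seen = {}  # identifier -> first case id that carried it
    for c in cases:
        uf.find(c.case_id)  # register even if the case has no identifiers
        for ident in c.identifiers:
            if ident in first_seen:
                uf.union(first_seen[ident], c.case_id)
            else:
                first_seen[ident] = c.case_id
    clusters = defaultdict(list)
    for c in cases:
        clusters[uf.find(c.case_id)].append(c.case_id)
    return {min(ids): sorted(ids) for ids in clusters.values()}


def channels_touched(cases, cluster_ids):
    """Distinct channels used by one actor cluster, in the order the cases appeared (shows pivots)."""
    wanted = set(cluster_ids)
    ordered = []
    for c in cases:
        if c.case_id in wanted and c.channel not in ordered:
            ordered.append(c.channel)
    return ordered


# Constructed sample cases: "vp" = voiceprint id, "dp" = device print, "ph" = calling number.
SAMPLE_CASES = [
    Case("c1", "contact_center", frozenset({"vp:1"})),
    Case("c2", "mobile_app", frozenset({"dp:9"})),          # unrelated actor
    Case("c3", "contact_center", frozenset({"vp:1", "ph:5"})),
    Case("c4", "mobile_app", frozenset({"dp:7", "ph:5"})),  # same number seen in the app
    Case("c5", "smart_speaker", frozenset({"vp:1"})),       # same voice, new channel
]
```

Running `link_cases(SAMPLE_CASES)` groups c1, c3, c4 and c5 under one actor while c2 stays separate, and `channels_touched` on that cluster lists contact center, then mobile app, then smart speaker.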
