Despite industry and government efforts, identity data theft still hits tens of millions of Americans every year. In the last quarter of 2022, for example, the tally was something like 22 million. That’s according to the latest breach dashboard compiled by data company TransUnion. For more, the Federal Drive with Tom Temin spoke with Jeff Huth, TransUnion senior vice president for the Public Sector.
Tom Temin Give us some highlights of what your dashboard is showing. Tell us maybe a little bit about the methodology that you use and what we know about the amount of records that just keep getting purloined.
Jeff Huth Yeah, I think the important part of this is just the sheer amount of records, the sheer amount of risk that’s created. And we do this on a regular basis and we’re looking at breaches. So this comes from a company that joined the TransUnion family called Suntech last year, and it’s all about consumer protection, identity theft protection. But as a result of that, they also look at breaches and they look at the risk and the severity of breaches. So looking at it from a breach perspective and the risk and the severity, we’re able to assess, essentially, how much information has been released and what kind of risk that could pose to anybody. And really the focus here being public sector agencies. And so the focus on that is 22 million more identities in Q4 became at high risk. And really the big one there is medical identity theft, which is kind of an important thing. So that’s a significant number of records that have been breached on people that could be used to purvey that kind of fraud against public sector agencies.
Tom Temin And what is the source of those? Is it mostly [Centers for Medicare and Medicaid Services (CMS)], Social Security? There’s a lot of medically connected agencies.
Jeff Huth I suppose you could look at it as anyone who is using identity information, using past medical information to conduct some form of fraud. It could be Medicaid, it could be Medicare, it could be veterans benefits. It could be any of those that might be done with the federal government. I think the important point of that, is the amount of information that’s available puts that category of things at high risk. But really, it’s other things that are high risk as well. Government issued document theft, which is really using that to steal someone’s identity and take benefits that might be useful for someone else.
Tom Temin And do the data thieves go after medical records, not because they care whether somebody has eczema or not, but because medical records are associated with location, with Social Security number and with payment methodologies?
Jeff Huth That’s correct. Payment methodologies to medical identity theft, again, being the most pervasive, the biggest risk could be used for a variety of different purposes from a fraud perspective. But again, the point being so much information has been released. It’s an increasing problem. The problem since we’ve been looking at this in 2020 is growing. The number of breaches are growing. The number of breaches indicate the amount of data that’s being released is growing. And when that data is out there and able to conduct different forms of fraud, it’s something that we need to think about as a group and public sector. And I’m happy to see things like the anti-fraud proposal, the administration put out recently, in particular the focus on identity theft. The cybersecurity strategy talks about strengthening cyber. That’s all right and kind of dovetails nicely with us talking about kind of the risks and the threats that are going to hit our cybersecurity infrastructure and put consumers’ identities at risk.
Tom Temin Is there some sort of a ratio or metric between millions of lost records and the actual cases of individuals having their identities taken or misused in some manner?
Jeff Huth I’m sure there is. That’s not an element that we’ve done in this particular research. That is an interesting item that we should look at. When information is breached, there is a period of time when you start seeing that information on the dark web or you start seeing that information being used in certain kinds of fraud. That’s not an element that we focused on here, but something we should look at in future iterations of our report.
Tom Temin And what do we know about the most common breach mechanism? Is it someone has administrator passwords they get in with or is it phishing or what is it?
Jeff Huth Yeah, that would probably be a great one for some of the cybersecurity experts. But from what I’ve seen, what I’ve heard, it is typically people who are, maybe not nefarious insiders, but people who are making mistakes. Phishing attempts turn into open doors for hackers to exfiltrate data on individuals. And, it’s happening. And again, we’re looking at it from the perspective of data breaches, high risk data breaches, high risk being the amount of information that’s taken that can be used, but it’s happening across public sector and private sector. Unfortunately, and increasing at an alarming rate over the last couple of years.
Tom Temin We’re speaking with Jeff Huth. He’s senior vice president for the public sector at TransUnion. So it strikes me there’s two issues here that the government has to deal with. One is making sure that the stuff doesn’t get out and whatever their cyber security measures are. The other is, are there measures they can put in post facto, such that even if someone wrongly has another person’s individual information, they can’t make use of it with two factor or facial or whatever the case might be?
Jeff Huth Well stated. That’s the recommendations that we’re putting out here. We’re looking at it in terms of the risk that happened, not just at the federal, but at the state level as well. And so states will be doing things around administering certain benefits programs, but the risk is still there. It’s not uncommon to hear that if hackers or a fraud group have attacked a certain area and they are no longer allowed, they’ll just move on to something else. So we see that happening in the public sector the way that the private sector sees that. Again, it’s a problem that keeps growing federal and state level. Protecting the identities of the people, making sure to provide a friction-right experience, we talk about it. So how do you throw up enough barriers so that you can prevent fraud, but also not make it difficult for people who are completely normal accessing things that should have access to? It’s so friction-right experienced that states and federal government should be applying. As well as, how do we try to deal with this from an overall cybersecurity perspective. And again, I think that’s kind of the two things we’ve seen out of the administration recently. The identity theft and anti-fraud proposal, along with the cybersecurity strategy, now kind of addressing those two elements that you talked about.
Tom Temin Right. And in your experience working with clients, what does an ideal, frictionless type of safe experience look like? Because you can ask people to answer 16 challenge questions, probably not ideal.
Jeff Huth That’s really true. And questions can themselves be discovered, unfortunately. So them questions knowledge based exams, they would be called an industry by themselves, are not necessarily the best form. It’s truly now we’re getting into a little bit of the technical parts of it, but it’s multiple factors. It’s things that you are, things that you know, things that you have point of view. So I think of an experience where you may be trying to access an account, state agency, federal agency. You have to assert who you are. Who better to than to ask who, if you were search who you are than the people who are sort of the gold standards, the credit bureaus in the U.S.? Is this really Jeff Huth? Is this really who he says he is? And then also look at the access that I’m using and the channel, the digital attributes that I’m using. Is there anything odd or nefarious or unusual about the way and the location or the device I’m using to access it? And then introducing things along the way, like, Hey, we’re going to send you a passcode to your phone that we have on record as an authorized phone from your carrier. So there’s lots of different techniques like that to make the experience right, but in reverse to kind of provide the friction-right experience as well. It could be. Oh, we’ve seen Jeff before. He’s providing the same information before. There’s nothing unusual about the channel by which he’s coming to us. So we can take him down a different path because there are no, quote unquote, red flags along the way in terms of how he’s doing things. So kind of looking at it from both, how do we throw down the appropriate barriers? To how do we appropriately remove barriers for the people who don’t need to be?
Tom Temin Yeah. So you really have to craft a careful approach to this whole ICAM, identity access management, whether deployed to your own people or applications deployed to the public.
Jeff Huth That’s right.
Tom Temin No shortcuts here. And what about just the idea of artificial intelligence infecting this whole process from the bad guys’ standpoint? For example, suppose you need to submit, refresh your photo for your facial recognition periodically, which might be a good practice. In this time, you can wear your glasses or not, whatever the case might be. It seems like there’s an AI way around a lot of these particular measures. And I can steal that face, I can age it, I can put glasses on it, I can make it smile, whatever.
Jeff Huth Yeah. I mean, that’s a that is an interesting concept. Now we’re getting a little bit outside of the report, but there are things like liveness detection around biometrics that are important. And that’s the idea that I can’t just take a photo or a face or a picture and use it for a verification step. And I think that there is technology that should be, and that’s the kind of stuff we need to look at, introduce, make sure that it’s there from a fraud mitigation perspective for sure. But in general, the topic of AI, I’m sure that there’s going to be both threats and opportunities for us to look at as we help to adjust problem using it in terms of providing, again, that friction-right experience. Maybe I could be kind of the human thinking in the loop around, Well, do I introduce more here? Or do I trust less or do I trust more? It’s all about trust. Start off with zero trust and then build trust.
Tom Temin And getting back to the report, who should read it? And what should the top takeaways be from it?
Jeff Huth Yeah, so who should read it? Anyone who is dealing with at state federal level, of course. Anyone who is dealing with a situation where they have to trust citizen or trust a consumer who may be trying to create an account with them, trying to access services from them, trying to assert who they are. Any time that there is a threat that someone else could be using that information for nefarious purposes. So that’s, again, any state, federal agency. And I think the takeaways from it are really understanding that, number one, that the amount of data that’s available in a breach creates an opportunity for fraudsters to use that information nefariously against you with the notion that things like tax fraud, medical identity theft and the government document theft, those are important public sector avenues by which this information could be used fraudulently, so that’s one. And it’s also that it’s not going away. It’s not a decreasing trend. It’s increasing, it’s continuing, it’s growing. And it has been growing. And we saw it a lot during the pandemic. And it’s continuing to be a problem. Medical identity theft being the most common type that we saw in the fourth quarter. We’ll keep looking at it and we’ll keep assessing where it’s coming from. We kind of want to be the canary in the coal mine when it comes to indicating what systems might be exposed, when it comes to the kinds of data that’s been exposed in a breach.
Tom Temin Jeff Huth is senior vice president for the public sector at TransUnion. Thanks so much for joining me.
Jeff Huth Thank you very much for having me today. I appreciate it.