100%

While Emergent Chaos is engaged in a baroque and convoluted publicity stunt to create FUD around the VA data loss, I will try to give you some perspective:

100% of all Social Security Numbers are "at risk" of use in identity fraud; they are constantly in use by hundreds of thousands of people, some of whom intend to do you harm.

Now, let’s get down to the business of figuring out risk. According to a 2003 report done by Synovate for the FTC:

1.5 percent of survey participants reported that in the last year they had discovered that their personal information had been misused to open new credit accounts, take out new loans, or engage in other types of fraud, such as misuse of the victim’s name and identifying information when someone is charged with a crime, when renting an apartment, or when obtaining medical care (“‘New Accounts & Other Frauds’ ID Theft”).

The Synovate report also classified two other groups that I don’t believe apply here. In any case, the way I will use this number makes it the conservative approach.

Emergent Chaos and others have suggested that the 26.5 million accountholders (of which I believe I am one) are at "an increased risk" of identity fraud. While I believe this to be true, it has nothing to do with the relative percentage of total SSNs out there – either 8.9% or 12% (this strikes me as a base rate fallacy in the making) – and everything to do with the percentage of SSNs abused compared to something that is considered "normal" (my 1.5% number). Here is the logic:

  1. 1.5% of 26.5 million, or about 400,000 of these folks would have their identities stolen anyway.
  2. The "increased risk" associated with this incident is a function of how many people over that 400,000 become victims (ignoring likely degrees of error for now).
  3. The expectation is that the anticipated increase is specifically due to this single incident.
  4. This would tell us after the fact whether the risk was actually increased or there was a lot of FUD going on due to disagreement on principles.

I would feel more comfortable if the 1.5% number were more clearly defined and if we had numbers specifically for veterans – I have previously suggested that over 150,000 people would typically have access to an SSN and I believe that number is likely much larger for military and veterans.

There is another interesting point in this situation that needs to be made: it seems reasonable to suggest that there is a finite limit to the number of SSNs that may actually be used fraudulently, given that care and feeding are required to perpetrate the crime (as opposed to credit card numbers, which may possibly be automatically scripted for quick hits), and there appear to be plenty of alternative opportunities to gain access to "more qualified" SSNs (for the bad guys, that is ;-) ). If this is true, then it is best for each individual involved to be one of many; the larger the number of SSNs stolen, the less likely any individual is to be a victim. So 26.5 million is better than, say, 5, and 300 million would be better still. (Obviously, the best case would be to not be in this group at all.)
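The four-step logic above and the dilution argument in this paragraph, carried through in an added Python example (this is not code from the post). The 26.5 million exposed records, the 1.5% annual fraud rate and the 300 million comparison figure are the post's numbers; the binomial noise model, the 400,000-victim scenario and the 100,000-identities-a-year fraud capacity are constructed assumptions used only to illustrate the arithmetic.

```python
"""Base-rate vs. attributable-risk arithmetic for a bulk SSN exposure.

Added illustration of the post's reasoning; not code from the post. The 26.5M
exposed records and the 1.5% annual fraud rate are the post's figures; the
thief's yearly capacity and the noise model are constructed assumptions.
"""
from math import sqrt

EXPOSED = 26_500_000   # records on the lost laptop (from the post)
BASE_RATE = 0.015      # Synovate/FTC "new accounts & other frauds" rate (from the post)


def expected_baseline(exposed=EXPOSED, base_rate=BASE_RATE):
    """Step 1: victims this group would produce in a year with no incident at all."""
    return exposed * base_rate


def attributable_excess(observed, exposed=EXPOSED, base_rate=BASE_RATE):
    """Steps 2-3: excess victims over the baseline, and that excess expressed in
    units of the binomial standard deviation of the baseline count, i.e. the
    year-to-year noise you would see even if nothing had happened."""
    mean = expected_baseline(exposed, base_rate)
    sd = sqrt(exposed * base_rate * (1 - base_rate))
    excess = observed - mean
    return excess, excess / sd


def baseline_shift_per_point(exposed=EXPOSED, delta=0.001):
    """Step 4 caveat: how far the baseline moves if the base rate itself is off
    by `delta` (0.001 = one tenth of a percentage point). This dwarfs the sampling
    noise above, which is why the 1.5% figure has to be pinned down before an
    after-the-fact comparison tells you anything about this incident."""
    return exposed * delta


def per_person_probability(capacity, stolen):
    """Dilution argument: an operation that can 'care for' `capacity` identities a
    year, drawing from `stolen` exposed records, reaches any one individual with
    probability capacity/stolen, capped at 1 when records are scarcer than capacity."""
    return min(1.0, capacity / stolen)


def dilution_table(capacity, sizes=(5, EXPOSED, 300_000_000)):
    """Per-person chance for the three pool sizes the post compares."""
    return {n: per_person_probability(capacity, n) for n in sizes}


if __name__ == "__main__":
    print(f"baseline victims/yr with no incident: {expected_baseline():,.0f}")
    excess, z = attributable_excess(observed=400_000)   # constructed scenario
    print(f"if 400,000 are hit: excess {excess:,.0f} = {z:.1f} sd of sampling noise")
    print(f"baseline shift per 0.1 pt of base-rate error: {baseline_shift_per_point():,.0f}")
    # capacity=100_000 is a constructed assumption, not a figure from the post
    for n, p in dilution_table(capacity=100_000).items():
        print(f"{n:>13,} records stolen -> per-person chance {p:.2%}")
```

The two caveats the numbers expose: pure sampling noise on a 397,500-victim baseline is only a few hundred victims, so in principle a small excess would be visible, but a one-tenth-of-a-point error in the 1.5% base rate moves the baseline by 26,500, so the after-the-fact test is only as good as the base-rate estimate. The dilution table shows the post's point directly: with a fixed yearly capacity, a record in a pool of 300 million is about an order of magnitude safer than one in a pool of 26.5 million.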

Hope this helps provide some perspective on this particular incident. It is unfortunate that it happened, but it is not (yet) the end of the world. In any case, let’s hope that organizations get smarter about accepting SSNs on face value as authenticators.

8 comments for “100%”

  1. Chris Walsh
    May 31, 2006 at 10:30 pm

    But Pete -

    The whole reason the risk is hypothesized to be increased is that now more people know these 26.5 million SSNs. Surely it isn’t kooky talk to say that the more unauthorized people that know your PII, the higher the probability it will be misused?

    However, your idea about looking at the ID theft rate and determining the increased risk after the fact may not work because the Vets may change their behavior. For example, large numbers may put freezes on their credit reports. It may turn out, as a result, that FEWER of them wind up getting hit by an actual ID theft. To really figure this out, we need to have a good deal more info, and right now I don’t think much of it is being collected.

  2. Pete
    June 1, 2006 at 6:21 am

    @Chris -

    It’s not kooky talk – in fact, I agreed in my posting that risk is *likely* increased simply by having more people with access to these SSNs, though I disagree strongly that this applies solely to “unauthorized” people given that the vast majority of identity fraud comes from “authorized” people. Let’s face it – there are plenty of ways for an identity thief to get SSNs and other PII that are much less risky than breaking into somebody’s house.

    What I am suggesting is that the absolute level of increased risk is likely very, very, low. That is, if a typical account has 150,000 people with access and now there are 150,005 (or even 150,100 for that matter), even having an extra 100 people with access is not going to change the risk equation that much.

    Your point about unintended positive consequences is an interesting one – not one I’ve seen brought up simply on its merits before. Your idea is a good one: that loss like this may actually reduce identity theft. Now, whether or not it justifies the FUD is an interesting question…

    (Btw, this incident has potentially more serious consequences than identity theft that we probably should be looking at closely).

  3. June 2, 2006 at 1:45 am

    The Daily Incite – June 2, 2006

    June 2, 2006 Good Morning: First I'll apologize for my lack of blogging this week. Being on the west coast did not give me a lot of time to do much besides meet with folks and do The Daily Incite. But I'll be back in the office next week, so

  4. June 2, 2006 at 12:42 pm

    The Persistence of SSNs, and The Persistence of Thieves

    Pete Lindstrom, who knows a good phrase when he reads one, puts forward the claim that the theft of veterans’ SSNs doesn’t put them at increased risk of fraud. His basic argument is that there’s a lot of people out…

  5. June 2, 2006 at 12:54 pm

    I think it is more than obvious that the actual percentage chance that I, as a veteran, will get hit with ID theft because of this is low. That has never been the issue. The issue is that there are 26 million veterans who now have their ID floating around somewhere, and it was a preventable event. The sheer stupidity and cluelessness of the VA to not have something in place to prevent this type of problem is the real issue. If someone is creating FUD around this, then shame on them. But don’t discount that this is a real problem that needs to be fixed. By saying that the percentage chance is low is (to some people) tantamount to saying this theft is no big deal and we shouldn’t worry about it.

    The VA is making changes, and that is good. But don’t you think your comments could cause some people to relax and reduce the pressure on elected officials and the VA to make something happen to fix this? This DOES NOT need to disappear, which is what I am afraid will happen if people start producing arguments such as yours.

  6. June 2, 2006 at 2:36 pm

    100% Followup

    My post about the VA Fiasco of losing 26 million personal records (including mine) has struck a chord with some. I thought I would take the time to clarify some things: 1. Emergent Chaos posted a specific response in The Persistence of SSNs, and The Pe…

  7. June 6, 2006 at 2:14 pm

    Good conversation. I’ve actually been thinking about the subject – but not just ID theft, but % of real compromise for attacks against large amounts of consumers, like Phishing, Bot infection, etc…

    If you’re looking for a baseline measurement, we should probably agree on a definition of risk. I break risk into the following factors: the probable frequency and probable magnitude of loss. In other words, how much you stand to lose, and how often you’re going to lose it.

    I’ve been (un)fortunate enough to be privy to information about a large scale compromise concerning spyware. Literally thousands of desktops of malware. It was determined that there was only one instance of the Malware being used at all past the initial infection, and then just a cursory “look around” – no evidence of abuse. To me, the similarities of the scenarios are interesting – I would guess that the percentage of use of the PII is similar, simply because the level of effort involved to steal from hundreds of thousands of people is so great, not to mention the fact that a smart criminal might figure that if he used more than a certain percentage of those IDs – he’d attract attention.

    So my analysis of the subject so far really focuses on aspects of a Threat Community that is interested in inflicting some level of harm using the information. This, of course, is an assumption. I would love to study the probability that the perp. actually just sold the thing, data and all to a pawn shop or (ahem) associate who blew the contents away and all risk is eliminated.

    So when I look at a Threat, I try to estimate a couple of basic things:

    1.) Their Capability, which I break up into a measurement of their skills (knowledge and experience) and resources (time and materials).
    2.) The factors that determine their willingness to act. In other risk studies, we’ve been using this “willingness” measurement as part of the factors that make up “Threat Event Frequency”. TEF is basically how likely it is a threat will act, and part of probability determination on how often we can expect loss. This willingness I think would consist of the attacker’s own determinations of: a.) feasibility, a ratio of challenge to the attacker and their (perceived) capability – and b.) motivation, a function of risk (to them) and reward.

    So in an effort for me to give you a “baseline risk” qualification, let me solicit your opinions on the following in percentages from 1-100:

    1.) Threat Capability (assume we’re going to use a threat that is aware that they could use the data on the laptop, not just a quick $200 turn around to go buy some crack). A rating of 1 would be a complete moron with Windows 3.11 and an IP stack on 14.4, and 99 would be the most elite government agent with government agency resources behind them. I would assume tons of time to act on their part.

    2.) The frequency with which you would expect them to attack. Consider this to be a measurement of “willingness”, above. We don’t need to try to factor in a range for frequency of contact, at this point contact = true.

    Once you give me some values for those two factors, we can move onto other factors to consider in the “frequency of loss” part of risk.

    Interestingly enough, for the VA or just about any B2C – if you think about magnitude of loss from their perspective, and not the perspective of the consumer, there’s very little loss to consider, IMHO. Risk to a bank, the VA, Insurance company, hospital, whatever, concerning loss of PII *in a B2C incident* for a large company with plenty of brand equity is pretty low. The main component of their loss is regulatory fines and judgments, and maybe, just maybe a class action suit.

  8. June 6, 2006 at 2:50 pm

    I thought about this a little more, and without realizing it, I’m thinking about risk from the perspective of VA. If you want to think about it from any given Vet, or one of the Vets who actually had their data stolen (two different perspectives to study) – that willingness factor would have to include the number of “identities” we actually expect to be stolen out of the total. The minimum would be 1, max is what, 240,000? – but what is the most likely? Let me know what you think and why, and I’ll let you know what I think.

    Then we’ll throw out the contact = true part, and use that number as a percentage…
